[Kali] mitigation against dependency hell between Qubes repository and Kali repository

Neowutran 2020-05-23 19:29:04 +02:00
parent 0bd9330831
commit f6ab96ade4


@ -37,7 +37,7 @@ If you need to install custom kernel modules (wifi drivers, …) you need to use
The steps can be summarized as: The steps can be summarized as:
1. Install Qubes stable Debian template 1. Install Qubes stable Debian template
2. Upgrade the template to Debian testing release 2. Add `testing` and `securitytesting` Qubes repositories
3. Add the Kali repository 3. Add the Kali repository
4. Update the template 4. Update the template
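Review bot: The summary list is now out of step with the detailed procedure this commit rewrites: item 3 still reads "Add the Kali repository" while detailed step 7 becomes "Replace Debian repositories with Kali repository", and the clone step is not listed at all. Suggest updating the summary so it matches the numbered steps: install the Debian template, clone it, enable the Qubes `testing` and `securitytesting` repositories, replace the Debian repositories with the Kali repository, update the template.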
@ -45,7 +45,8 @@ Get Kali Linux PGP key
----------------------- -----------------------
**CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures]. **CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures].
This website cannot guarantee that any PGP key you download from the Internet is authentic. This website cannot guarantee that any PGP key you download from the Internet is authentic.
Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. In order to obtain a trusted fingerprint, check its value against multiple sources.
Then, check the keys you download against your trusted fingerprint.
This step is required since by (security) default TemplateVM do not have a This step is required since by (security) default TemplateVM do not have a
direct Internet connectivity. Users understanding the risks of enabling such direct Internet connectivity. Users understanding the risks of enabling such
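Review bot: In the CAUTION paragraph, the replacement sentence drops the "via other channels" requirement, and "multiple sources" does not say that the sources must be independent of the one the key is downloaded from. Several pages fetched over the same connection do not add assurance. Suggest keeping the original idea in the new wording, for example "check its value against multiple independent sources, obtained via different channels".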
@ -54,7 +55,7 @@ access can change this configuration in firewall settings for the TemplateVM.
1. Retrieve the Kali Linux PGP key using a DisposableVM. 1. Retrieve the Kali Linux PGP key using a DisposableVM.
```shell_session ```shell_session
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 $ gpg --keyserver hkps://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
$ gpg --list-keys --with-fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 $ gpg --list-keys --with-fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
$ gpg --export --armor 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 > kali-key.asc $ gpg --export --armor 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 > kali-key.asc
``` ```
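Review bot: After the `gpg --list-keys --with-fingerprint` line, nothing tells the reader to compare the printed fingerprint with the trusted copy described in the CAUTION paragraph before running `gpg --export`. Add a sentence between those two commands saying to stop if the values differ. The change from `hkp://` to `hkps://` protects the transport to the keyserver only; the fingerprint comparison is still what authenticates the key.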
@ -76,52 +77,30 @@ These instructions will show you how to upgrade a Debian TemplateVM to Kali Linu
# qubes-dom0-update <latest Debian template> # qubes-dom0-update <latest Debian template>
``` ```
2. Start your Debian template 2. Clone `debian-X` template
```shell_session
$ qvm-start debian-<X>
$ qvm-run -a debian-<X> gnome-terminal
```
3. Update it
4. And then close it
```shell_session
$ qvm-shutdown debian-<X>
```
5. Clone `debian-X` template
```shell_session ```shell_session
$ qvm-clone debian-<X> kali-rolling $ qvm-clone debian-<X> kali-rolling
``` ```
6. Check the name of currently used repository in `/etc/apt/sources.list` and current testing [Debian release][Debian-releases]. Update repository list accordingly 3. Check the name of currently used repository in `/etc/apt/sources.list.d/qubes-r<X>.list` and current testing [Debian release][Debian-releases]. Update repository list accordingly
```shell_session ```shell_session
# sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list
# sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list.d/qubes-r<X>.list # sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list.d/qubes-r<X>.list
``` ```
e.g. in this example we update `buster` stable repository to `bullseye` testing repository e.g. in this example we update `buster` stable repository to `bullseye` testing repository
```shell_session ```shell_session
# sed -i 's/buster/bullseye/g' /etc/apt/sources.list
# sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/qubes-r<X>.list # sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/qubes-r<X>.list
``` ```
For installation based on Debian 10 stable, please note that the security repository of Debian testing has [recently been renamed][Debian-security-naming-convention] from `<current testing>/update` to `<current-testing>-security`. To account for that change, execute the following command.
```shell_session 4. Enable the QubesOS `testing` and `securitytesting` repositories
# sed -i 's%bullseye/updates%bullseye-security%g' /etc/apt/sources.list
```
5. Update the template In `/etc/apt/sources.list.d/qubes-r<X>.list`, enable the 'testing' and 'securitytesting' repository.
We do that to reduce the 'dependency hell' between Qubes repository and Kali repository.
**Note:** During execution of the update, carefully read list of packages to be removed. If it contains `qubes-*` packages, terminate operation and try to resolve `qubes-*` packages missing dependencies first. 5. Copy the Kali PGP key from the DisposableVM to the new template:
6. Copy the Kali PGP key from the DisposableVM to the new template:
```shell_session ```shell_session
$ qvm-copy kali-key.asc $ qvm-copy kali-key.asc
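Review bot: New step 4 is the only step in this procedure without a command or an example of the lines to change; "enable the 'testing' and 'securitytesting' repository" leaves the reader to guess which entries in `/etc/apt/sources.list.d/qubes-r<X>.list` to edit. Show the exact lines or a `sed` invocation as step 3 does, and state that the template keeps receiving Qubes packages from the testing repositories after this change, since that is a lasting trade-off and not a one-time install step. The hunk also drops the "Update it" step before cloning without explanation; if that is intentional, say so in the commit message.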
@ -129,7 +108,7 @@ $ qvm-copy kali-key.asc
The DisposableVM can now be turned off. The DisposableVM can now be turned off.
7. Add the Kali PGP key to the list of keys trusted to authenticate packages: 6. Add the Kali PGP key to the list of keys trusted to authenticate packages:
```shell_session ```shell_session
# cat /home/user/QubesIncoming/dispXXX/kali-key.asc | apt-key add - # cat /home/user/QubesIncoming/dispXXX/kali-key.asc | apt-key add -
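Review bot: Step 6 is only renumbered here, but `apt-key add -` puts the Kali key into apt's global trusted keyring, so it is accepted for every repository configured in the template, including the Qubes ones. Since this commit already rewrites the repository setup, consider storing the key in its own keyring file and referencing it with `signed-by=` on the Kali `deb` line. The `dispXXX` path would also benefit from a word saying it is a placeholder for the actual DisposableVM name.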
@ -137,18 +116,17 @@ $ qvm-copy kali-key.asc
This command should return: `OK`. This command should return: `OK`.
8. Add the Kali repository 7. Replace Debian repositories with Kali repository
```shell_session ```shell_session
# cat <<EOF > /etc/apt/sources.list.d/kali.list # echo 'deb https://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list
# Kali Linux repository
deb https://http.kali.org/kali kali-rolling main non-free contrib
EOF
``` ```
9. Update the template 8. Update the template
10. Ensure a terminal can be opened in the new template. **Note:** During execution of the update, carefully read list of packages to be removed. If it contains `qubes-vm-dependencies` package, terminate operation and try to resolve missing dependencies first. For other `qubes-*` packages, it is up to you to decide if you need them.
9. Ensure a terminal can be opened in the new template.
```shell_session ```shell_session
$ qvm-run -a kali-rolling gnome-terminal $ qvm-run -a kali-rolling gnome-terminal
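Review bot: In the note under step 8, the stop condition is narrowed from any `qubes-*` package to `qubes-vm-dependencies` only, and "it is up to you to decide if you need them" gives the reader no basis for deciding. Say which `qubes-*` packages the template needs to stay usable (at minimum whatever the terminal check in step 9 relies on), or keep the broader stop condition. Separately, step 7's `echo ... > /etc/apt/sources.list` overwrites the file with no backup; suggest copying it aside first so the change can be reverted if the update in step 8 has to be aborted.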