[Kali] migitagion against dependency hell between Qubes repository and Kali repository

This commit is contained in:
Neowutran 2020-05-23 19:29:04 +02:00
parent 0bd9330831
commit f6ab96ade4

View File

@ -37,7 +37,7 @@ If you need to install custom kernel modules (wifi drivers, …) you need to use
The steps can be summarized as:
1. Install Qubes stable Debian template
2. Upgrade the template to Debian testing release
2. Add `testing` and `securitytesting` Qubes repositories
3. Add the Kali repository
4. Update the template
@ -45,7 +45,8 @@ Get Kali Linux PGP key
-----------------------
**CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures].
This website cannot guarantee that any PGP key you download from the Internet is authentic.
Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint.
In order to obtain a trusted fingerprint, check its value against multiple sources.
Then, check the keys you download against your trusted fingerprint.
This step is required since by (security) default TemplateVM do not have a
direct Internet connectivity. Users understanding the risks of enabling such
@ -54,7 +55,7 @@ access can change this configuration in firewall settings for the TemplateVM.
1. Retrieve the Kali Linux PGP key using a DisposableVM.
```shell_session
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
$ gpg --keyserver hkps://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
$ gpg --list-keys --with-fingerprint 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
$ gpg --export --armor 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 > kali-key.asc
```
@ -76,52 +77,30 @@ These instructions will show you how to upgrade a Debian TemplateVM to Kali Linu
# qubes-dom0-update <latest Debian template>
```
2. Start your Debian template
```shell_session
$ qvm-start debian-<X>
$ qvm-run -a debian-<X> gnome-terminal
```
3. Update it
4. And then close it
```shell_session
$ qvm-shutdown debian-<X>
```
5. Clone `debian-X` template
2. Clone `debian-X` template
```shell_session
$ qvm-clone debian-<X> kali-rolling
```
6. Check the name of currently used repository in `/etc/apt/sources.list` and current testing [Debian release][Debian-releases]. Update repository list accordingly
3. Check the name of currently used repository in `/etc/apt/sources.list.d/qubes-r<X>.list` and current testing [Debian release][Debian-releases]. Update repository list accordingly
```shell_session
# sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list
# sed -i 's/<current stable>/<current testing>/g' /etc/apt/sources.list.d/qubes-r<X>.list
```
e.g. in this example we update `buster` stable repository to `bullseye` testing repository
```shell_session
# sed -i 's/buster/bullseye/g' /etc/apt/sources.list
# sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/qubes-r<X>.list
```
For installation based on Debian 10 stable, please note that the security repository of Debian testing has [recently been renamed][Debian-security-naming-convention] from `<current testing>/update` to `<current-testing>-security`. To account for that change, execute the following command.
4. Enable the QubesOS `testing` and `securitytesting` repositories
```shell_session
# sed -i 's%bullseye/updates%bullseye-security%g' /etc/apt/sources.list
```
In `/etc/apt/sources.list.d/qubes-r<X>.list`, enable the 'testing' and 'securitytesting' repository.
We do that to reduce the 'dependency hell' between Qubes repository and Kali repository.
5. Update the template
**Note:** During execution of the update, carefully read list of packages to be removed. If it contains `qubes-*` packages, terminate operation and try to resolve `qubes-*` packages missing dependencies first.
6. Copy the Kali PGP key from the DisposableVM to the new template:
5. Copy the Kali PGP key from the DisposableVM to the new template:
```shell_session
$ qvm-copy kali-key.asc
@ -129,7 +108,7 @@ $ qvm-copy kali-key.asc
The DisposableVM can now be turned off.
7. Add the Kali PGP key to the list of keys trusted to authenticate packages:
6. Add the Kali PGP key to the list of keys trusted to authenticate packages:
```shell_session
# cat /home/user/QubesIncoming/dispXXX/kali-key.asc | apt-key add -
@ -137,18 +116,17 @@ $ qvm-copy kali-key.asc
This command should return: `OK`.
8. Add the Kali repository
7. Replace Debian repositories with Kali repository
```shell_session
# cat <<EOF > /etc/apt/sources.list.d/kali.list
# Kali Linux repository
deb https://http.kali.org/kali kali-rolling main non-free contrib
EOF
# echo 'deb https://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list
```
9. Update the template
8. Update the template
10. Ensure a terminal can be opened in the new template.
**Note:** During execution of the update, carefully read list of packages to be removed. If it contains `qubes-vm-dependencies` package, terminate operation and try to resolve missing dependencies first. For other `qubes-*` packages, it is up to you to decide if you need them.
9. Ensure a terminal can be opened in the new template.
```shell_session
$ qvm-run -a kali-rolling gnome-terminal