Problem adding I2P repository key in Whonix Workstation Template

Hello. I am trying to run I2P inside Whonix following the guide in Qubes 4.3 - Whonix Workstation 18 Cloned: https://www.whonix.org/wiki/I2P#I2P_Client_inside_Whonix-Workstation. I ran into some errors.

Problem from step 1 when I run:

http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 scurl-download --tlsv1.2 ``https://geti2p.net/_static/i2p-archive-keyring.gpg

I receive the error:

Unknown option: ‘–tlsv1.2’.
zsh: exit 1 http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 --tlsv1.2

I then downloaded the GPG key in a App VM and copied it into the template. I was able to follow the remaining commands until I ran:

sudo apt update && sudo apt full-upgrade

At that point I saw:

Err:8 tor+https://deb.i2p.net trixie InRelease
Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring “/usr/share/keyrings/i2p-archive-keyring.gpg” Caused by: 0: Reading “/usr/share/keyrings/i2p-archive-keyring.gpg”: Permission denied (os error 13) 1: Permission denied (os error 13)
Hit:9 tor+https://deb.debian.org/debian trixie-backports InRelease
Hit:10 tor+https://deb.debian.org/debian-security trixie-security InRelease
Warning: OpenPGP signature verification failed: tor+https://deb.i2p.net trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring “/usr/share/keyrings/i2p-archive-keyring.gpg” Caused by: 0: Reading “/usr/share/keyrings/i2p-archive-keyring.gpg”: Permission denied (os error 13) 1: Permission denied (os error 13)
Error: The repository ‘tor+https://deb.i2p.net trixie InRelease’ is not signed.
Notice: Updating from such a repository can’t be done securely, and is therefore disabled by default.
Notice: See apt-secure(8) manpage for repository creation and user configuration details.
zsh: exit 100 sudo apt update

I corrected the key file permissions with and wondering if this is the correct solution:

sudo chmod 644

It looks like somehow you unintentionally typed <en dash>tlsv1.2, rather than <hyphen><hyphen>tlsv1.2. Did you copy-and-paste the command out of a web browser or an application like LibreOffice? If so, try typing it manually and see if that works. Using --tlsv1.2 works for me on Kicksecure 18 (which Whonix 18 is based on).

As long as the key is owned by root:root, yes, that is good. You can check the permissions of a file using chmod-calc. For instance, this is what I see if check the permissions of the Debian archive keyring with chmod-calc:

[sysmaint ~]% chmod-calc /usr/share/keyrings/debian-archive-keyring.pgp 
Permissions for: '/usr/share/keyrings/debian-archive-keyring.pgp'
Type: Regular File
Owner: root
Group: root
Octal Permissions: 644
File Size: 55918 bytes
Link Count: 1
Hidden File: No
ACLs: none
Extended Attributes: none
Capabilities: None
Immutable (chattr +i): No

Symlink: No

Parent Folder Symlink: No

Category   Read   Write  Execute 
Owner      Yes    Yes    No      
Group      Yes    No     No      
Public     Yes    No     No      

Special Attributes:
SUID: Not Set
SGID: Not Set
Sticky Bit: Not Set

You should make sure the keyring has the same permissions as shown above.

1. I copied the command straight from a disposable Whonix VM. I pasted it into the Whonix cloned template through Qubes’ global clipboard copying commands.
2. The downloaded keyring from I2P has permissions of 660, not 644, without running the chmod 644 command.

Otherwise, everything worked as expected after changing the file permissions, and I could load and browse I2P on Whonix.

Thank you arraybolt3.