SecBrowser in Qubes - TemplateVM Issues

ronpunz · September 14, 2019, 11:50am

Summary:
I have followed the Installation guide from website Whonix/wiki/SecBrowser/Qubes and failed to install secbrowser in a qubes templatevm. However, I’ve successfully installed it in an AppVM - but that’s of little use as the Appvm is non-persistent.
Details:
Package Installation
Steps 1 to 8. All successful
Step 9 i.e. sudo apt update produces errors:(edited to remove disallowed links)
“user@debian-10-clone:~$ sudo apt-get update
Get:3 … buster InRelease [37.5 kB]
Get:4 … buster InRelease [2,500 B]
Hit:1 …/debian buster InRelease
Err:3 deb… buster InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY CB8D50BB77BB3C48
Hit:2 …org/debian-security buster/updates InRelease
Reading package lists… Done
W: GPG error…org buster InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY CB8D50BB77BB3C48
E: The repository … buster InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.”
It would appear that the unavailable key CB8D50BB77BB3C48, is a subkey of the primary key 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA downloaded earlier.

Have successfully installed the secbrowser package to a StandaloneVM and to an ApppVM but that’s not reaaly ideal for me.

Has anyone a clue how to rectify.

Patrick · September 14, 2019, 12:38pm

Did you follow the instructions for adding the signing key?

SecBrowser ™ has been deprecated!

ronpunz · September 14, 2019, 4:38pm

Yes
I downloaded the key with an AppVM, then transferred the text file: whonix.key to the TemplateVM

Patrick · September 14, 2019, 5:48pm

What’s the output of

sudo apt-key finger --fingerprint "916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA"

in TemplateVM?

Patrick · September 14, 2019, 5:51pm

Maybe key server issues.

Could you also try please to get the key from web, here:

?

Then same procedure of transferring it to TemplateVM.

Deletion of key in TemplateVM using apt-key beforehand is advisable too.

ronpunz · September 15, 2019, 6:27am

No output

ronpunz · September 15, 2019, 6:32am

Here is the output from the AppVM=secbrowser and the TemplateVM=debian-10-clone

user@secbrowser:~$ gpg --keyid-format long --import --import-options show-only --with-fingerprint patrick.asc
gpg: key 8D66066A2EEACCDA: 86 signatures not checked due to missing keys
pub rsa4096/8D66066A2EEACCDA 2014-01-16 [SC] [expires: 2021-04-17]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
uid Patrick Schleizer adrelanos@riseup.net
sub rsa4096/3B1E6942CE998547 2014-01-16 [E] [expires: 2021-04-17]
sub rsa4096/10FDAC53119B3FD6 2014-01-16 [A] [expires: 2021-04-17]
sub rsa4096/CB8D50BB77BB3C48 2014-01-16 [S] [expires: 2021-04-17]

user@secbrowser:~$ gpg --import patrick.asc
gpg: key 8D66066A2EEACCDA: 86 signatures not checked due to missing keys
gpg: key 8D66066A2EEACCDA: public key “Patrick Schleizer adrelanos@riseup.net” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

user@secbrowser:~$ sudo apt-key export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA > /tmp/whonix.key
Warning: apt-key output should not be parsed (stdout is not a terminal)
gpg: WARNING: nothing exported

user@secbrowser:~$ ls /tmp/
qrexec-rpc-stderr.1357
qrexec-rpc-stderr-return.1357
qubes-session-env
qubes-session-waiter
ssh-wdfDJIyxIYa3
systemd-private-e7aef1c418b648f3a65f6b25bbe98590-haveged.service-Y7Dkmf
systemd-private-e7aef1c418b648f3a65f6b25bbe98590-rtkit-daemon.service-oabw7c
whonix.key

user@secbrowser:~$ qvm-copy /tmp/whonix.key templatevm_debian-10-clone
qfile-agent: Fatal error: stat templatevm_debian-10-clone (error type: No such file or directory)
EOF

user@debian-10-clone:~$ ls ~/QubesIncoming/secbrowser/
whonix.key
user@debian-10-clone:~$ cd ~/QubesIncoming/secbrowser/
user@debian-10-clone:~/QubesIncoming/secbrowser$ gpg --import whonix.key
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Patrick · September 15, 2019, 8:59am

Instructions SecBrowser ™ has been deprecated! were fixed just now. Please retry.

ronpunz · September 15, 2019, 10:04am

Thanks. SecBrowser is now installed in the TemplateVM. However, when running the ‘secbrowser’ command in the AppVM I get the following output:

user@secbrowser:~$ secbrowser
cp: cannot access '/var/cache/tb-binary/.cache/secbrowser/gpgtmpdir': Permission denied
[ERROR] [secbrowser] ###########################################################
## secbrowser script bug.
## No panic. Nothing is broken. Just some rare condition
## has been hit. Try again later. There is likely a
## solution for this problem. Please see the Whonix News,
## Whonix User Help Forum and Whonix Documentation.
## xxxxxxxxxxxxxxxx
## Please report this bug!
##
## BASH_COMMAND: cp --verbose --recursive --no-clobber "/var/cache/tb-binary/.cache" "$tb_user_home/"
## exit_code: 1
##
## tb_browser_folder: /home/user/.secbrowser/secbrowser
##
## tb_user_js_target_file: /home/user/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js
##
## output: /usr/lib/msgcollector/msgcollector
## output_opts: --icon /usr/share/icons/anon-icon-pack/tbupdate.ico --parentpid 1333 --identifier secbrowser --parenttty /dev/pts/0 --whoami user
## progressbaridx: 
##
## Experts only:
## bash -x secbrowser

Patrick · September 15, 2019, 10:19am

Some permission errors.

To fix:

Either in TemplateVM:

sudo /var/lib/dpkg/info/tb-updater.postinst

Could be also run in AppVM but then it would only fix it temporarily until next reboot.

Will work on that.

ronpunz · September 15, 2019, 10:45am

That worked well.
Thanks for your help

Patrick · September 15, 2019, 12:18pm

This is now fixed in all Whonix repositories.