SecBrowser in Qubes - TemplateVM Issues

Summary:
I have followed the Installation guide from website Whonix/wiki/SecBrowser/Qubes and failed to install secbrowser in a Qubes TemplateVM. However, I’ve successfully installed it in an AppVM - but that’s of little use as the AppVM is non-persistent.
Details:
Package Installation
Steps 1 to 8. All successful
Step 9, i.e. sudo apt update, produces errors (edited to remove disallowed links):
“user@debian-10-clone:~$ sudo apt-get update
Get:3 … buster InRelease [37.5 kB]
Get:4 … buster InRelease [2,500 B]
Hit:1 …/debian buster InRelease
Err:3 deb… buster InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY CB8D50BB77BB3C48
Hit:2 …org/debian-security buster/updates InRelease
Reading package lists… Done
W: GPG error…org buster InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY CB8D50BB77BB3C48
E: The repository … buster InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.”
It would appear that the unavailable key CB8D50BB77BB3C48 is a subkey of the primary key 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA downloaded earlier.

Have successfully installed the secbrowser package to a StandaloneVM and to an AppVM but that’s not really ideal for me.

Has anyone a clue how to rectify this?

Did you follow the instructions for adding the signing key?

SecBrowser ™ has been deprecated!

Yes
I downloaded the key with an AppVM, then transferred the text file: whonix.key to the TemplateVM

What’s the output of

sudo apt-key finger --fingerprint "916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA"

in TemplateVM?

Maybe key server issues.

Could you also try please to get the key from web, here:

?

Then same procedure of transferring it to TemplateVM.

Deletion of key in TemplateVM using apt-key beforehand is advisable too.



No output

Here is the output from the AppVM=secbrowser and the TemplateVM=debian-10-clone

user@secbrowser:~$ gpg --keyid-format long --import --import-options show-only --with-fingerprint patrick.asc
gpg: key 8D66066A2EEACCDA: 86 signatures not checked due to missing keys
pub rsa4096/8D66066A2EEACCDA 2014-01-16 [SC] [expires: 2021-04-17]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
uid Patrick Schleizer adrelanos@riseup.net
sub rsa4096/3B1E6942CE998547 2014-01-16 [E] [expires: 2021-04-17]
sub rsa4096/10FDAC53119B3FD6 2014-01-16 [A] [expires: 2021-04-17]
sub rsa4096/CB8D50BB77BB3C48 2014-01-16 [S] [expires: 2021-04-17]

user@secbrowser:~$ gpg --import patrick.asc
gpg: key 8D66066A2EEACCDA: 86 signatures not checked due to missing keys
gpg: key 8D66066A2EEACCDA: public key “Patrick Schleizer adrelanos@riseup.net” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found

user@secbrowser:~$ sudo apt-key export 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA > /tmp/whonix.key
Warning: apt-key output should not be parsed (stdout is not a terminal)
gpg: WARNING: nothing exported

user@secbrowser:~$ ls /tmp/
qrexec-rpc-stderr.1357
qrexec-rpc-stderr-return.1357
qubes-session-env
qubes-session-waiter
ssh-wdfDJIyxIYa3
systemd-private-e7aef1c418b648f3a65f6b25bbe98590-haveged.service-Y7Dkmf
systemd-private-e7aef1c418b648f3a65f6b25bbe98590-rtkit-daemon.service-oabw7c
whonix.key

user@secbrowser:~$ qvm-copy /tmp/whonix.key templatevm_debian-10-clone
qfile-agent: Fatal error: stat templatevm_debian-10-clone (error type: No such file or directory)
EOF

user@debian-10-clone:~$ ls ~/QubesIncoming/secbrowser/
whonix.key
user@debian-10-clone:~$ cd ~/QubesIncoming/secbrowser/
user@debian-10-clone:~/QubesIncoming/secbrowser$ gpg --import whonix.key
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
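
Added example, not part of any post in this thread and not Whonix project code: a text-only check that ties the key ID in apt's NO_PUBKEY message to the `gpg --import-options show-only` listing of a key file, so you can confirm that the file carries the missing signing subkey under the expected fingerprint before moving it to the TemplateVM. The function names are hypothetical and the sample input is condensed from the output quoted above.

```bash
#!/bin/sh
# Constructed sample input, condensed from the output quoted in the thread.
APT_OUTPUT='Err:3 [repository elided] buster InRelease: NO_PUBKEY CB8D50BB77BB3C48
W: GPG error: [repository elided] buster InRelease: NO_PUBKEY CB8D50BB77BB3C48'
KEY_LISTING='pub rsa4096/8D66066A2EEACCDA 2014-01-16 [SC] [expires: 2021-04-17]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
sub rsa4096/3B1E6942CE998547 2014-01-16 [E] [expires: 2021-04-17]
sub rsa4096/10FDAC53119B3FD6 2014-01-16 [A] [expires: 2021-04-17]
sub rsa4096/CB8D50BB77BB3C48 2014-01-16 [S] [expires: 2021-04-17]'
EXPECTED_FPR='916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA'

# Print each distinct 64-bit key ID that apt reported as NO_PUBKEY.
missing_key_ids() {
    printf '%s\n' "$1" | grep -o 'NO_PUBKEY [0-9A-F]\{16\}' | cut -d' ' -f2 | sort -u
}

# Print the primary key fingerprint from a gpg listing, spaces removed.
listing_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/.*Key fingerprint = //p' | tr -d ' ' | head -n 1
}

# Print the usage flags (e.g. "S", "SC") of key ID $2 in listing $1; empty if absent.
key_usage() {
    printf '%s\n' "$1" | awk -v id="$2" '
        ($1 == "pub" || $1 == "sub") && $2 ~ ("/" id "$") {
            print substr($4, 2, length($4) - 2); exit }'
}

# $1 = apt output, $2 = gpg listing of the key file, $3 = expected fingerprint.
# Returns 0 only if every missing key is a signing-capable key in that file.
diagnose() {
    [ "$(listing_fingerprint "$2")" = "$3" ] || { echo "fingerprint mismatch"; return 2; }
    rc=0
    for id in $(missing_key_ids "$1"); do
        usage=$(key_usage "$2" "$id")
        case $usage in
            *S*) echo "$id: signing-capable key under $3" ;;
            "")  echo "$id: not in this key file"; rc=1 ;;
            *)   echo "$id: in key file but not signing-capable [$usage]"; rc=1 ;;
        esac
    done
    return $rc
}

diagnose "$APT_OUTPUT" "$KEY_LISTING" "$EXPECTED_FPR"
```

A zero exit status here only says the key file is the right one; an empty export like the `whonix.key` above still has to be caught by checking that the file is non-empty before it is copied.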

Instructions SecBrowser ™ has been deprecated! were fixed just now. Please retry.

Thanks. SecBrowser is now installed in the TemplateVM. However, when running the ‘secbrowser’ command in the AppVM I get the following output:

user@secbrowser:~$ secbrowser
cp: cannot access '/var/cache/tb-binary/.cache/secbrowser/gpgtmpdir': Permission denied
[ERROR] [secbrowser] ###########################################################
## secbrowser script bug.
## No panic. Nothing is broken. Just some rare condition
## has been hit. Try again later. There is likely a
## solution for this problem. Please see the Whonix News,
## Whonix User Help Forum and Whonix Documentation.
## xxxxxxxxxxxxxxxx
## Please report this bug!
##
## BASH_COMMAND: cp --verbose --recursive --no-clobber "/var/cache/tb-binary/.cache" "$tb_user_home/"
## exit_code: 1
##
## tb_browser_folder: /home/user/.secbrowser/secbrowser
##
## tb_user_js_target_file: /home/user/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js
##
## output: /usr/lib/msgcollector/msgcollector
## output_opts: --icon /usr/share/icons/anon-icon-pack/tbupdate.ico --parentpid 1333 --identifier secbrowser --parenttty /dev/pts/0 --whoami user
## progressbaridx: 
##
## Experts only:
## bash -x secbrowser

Some permission errors.

To fix:

Either in TemplateVM:

sudo /var/lib/dpkg/info/tb-updater.postinst

Could be also run in AppVM but then it would only fix it temporarily until next reboot.

Will work on that.

That worked well.
Thanks for your help

This is now fixed in all Whonix repositories.