Waydroid download

Eddie · January 5, 2024, 2:37pm

I know that there are a lot of topics about it, however i haven’t found this problem solved. (I swear i really tried)

I need to download Waydroid on Whonix - Virtualbox and when i execute
curl https://repo.waydro.id | sudo bash
following the tutorial by waydroid or adding repo as I have seen in another topic on this forum with following command:

export DISTRO="bullseye" && \
sudo scurl -Sf https://repo.waydro.id/waydroid.gpg --output /usr/share/keyrings/waydroid.gpg && \
echo "deb [signed-by=/usr/share/keyrings/waydroid.gpg] tor+https://repo.waydro.id/ $DISTRO main" > ~/waydroid.list && \
sudo mv ~/waydroid.list /etc/apt/sources.list.d/waydroid.list && \
sudo apt update

I get this error:

[sudo] password for user:           
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1754  100  1754    0     0    776      0  0:00:02  0:00:02 --:--:--   776
Hit:1 tor+https://deb.debian.org/debian bookworm InRelease                     
Hit:2 tor+https://deb.whonix.org bookworm InRelease                            
Hit:3 tor+https://deb.debian.org/debian bookworm-updates InRelease             
Hit:4 tor+https://deb.debian.org/debian-security bookworm-security InRelease   
Hit:5 tor+https://deb.kicksecure.com bookworm InRelease                        
Get:6 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease [12.9 kB]
Hit:7 tor+https://deb.debian.org/debian bookworm-backports InRelease           
Get:8 tor+https://repo.waydro.id bullseye InRelease [1312 B]                   
Err:8 tor+https://repo.waydro.id bullseye InRelease                            
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E406D181DCEE19C
Reading package lists... Done                                                  
W: GPG error: tor+https://repo.waydro.id bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E406D181DCEE19C
E: The repository 'tor+https://repo.waydro.id bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
zsh: exit 100   sudo apt update

I’m not really experienced in Linux so maybe you’ll find this question stupid. But I still need your help. Thank you

extraextra · January 5, 2024, 3:04pm

That is solvable.

Next issue you’ll have you’ll also need Wayland not X11.

apparatius · January 5, 2024, 3:09pm

Example setup for Qubes OS but it’ll work for Whonix in Virtualbox as well:

Eddie · January 5, 2024, 5:15pm

Thank you for your answers. But i have another problem. Key fingerprints don’t match:

Mine:

pub   rsa3072/0E406D181DCEE19C 2023-08-03 [SC] [expires: 2099-08-03]
      Key fingerprint = 7CE0 331F 71E0 A238 BB10  02D7 0E40 6D18 1DCE E19C
uid                            Czarek Nakamoto <ci@mrcyjanek.net>
sub   rsa3072/2BF5573548220A06 2023-08-03 [E] [expires: 2099-08-03]

Provided by kicksecure:

0D27 43A2 4328 AE06 34DF 3557 959F E34E 90E5 1522

What should I do?

extraextra · January 5, 2024, 10:44pm

Did you study Verifying Software Signatures - Kicksecure yet? Required for verification to be beneficial.

apparatius · January 6, 2024, 12:19pm

The old key has expired and Waydroid developer created a new one but didn’t upload it anywhere else.
The issue with keys handling seems to have a low priority for the Waydroid developer:

github.com/waydroid/waydroid

Upload PGP key (fingerprint) to distinct domains (out-of-band TOFU cross-reference)

opened 12:06AM - 16 Sep 22 UTC

maltfield

This ticket is a request to: 1. Upload the apt repository PGP key onto multip…le domains, and 2. Document how a user can verify the PGP key from multiple domains out-of-band when downloading the key for the first time (TOFU) ## Why? It's possible for a very powerful adversary to comprimise your release infrastructure (or the infrastructure between the server and the client) and get a new waydroid user to download a malicious version of the `/etc/apt/sources.list.d/waydroid.list` file and the repository signing key `waydroid.gpg` -- but it's exponentially more difficult for them to comprimise multiple distinct domains. Here's a great list of supply chain vulnerabilities including some historically relevant cases where this happened: * https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises # Part One: Making key available out-of-band ## SKS Keyservers **I was unable to find your PGP key** (with fingerprint = `0D2743A24328AE0634DF3557959FE34E90E51522`) on an SKS keyserver. For example: * https://keyserver.ubuntu.com/pks/lookup?search=0D2743A24328AE0634DF3557959FE34E90E51522&fingerprint=on&op=index Please make sure that you upload your PGP key to popular keyservers (they mostly sync with each other, so you only need to upload it to one) such as Ubuntu's keyserver * https://keyserver.ubuntu.com/#submitKey ## https://keys.openpgp.org/ keys.openpgp.org is a newer keyserver that doesn't sync with the others, and it strips UIDs and signatures by default for privacy and to resist [certificate spamming attacks](https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/) Unfortunately, **I could not find for your key on this server**. **Please upload your key** to the keys.openpgp.org keyserver: * https://keys.openpgp.org/upload After you upload your key, **please verify your email address** by clicking the link sent to the uid of the key as described here: * https://keys.openpgp.org/about ## GitHub Please add your public keys as a files somewhere in this GitHub repo ## Sourceforge Please add your public keys as files somewhere in you sourceforge: * https://sourceforge.net/projects/waydroid/files/ ## Other domains I do recommend adding your key to as many other domains as possible, including: 1. Your official twitter and/or mastodon account (just put the keys' full fingerprint (`0D2743A24328AE0634DF3557959FE34E90E51522`) at the top of your profile 2. Your official [keybase.io](https://keybase.io) account 1. Any domains you own (eg `waydro.id` -- unless that's hosted by GitHub as that would provide zero additional benefits to the public key in your GitHub repo (see above) 2. Something else? The more domains you upload it to, the better. # Part Two: Documenting it After uploading your public key and/or full fingerprint to as many distinct domains as possible, please update the project's documentation to **enumerate all of the domains where a user can find the PGP Key** (or key fingerprint) and write a paragraph to **describe how the user can mitigate the risk** of compromised infrastructure by cross-checking the integrity of the key across multiple domains. * https://docs.waydro.id/usage/install-on-desktops

For reference, the new key fingerprint downloaded by me from https://repo.waydro.id/waydroid.gpg matches the one you’ve posted.