suzanne.soy/qubes-doc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clean up script based build, add manual steps

Browse Source
This commit is contained in:
awokd 2018-02-22 10:25:50 +00:00 committed by GitHub
parent f075bfc287
commit 045ff64f1b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 102 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
building/qubes-r3-building.md
View File

@ -11,17 +11,22 @@ redirect_from:
Building Qubes OS ISO Building Qubes OS ISO
========================= =========================
In `dom0`, install the Fedora 26 template if you don't already have it. Build Environment
Other rpm-based operating systems may also work, but Fedora 26 has been successfully used to build Qubes R3.2 and R4.0 with the below steps. -----------------
Fedora 26 has been successfully used to build Qubes R3.2 and R4.0 with the below steps.
Other rpm-based operating systems may also work.
Travis-CI also uses Ubuntu 14.04 to perform test builds, except it can not test the `./setup` script. Travis-CI also uses Ubuntu 14.04 to perform test builds, except it can not test the `./setup` script.
In `dom0`, install the Fedora 26 template if you don't already have it.
~~~ ~~~
sudo qubes-dom0-update qubes-template-fedora-26 sudo qubes-dom0-update qubes-template-fedora-26
~~~ ~~~
Create a standalone appVM from the Fedora 26 template. Create a standalone appVM from the Fedora 26 template.
You may choose your own name, but this document will refer to it as `dev26`. You may choose your own name, but this document will refer to it as `dev26`.
Set private storage to at least 60 GB if you will be building only the default templates; 100 GB if you plan on additional. Set private storage to at least 60 GB if you will be building only the default templates; 100 GB or more if you plan on additional.
It's not required, but if you allocate additional CPU cores, the build process can utilize them at some steps such as the kernel build. It's not required, but if you allocate additional CPU cores, the build process can utilize them at some steps such as the kernel build.
Likewise, more memory (up to 16 GB) can help. Likewise, more memory (up to 16 GB) can help.
Last, you may want to disable memory balancing on `dev26` but keep in mind the impact on your other qubes. Last, you may want to disable memory balancing on `dev26` but keep in mind the impact on your other qubes.
@ -32,52 +37,49 @@ Once you've built `dev26`, open a Terminal window to it and install the necessar
$ sudo dnf install git createrepo rpm-build make wget rpmdevtools dialog rpm-sign gnupg dpkg-dev debootstrap python2-sh $ sudo dnf install git createrepo rpm-build make wget rpmdevtools dialog rpm-sign gnupg dpkg-dev debootstrap python2-sh
~~~ ~~~
Get the necessary keys to verify the sources: Get the necessary keys to verify the sources (run these and other commands below as a regular user, not root):
~~~ ~~~
$ wget https://keys.qubes-os.org/keys/qubes-master-signing-key.asc wget https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
$ gpg --import qubes-master-signing-key.asc gpg --import qubes-master-signing-key.asc
$ gpg --edit-key 36879494 gpg --edit-key 36879494
# Verify fingerprint!, set trust to *ultimate* # Verify fingerprint!, set trust to *ultimate*
# (Typical sequence is fpr, trust, 5, q) # (Typical sequence is fpr, trust, 5, q)
$ wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc
$ gpg --import qubes-developers-keys.asc gpg --import qubes-developers-keys.asc
~~~
And if you will be building the Whonix templates:
~~~
$ wget https://github.com/QubesOS/qubes-builder-debian/blob/master/keys/whonix-developer-patrick.asc
$ gpg --import whonix-developer-patrick.asc
~~~ ~~~
**Note** In the above process, we do *not* rely on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensuring they match! **Note** In the above process, we do *not* rely on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensuring they match!
Likewise, the Whonix signing key is available from multiple sources.
Now let's bootstrap the builder. Unfortunately, the builder cannot verify itself (the classic Chicken and Egg problem), so we need to verify the signature manually: Now let's bootstrap the builder. Unfortunately, the builder cannot verify itself (the classic Chicken and Egg problem), so we need to verify the signature manually:
~~~ ~~~
$ git clone git://github.com/QubesOS/qubes-builder.git git clone git://github.com/QubesOS/qubes-builder.git
$ mkdir qubes-builder/keyrings cd qubes-builder
$ mkdir qubes-builder/keyrings/git git tag -v `git describe`
$ cp .gnupg/pubring.gpg qubes-builder/keyrings/git/
$ cp .gnupg/trustdb.gpg qubes-builder/keyrings/git/
$ cd qubes-builder
$ git tag -v `git describe`
~~~ ~~~
It's very important to check if the verification message contains "Good signature from ..." and does not contain "WARNING: This key is not certified with a trusted signature!". **Note** It's very important to check if the verification message contains "Good signature from ..." and does not contain "WARNING: This key is not certified with a trusted signature!".
Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components. Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components.
The builder will do that for us for each component, every time we build, even for all auxiliary files (e.g. Xen or Linux kernel sources). The builder will do that for us for each component, every time we build, even for all auxiliary files (e.g. Xen or Linux kernel sources).
Let's configure the builder first (see Note at bottom if you would prefer to manually configure):
Build using setup script
-----------------
Let's configure the builder first (see [procedure](/doc/qubes-r3-building/#build-using-manual-steps) at bottom if you would prefer to manually configure):
~~~ ~~~
$ ./setup cd ~/qubes-builder
./setup
# Select Yes to add Qubes Master Signing Key
# Select Yes to add Qubes OS Signing Key
# Select 3.2 or 4.0 for version # Select 3.2 or 4.0 for version
# Stable # Stable
# No (we want a full build) # No (we want a full build)
# Select builder-fedora, builder-debian, template-whonix, mgmt-salt # Select builder-fedora, builder-debian, template-whonix, mgmt-salt
# Choose Yes to add adrelanos@riseup.net third party key
# Yes (to download) # Yes (to download)
# Select fc26, stretch, whonix-gateway, whonix-workstation (for the currently shipping templates) # Select fc26, stretch, whonix-gateway, whonix-workstation (for the currently shipping templates)
~~~ ~~~
@ -85,28 +87,92 @@ $ ./setup
Once the download is complete, continue the build process with: Once the download is complete, continue the build process with:
~~~ ~~~
$ make install-deps make install-deps
$ make get-sources make get-sources
~~~ ~~~
Finally, if you are making a test build, use: Finally, if you are making a test build, use:
~~~ ~~~
$ make qubes make qubes
$ make iso make iso
~~~ ~~~
Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf): Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf):
~~~ ~~~
$ make sign-all make qubes
$ make qubes make sign-all
$ make iso make iso
~~~ ~~~
Enjoy your new ISO! Enjoy your new ISO!
**Note** Instead of using `./setup`, you can manually configure the build by doing `cp example-configs/qubes-os-master.conf builder.conf` and editing `builder.conf`. Build using manual steps
Take a look at `doc/Configuration.md` for a description of all available options. -----------------
Instead of using `./setup`, you can manually configure the build.
The script takes care of a lot of the keyring preparation for us, so we first need to set that up.
If you will be building Whonix templates:
~~~
cd ~
gpg --keyserver pgp.mit.edu --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
gpg --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
~~~
**Note:** It's very important to check the fingerprint displayed against other sources such as the [Whonix web site](https://www.whonix.org/wiki/Whonix_Signing_Key), etc.
It should look something like this:
~~~
pub 4096R/2EEACCDA 2014-01-16 [expires: 2021-04-17]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
uid Patrick Schleizer <adrelanos@riseup.net>
sub 4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub 4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub 4096R/77BB3C48 2014-01-16 [expires: 2021-04-17]
~~~
Next, prepare the Git keyring directory and copy them in:
~~~
export GNUPGHOME=~/qubes-builder/keyrings/git
mkdir --parents "$GNUPGHOME"
cp ~/.gnupg/pubring.gpg "$GNUPGHOME"
cp ~/.gnupg/trustdb.gpg "$GNUPGHOME"
chmod --recursive 700 "$GNUPGHOME"
~~~
Copy one of the example configurations:
~~~
cp example-configs/qubes-os-master.conf builder.conf
~~~
Edit `builder.conf`, taking a look at `doc/Configuration.md` for a description of all available options.
continue the build process with:
~~~
make install-deps
make get-sources
~~~
Finally, if you are making a test build, use:
~~~
make qubes
make iso
~~~
Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf):
~~~
make qubes
make sign-all
make iso
~~~
Enjoy your new ISO!