From 55110c7e722b27315ab73db08fb48fe9b6f521cb Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Wed, 7 Feb 2018 09:55:41 +0000 Subject: [PATCH 01/11] qubes-r3-building 4.0 updates add build VM recommendations update dependencies add typical gpg sequence of fpr, trust, 5, q add key retrieval for Whonix templates (please verify process and key ID!) add .setup steps misc spelling/grammar --- building/qubes-r3-building.md | 79 ++++++++++++++++++++++++++++------- 1 file changed, 64 insertions(+), 15 deletions(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index d4c34512..99d33c53 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md @@ -1,6 +1,6 @@ --- layout: doc -title: Qubes R3 Building +title: Qubes ISO Building permalink: /doc/qubes-r3-building/ redirect_from: - /en/doc/qubes-r3-building/ 
@@ -8,13 +8,27 @@ redirect_from: - /wiki/QubesR3Building/ --- -Building Qubes OS 3.0 ISO +Building Qubes OS ISO ========================= -Ensure your system is rpm-based and that you have necessary dependencies installed (see [QubesBuilder](/doc/qubes-builder/) for more info): +In `dom0`, install the Fedora 26 template if you don't already have it. +Other rpm-based operating systems may also work, but Fedora 26 has been successfully used to build Qubes R3.2 and R4.0 with the below steps. ~~~ -sudo yum install git createrepo rpm-build make wget rpmdevtools pandoc +sudo qubes-dom0-update qubes-template-fedora-26 +~~~ + +Create a standalone appVM from the Fedora 26 template. +You may choose your own name, but this document will refer to it as `dev26`. +Set private storage to at least 60000MB if you will be building only the default templates; 100000MB if you plan on additional. +It's not required, but if you allocate additional CPU cores, the build process can utilize them at some steps such as the kernel build. +Likewise, more memory (up to 16GB) can help. +Last, you may want to disable memory balancing on `dev26` but keep in mind the impact on your other qubes. + +Once you've built `dev26`, open a Terminal window to it and install the necessary dependencies (see [QubesBuilder](/doc/qubes-builder/) for more info): + +~~~ +$ sudo dnf install git createrepo rpm-build make wget rpmdevtools dialog rpm-sign gnupg dpkg-dev debootstrap python2-sh ~~~ Get the necessary keys to verify the sources: 
@@ -24,36 +38,71 @@ $ wget https://keys.qubes-os.org/keys/qubes-master-signing-key.asc $ gpg --import qubes-master-signing-key.asc $ gpg --edit-key 36879494 # Verify fingerprint!, set trust to *ultimate* +# (Typical sequence is fpr, trust, 5, q) $ wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc $ gpg --import qubes-developers-keys.asc ~~~ -Note we do *not* relay above on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensure they match! +And if you will be building the Whonix templates: -Now lets bootstrap the builder. Unfortunately the builder cannot verify itself (the classic Chicken and Egg problem), so we need to verify the signature manually: +~~~ +$ gpg --keyserver pgp.mit.edu --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA +~~~ + +**Note** In the above process, we do *not* rely on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensuring they match! +Likewise, the Whonix signing key is available from multiple sources. + +Now let's bootstrap the builder. Unfortunately, the builder cannot verify itself (the classic Chicken and Egg problem), so we need to verify the signature manually: ~~~ $ git clone git://github.com/QubesOS/qubes-builder.git +$ mkdir qubes-builder/keyrings +$ mkdir qubes-builder/keyrings/git +$ cp .gnupg/pubring.gpg qubes-builder/keyrings/git/ +$ cp .gnupg/trustdb.gpg qubes-builder/keyrings/git/ $ cd qubes-builder -$ git describe --exact-match HEAD - -$ git tag -v +$ git tag -v `git describe` ~~~ -Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components, as the builder will do that for us, for each component, every time we, even for all aux files (e.g. Xen or Linux kernel sources). 
+Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components. +The builder will do that for us for each component, every time we build, even for all auxiliary files (e.g. Xen or Linux kernel sources). -Let's configure the builder first (we can use one of the example configs, either for R2 or "master", which currently means pre-released R3): +Let's configure the builder first (see Note at bottom if you would prefer to manually configure): ~~~ -cp example-configs/qubes-os-master.conf builder.conf +$ ./setup +# Select 3.2 or 4.0 for version +# Stable +# No (we want a full build) +# Select builder-fedora, builder-debian, template-whonix, mgmt-salt +# Yes (to download) +# Select fc26, stretch, whonix-gateway, whonix-workstation (for the currently shipping templates) ~~~ -You can take a loot at the `builder.conf.default` for a description of all available options. Nevertheless, the default config should be enough for start: +Once the download is complete, continue the build process with: ~~~ -$ make get-sources qubes -$ make sign-all # this requires setting SIGN_KEY in the builder.conf, can be skipped for test builds. +$ make install-deps +$ make get-sources +~~~ + +Finally, if you are making a test build, use: + +~~~ +$ make qubes +$ make iso +~~~ + +Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf): + +~~~ +$ make sign-all $ make iso ~~~ Enjoy your new ISO! + + +**Note** Instead of using `./setup`, you can manually configure the build by doing `cp example-configs/qubes-os-master.conf builder.conf` and editing `builder.conf`. +Take a look at `builder.conf.default` for a description of all available options. + From d1eec3b7f3da9ef7deea47913e10621163c6bf41 Mon Sep 17 00:00:00 2001 
From: awokd <34515595+awokd@users.noreply.github.com> Date: Wed, 7 Feb 2018 09:58:12 +0000 Subject: [PATCH 02/11] remove R3 from Building Qubes OS ISO title --- doc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc.md b/doc.md index 08ddea76..62276505 100644 --- a/doc.md +++ b/doc.md @@ -261,7 +261,7 @@ Building -------- * [Building Qubes](/doc/qubes-builder/) (["API" Details](/doc/qubes-builder-details/)) * [Development Workflow](/doc/development-workflow/) - * [Building Qubes OS 3.0 ISO](/doc/qubes-r3-building/) + * [Building Qubes OS ISO](/doc/qubes-r3-building/) * [Building Qubes Templates](https://github.com/QubesOS/qubes-template-configs) * [Building a TemplateVM based on a new OS (ArchLinux example)](/doc/building-non-fedora-template/) * [Building the Archlinux Template](/doc/building-archlinux-template/) From c1de3be92fe68c281710fa083eec0dc9875bd0ef Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Wed, 7 Feb 2018 10:20:12 +0000 Subject: [PATCH 03/11] MB -> GB for clarity and to fix Travis spell check --- building/qubes-r3-building.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 99d33c53..22ddb94c 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md 
@@ -20,9 +20,9 @@ sudo qubes-dom0-update qubes-template-fedora-26 Create a standalone appVM from the Fedora 26 template. You may choose your own name, but this document will refer to it as `dev26`. -Set private storage to at least 60000MB if you will be building only the default templates; 100000MB if you plan on additional. +Set private storage to at least 60 GB if you will be building only the default templates; 100 GB if you plan on additional. It's not required, but if you allocate additional CPU cores, the build process can utilize them at some steps such as the kernel build. -Likewise, more memory (up to 16GB) can help. +Likewise, more memory (up to 16 GB) can help. Last, you may want to disable memory balancing on `dev26` but keep in mind the impact on your other qubes. Once you've built `dev26`, open a Terminal window to it and install the necessary dependencies (see [QubesBuilder](/doc/qubes-builder/) for more info): From 2705f317ea9ce6315efae2a8019247523c41178d Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Thu, 15 Feb 2018 13:07:52 +0000 Subject: [PATCH 04/11] link to ISO build doc instead of Archlinux although the screenshots are nice --- building/qubes-builder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/building/qubes-builder.md b/building/qubes-builder.md index d5fe6e48..c36edcce 100644 --- a/building/qubes-builder.md +++ b/building/qubes-builder.md 
@@ -8,7 +8,7 @@ redirect_from: - /wiki/QubesBuilder/ --- -**Note: The build system has been improved since this how-to was last updated. The [Archlinux template building instructions](/doc/building-archlinux-template/) contain more up-to-date and detailed information on how to use the build system.** +**Note: The build system has been improved since this how-to was last updated. The [ISO building instructions](/doc/qubes-r3-building/) contain more up-to-date information on how to use the build system.** Building Qubes from scratch =========================== From 089b8d2f7b61dbeaa761602c742e0a7827ae160f Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Fri, 16 Feb 2018 21:47:34 +0000 Subject: [PATCH 05/11] use --import instead of --recv-keys and add more detail for manually configured builds --- building/qubes-r3-building.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 22ddb94c..754ccc19 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md @@ -46,7 +46,8 @@ $ gpg --import qubes-developers-keys.asc And if you will be building the Whonix templates: ~~~ -$ gpg --keyserver pgp.mit.edu --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA +$ wget https://github.com/QubesOS/qubes-builder-debian/blob/master/keys/whonix-developer-patrick.asc +$ gpg --import whonix-developer-patrick.asc ~~~ **Note** In the above process, we do *not* rely on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensuring they match! 
@@ -105,4 +106,16 @@ Enjoy your new ISO! **Note** Instead of using `./setup`, you can manually configure the build by doing `cp example-configs/qubes-os-master.conf builder.conf` and editing `builder.conf`. Take a look at `builder.conf.default` for a description of all available options. +On manually configured builds, you may also need to: + +~~~ +export GNUPGHOME=~/qubes-builder/keyrings/git +mkdir --parents "$GNUPGHOME" +chmod --recursive 700 "$GNUPGHOME" +echo '427F11FD0FAA4B080123F01CDDFA1A3E36879494:6:' | gpg --import-ownertrust +~~~ +And for the Whonix templates: +~~~ +echo '916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:6:' | gpg --import-ownertrust +~~~ From 0d672fa9c92f97bc758ef15c76047bb207e8efd8 Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Sat, 17 Feb 2018 15:50:52 +0000 Subject: [PATCH 06/11] remove --import-ownertrust on non-Qubes key should not be necessary for an official Qubes build --- building/qubes-r3-building.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 754ccc19..16f5647a 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md @@ -114,8 +114,4 @@ mkdir --parents "$GNUPGHOME" chmod --recursive 700 "$GNUPGHOME" echo '427F11FD0FAA4B080123F01CDDFA1A3E36879494:6:' | gpg --import-ownertrust ~~~ -And for the Whonix templates: -~~~ -echo '916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:6:' | gpg --import-ownertrust -~~~ From f075bfc2870ae2a2d3d9fcdd1b410c09ba3448e1 Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Wed, 21 Feb 2018 08:16:21 +0000 Subject: [PATCH 07/11] add verification desc., remove --import-ownertrust --- building/qubes-r3-building.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 16f5647a..0e0084f2 100644 --- a/building/qubes-r3-building.md 
+++ b/building/qubes-r3-building.md @@ -13,6 +13,7 @@ Building Qubes OS ISO In `dom0`, install the Fedora 26 template if you don't already have it. Other rpm-based operating systems may also work, but Fedora 26 has been successfully used to build Qubes R3.2 and R4.0 with the below steps. +Travis-CI also uses Ubuntu 14.04 to perform test builds, except it can not test the `./setup` script. ~~~ sudo qubes-dom0-update qubes-template-fedora-26 @@ -65,6 +66,7 @@ $ cd qubes-builder $ git tag -v `git describe` ~~~ +It's very important to check if the verification message contains "Good signature from ..." and does not contain "WARNING: This key is not certified with a trusted signature!". Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components. The builder will do that for us for each component, every time we build, even for all auxiliary files (e.g. Xen or Linux kernel sources). @@ -98,6 +100,7 @@ Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf) ~~~ $ make sign-all +$ make qubes $ make iso ~~~ @@ -105,13 +108,5 @@ Enjoy your new ISO! **Note** Instead of using `./setup`, you can manually configure the build by doing `cp example-configs/qubes-os-master.conf builder.conf` and editing `builder.conf`. -Take a look at `builder.conf.default` for a description of all available options. -On manually configured builds, you may also need to: - -~~~ -export GNUPGHOME=~/qubes-builder/keyrings/git -mkdir --parents "$GNUPGHOME" -chmod --recursive 700 "$GNUPGHOME" -echo '427F11FD0FAA4B080123F01CDDFA1A3E36879494:6:' | gpg --import-ownertrust -~~~ +Take a look at `doc/Configuration.md` for a description of all available options. From 045ff64f1b5ee8024f2ebcc212cceaf178bb64fb Mon Sep 17 00:00:00 2001 
From: awokd <34515595+awokd@users.noreply.github.com> Date: Thu, 22 Feb 2018 10:25:50 +0000 Subject: [PATCH 08/11] clean up script based build, add manual steps --- building/qubes-r3-building.md | 138 +++++++++++++++++++++++++--------- 1 file changed, 102 insertions(+), 36 deletions(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 0e0084f2..841172db 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md @@ -11,17 +11,22 @@ redirect_from: Building Qubes OS ISO ========================= -In `dom0`, install the Fedora 26 template if you don't already have it. -Other rpm-based operating systems may also work, but Fedora 26 has been successfully used to build Qubes R3.2 and R4.0 with the below steps. +Build Environment +----------------- + +Fedora 26 has been successfully used to build Qubes R3.2 and R4.0 with the below steps. +Other rpm-based operating systems may also work. Travis-CI also uses Ubuntu 14.04 to perform test builds, except it can not test the `./setup` script. +In `dom0`, install the Fedora 26 template if you don't already have it. + ~~~ sudo qubes-dom0-update qubes-template-fedora-26 ~~~ Create a standalone appVM from the Fedora 26 template. You may choose your own name, but this document will refer to it as `dev26`. -Set private storage to at least 60 GB if you will be building only the default templates; 100 GB if you plan on additional. +Set private storage to at least 60 GB if you will be building only the default templates; 100 GB or more if you plan on additional. It's not required, but if you allocate additional CPU cores, the build process can utilize them at some steps such as the kernel build. Likewise, more memory (up to 16 GB) can help. Last, you may want to disable memory balancing on `dev26` but keep in mind the impact on your other qubes. 
@@ -32,52 +37,49 @@ Once you've built `dev26`, open a Terminal window to it and install the necessar $ sudo dnf install git createrepo rpm-build make wget rpmdevtools dialog rpm-sign gnupg dpkg-dev debootstrap python2-sh ~~~ -Get the necessary keys to verify the sources: +Get the necessary keys to verify the sources (run these and other commands below as a regular user, not root): ~~~ -$ wget https://keys.qubes-os.org/keys/qubes-master-signing-key.asc -$ gpg --import qubes-master-signing-key.asc -$ gpg --edit-key 36879494 +wget https://keys.qubes-os.org/keys/qubes-master-signing-key.asc +gpg --import qubes-master-signing-key.asc +gpg --edit-key 36879494 # Verify fingerprint!, set trust to *ultimate* # (Typical sequence is fpr, trust, 5, q) -$ wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc -$ gpg --import qubes-developers-keys.asc -~~~ - -And if you will be building the Whonix templates: - -~~~ -$ wget https://github.com/QubesOS/qubes-builder-debian/blob/master/keys/whonix-developer-patrick.asc -$ gpg --import whonix-developer-patrick.asc +wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc +gpg --import qubes-developers-keys.asc ~~~ **Note** In the above process, we do *not* rely on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensuring they match! -Likewise, the Whonix signing key is available from multiple sources. Now let's bootstrap the builder. 
Unfortunately, the builder cannot verify itself (the classic Chicken and Egg problem), so we need to verify the signature manually: ~~~ -$ git clone git://github.com/QubesOS/qubes-builder.git -$ mkdir qubes-builder/keyrings -$ mkdir qubes-builder/keyrings/git -$ cp .gnupg/pubring.gpg qubes-builder/keyrings/git/ -$ cp .gnupg/trustdb.gpg qubes-builder/keyrings/git/ -$ cd qubes-builder -$ git tag -v `git describe` +git clone git://github.com/QubesOS/qubes-builder.git +cd qubes-builder +git tag -v `git describe` ~~~ -It's very important to check if the verification message contains "Good signature from ..." and does not contain "WARNING: This key is not certified with a trusted signature!". +**Note** It's very important to check if the verification message contains "Good signature from ..." and does not contain "WARNING: This key is not certified with a trusted signature!". + Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components. The builder will do that for us for each component, every time we build, even for all auxiliary files (e.g. Xen or Linux kernel sources). -Let's configure the builder first (see Note at bottom if you would prefer to manually configure): + +Build using setup script +----------------- + +Let's configure the builder first (see [procedure](/doc/qubes-r3-building/#build-using-manual-steps) at bottom if you would prefer to manually configure): ~~~ -$ ./setup +cd ~/qubes-builder +./setup +# Select Yes to add Qubes Master Signing Key +# Select Yes to add Qubes OS Signing Key # Select 3.2 or 4.0 for version # Stable # No (we want a full build) # Select builder-fedora, builder-debian, template-whonix, mgmt-salt +# Choose Yes to add adrelanos@riseup.net third party key # Yes (to download) # Select fc26, stretch, whonix-gateway, whonix-workstation (for the currently shipping templates) ~~~ 
@@ -85,28 +87,92 @@ $ ./setup Once the download is complete, continue the build process with: ~~~ -$ make install-deps -$ make get-sources +make install-deps +make get-sources ~~~ Finally, if you are making a test build, use: ~~~ -$ make qubes -$ make iso +make qubes +make iso ~~~ Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf): ~~~ -$ make sign-all -$ make qubes -$ make iso +make qubes +make sign-all +make iso ~~~ Enjoy your new ISO! -**Note** Instead of using `./setup`, you can manually configure the build by doing `cp example-configs/qubes-os-master.conf builder.conf` and editing `builder.conf`. -Take a look at `doc/Configuration.md` for a description of all available options. +Build using manual steps +----------------- +Instead of using `./setup`, you can manually configure the build. +The script takes care of a lot of the keyring preparation for us, so we first need to set that up. + +If you will be building Whonix templates: + +~~~ +cd ~ +gpg --keyserver pgp.mit.edu --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA +gpg --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA +~~~ + +**Note:** It's very important to check the fingerprint displayed against other sources such as the [Whonix web site](https://www.whonix.org/wiki/Whonix_Signing_Key), etc. 
+It should look something like this: + +~~~ +pub 4096R/2EEACCDA 2014-01-16 [expires: 2021-04-17] + Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA +uid Patrick Schleizer +sub 4096R/CE998547 2014-01-16 [expires: 2021-04-17] +sub 4096R/119B3FD6 2014-01-16 [expires: 2021-04-17] +sub 4096R/77BB3C48 2014-01-16 [expires: 2021-04-17] +~~~ + +Next, prepare the Git keyring directory and copy them in: + +~~~ +export GNUPGHOME=~/qubes-builder/keyrings/git +mkdir --parents "$GNUPGHOME" +cp ~/.gnupg/pubring.gpg "$GNUPGHOME" +cp ~/.gnupg/trustdb.gpg "$GNUPGHOME" +chmod --recursive 700 "$GNUPGHOME" +~~~ + +Copy one of the example configurations: + +~~~ +cp example-configs/qubes-os-master.conf builder.conf +~~~ + +Edit `builder.conf`, taking a look at `doc/Configuration.md` for a description of all available options. + +continue the build process with: + +~~~ +make install-deps +make get-sources +~~~ + +Finally, if you are making a test build, use: + +~~~ +make qubes +make iso +~~~ + +Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf): + +~~~ +make qubes +make sign-all +make iso +~~~ + +Enjoy your new ISO! From 1bf93c11ca3a1c74f455f9bc5e76147f121002ba Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Thu, 22 Feb 2018 11:42:45 +0000 Subject: [PATCH 09/11] fix link and cd directory --- building/qubes-r3-building.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 841172db..5a59ca62 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md 
@@ -68,7 +68,7 @@ The builder will do that for us for each component, every time we build, even fo Build using setup script ----------------- -Let's configure the builder first (see [procedure](/doc/qubes-r3-building/#build-using-manual-steps) at bottom if you would prefer to manually configure): +Let's configure the builder first (see [procedure](/doc/qubes-r3-building#build-using-manual-steps) at bottom if you would prefer to manually configure): ~~~ cd ~/qubes-builder @@ -148,6 +148,7 @@ chmod --recursive 700 "$GNUPGHOME" Copy one of the example configurations: ~~~ +cd ~/qubes-builder cp example-configs/qubes-os-master.conf builder.conf ~~~ From 9999a024aff5efbec049ef5e842d009c1283c33a Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Thu, 22 Feb 2018 18:26:58 +0000 Subject: [PATCH 10/11] emphasize fingerprint verif., unset GNUPGHOME and miscellaneous consistency and cleanup --- building/qubes-r3-building.md | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 5a59ca62..1e052ad1 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md 
@@ -43,13 +43,16 @@ Get the necessary keys to verify the sources (run these and other commands below wget https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg --import qubes-master-signing-key.asc gpg --edit-key 36879494 -# Verify fingerprint!, set trust to *ultimate* -# (Typical sequence is fpr, trust, 5, q) +fpr +# Verify fingerprint! See Note below! +# Once verified, set trust to *ultimate* +# (Typical sequence is trust, 5, q) wget https://keys.qubes-os.org/keys/qubes-developers-keys.asc gpg --import qubes-developers-keys.asc ~~~ **Note** In the above process, we do *not* rely on the security of our server (keys.qubes-os.org) nor the connection (ssl, cert) -- we only rely on you getting the Qubes Master Signing Key fingerprint *somehow* and ensuring they match! +See [Verifying Signatures](/security/verifying-signatures/#importing-qubes-signing-keys) for verification sources. Now let's bootstrap the builder. Unfortunately, the builder cannot verify itself (the classic Chicken and Egg problem), so we need to verify the signature manually: 
@@ -61,14 +64,14 @@ git tag -v `git describe` **Note** It's very important to check if the verification message contains "Good signature from ..." and does not contain "WARNING: This key is not certified with a trusted signature!". -Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components. +Assuming the verification went fine, we're good to go with all the rest without ever thinking more about verifying digital signatures on all the rest of the components, apart from an additional step if doing a non-scripted build. The builder will do that for us for each component, every time we build, even for all auxiliary files (e.g. Xen or Linux kernel sources). Build using setup script ----------------- -Let's configure the builder first (see [procedure](/doc/qubes-r3-building#build-using-manual-steps) at bottom if you would prefer to manually configure): +Let's configure the builder first (see [procedure](/doc/qubes-r3-building/#build-using-manual-steps) at bottom if you would prefer to manually configure): ~~~ cd ~/qubes-builder @@ -84,7 +87,7 @@ cd ~/qubes-builder # Select fc26, stretch, whonix-gateway, whonix-workstation (for the currently shipping templates) ~~~ -Once the download is complete, continue the build process with: +Continue the build process with: ~~~ make install-deps @@ -98,7 +101,7 @@ make qubes make iso ~~~ -Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf): +Or for a fully signed build (this requires setting `SIGN_KEY` in `builder.conf`): ~~~ make qubes 
@@ -123,7 +126,7 @@ gpg --keyserver pgp.mit.edu --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA gpg --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA ~~~ -**Note:** It's very important to check the fingerprint displayed against other sources such as the [Whonix web site](https://www.whonix.org/wiki/Whonix_Signing_Key), etc. +**Note:** It's very important to check the fingerprint displayed against multiple sources such as the [Whonix web site](https://www.whonix.org/wiki/Whonix_Signing_Key), etc. It should look something like this: ~~~ @@ -152,13 +155,14 @@ cd ~/qubes-builder cp example-configs/qubes-os-master.conf builder.conf ~~~ -Edit `builder.conf`, taking a look at `doc/Configuration.md` for a description of all available options. +Edit `builder.conf`, referring to `doc/Configuration.md` for a description of all available options. -continue the build process with: +Continue the build process with: ~~~ make install-deps make get-sources +unset GNUPGHOME ~~~ Finally, if you are making a test build, use: @@ -168,7 +172,7 @@ make qubes make iso ~~~ -Or for a fully signed build (this requires setting SIGN_KEY in the builder.conf): +Or for a fully signed build (this requires setting `SIGN_KEY` in `builder.conf`): ~~~ make qubes From 9f89b16aee66b50d9e9b5142d884c9082e507d5d Mon Sep 17 00:00:00 2001 From: awokd <34515595+awokd@users.noreply.github.com> Date: Sat, 24 Feb 2018 18:45:39 +0000 Subject: [PATCH 11/11] don't use full email address --- building/qubes-r3-building.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/building/qubes-r3-building.md b/building/qubes-r3-building.md index 1e052ad1..d66f08c8 100644 --- a/building/qubes-r3-building.md +++ b/building/qubes-r3-building.md 
@@ -82,7 +82,7 @@ cd ~/qubes-builder # Stable # No (we want a full build) # Select builder-fedora, builder-debian, template-whonix, mgmt-salt -# Choose Yes to add adrelanos@riseup.net third party key +# Choose Yes to add adrelanos's third party key # Yes (to download) # Select fc26, stretch, whonix-gateway, whonix-workstation (for the currently shipping templates) ~~~
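Review bot: In PATCH 01/11, the bootstrap block replaces `git describe --exact-match HEAD` with ``git tag -v `git describe` ``, which drops the requirement that HEAD is itself the signed tag. When HEAD sits past the latest tag, `git describe` prints a name with a commit count and hash suffix, which is not a tag, so the verify step fails with a "tag not found" error that the text does not explain. Keep the exact-match form, for example `git tag -v "$(git describe --exact-match HEAD)"`, and state that a failure here means the checked-out commit is not a signed tag.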
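Review bot: In PATCH 05/11, the Whonix key hunk downloads `https://github.com/QubesOS/qubes-builder-debian/blob/master/keys/whonix-developer-patrick.asc`, and a GitHub `blob/` URL serves the HTML file viewer rather than the key file, so the `gpg --import whonix-developer-patrick.asc` that follows has no key block to import. Point `wget` at the raw file instead, and add a `gpg --fingerprint` comparison after the import, because this hunk removes the `--recv-keys` line that requested the key by its full fingerprint and puts no check in its place.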
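Review bot: In PATCH 07/11, the signed-build block ends up as `make sign-all`, `make qubes`, `make iso`, so signing is requested before `make qubes` has produced anything to sign. PATCH 08/11 changes the order to `make qubes`, `make sign-all`, `make iso`; use that order in this patch too, so that no revision in the series documents the wrong sequence.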
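Review bot: In PATCH 08/11, the keyring preparation under "Build using manual steps" copies `~/.gnupg/pubring.gpg` and `~/.gnupg/trustdb.gpg` wholesale into `$GNUPGHOME`, so every key and ownertrust setting in the user's personal keyring becomes part of what the builder relies on when verifying sources. Say explicitly that the `dev26` keyring should hold only the Qubes and Whonix keys, or export just those keys into the builder keyring. The same section leaves `GNUPGHOME` exported for the rest of the session and runs `cp example-configs/qubes-os-master.conf builder.conf` after an earlier `cd ~`; PATCH 09/11 and PATCH 10/11 fix both, and squashing them in here would keep this revision usable on its own.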
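Review bot: In PATCH 10/11, the first hunk puts `fpr` on its own line inside the shell block after `gpg --edit-key 36879494`, where it reads as a shell command although it is typed at the interactive `gpg>` prompt, as are `trust`, `5` and `q`. A reader pasting the block will also feed the comment lines and the following `wget` to that prompt. Split the block at the `--edit-key` line, or mark the prompt input as such (for example a comment reading "at the gpg> prompt: fpr"), and keep the instruction to stop if the fingerprint does not match ahead of the trust step.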
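Review bot: In PATCH 11/11, the `./setup` walkthrough line `# Choose Yes to add adrelanos's third party key` tells the reader to accept a third-party signing key without giving anything to check it against, while the manual path added in PATCH 08/11 requires comparing the fingerprint 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA against multiple sources. Add the same verification instruction to the scripted path, or cross-reference the note in "Build using manual steps", so both procedures give the Whonix key the same scrutiny.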