
installable from Qubes repository / refactoring

Open adrelanos opened this issue 4 years ago • 3 comments

This I find bad...

qvm-run -p "$resources_qube" "cd ${resources_dir%/*} && git clone https://github.com/elliotkillick/qvm-create-windows-qube"

echo -e "${BLUE}[i]${NC} Please check for a \"Good signature\" from GPG..." >&2
qvm-run -q "$resources_qube" "gpg --keyserver keys.openpgp.org --recv-keys 018FB9DE6DFA13FB18FB5552F9B90D44F83DD5F2"
qvm-run -p "$resources_qube" "cd '$resources_dir' && git verify-commit \$(git rev-list --max-parents=0 HEAD)"

...because it runs commands that require networking from dom0, relies on networking and successful gpg verification.

Feature request: please design this script from the perspective of already being installed in Qubes dom0 without any networking/extra gpg verification required. Packaging, so this could be reviewed by @QubesOS and installed in dom0 using qubes-dom0-update.

adrelanos, Mar 15 '20 10:03
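An added example, not from the project or from either poster: the quoted snippet asks the user to look for "Good signature" by eye, and this sketch instead compares the signer against the fingerprint pinned in that snippet by parsing the GnuPG status lines that `git verify-commit --raw` writes to stderr. The function names and the sample status lines are constructed for illustration; it assumes git and gpg are present in the qube that holds the clone.

```shell
#!/bin/sh
# Fingerprint taken from the --recv-keys line quoted in the issue.
PINNED_FPR=018FB9DE6DFA13FB18FB5552F9B90D44F83DD5F2

# Constructed sample of GnuPG status output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F9B90D44F83DD5F2 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 018FB9DE6DFA13FB18FB5552F9B90D44F83DD5F2 2020-03-15 1584266580 0 4 0 1 8 00 018FB9DE6DFA13FB18FB5552F9B90D44F83DD5F2'

# sig_matches_pinned_fpr FPR  (hypothetical helper)
# Reads GnuPG status text on stdin. Succeeds only if at least one VALIDSIG
# line is present, every VALIDSIG names FPR as the primary key, and no
# failure status (bad, expired or revoked signature/key) appears.
sig_matches_pinned_fpr() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # The last field is the primary key fingerprint; field 3 may be
            # a signing subkey. If gpg omits the primary field, the compare
            # fails and the check fails closed.
            if (toupper($NF) == want) ok = 1; else bad = 1
        }
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ {
            bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_root_commit DIR  (hypothetical wrapper)
# Same commit selection as the quoted snippet, but the exit status is decided
# by the fingerprint comparison rather than by a human reading the output.
verify_root_commit() {
    root=$(git -C "$1" rev-list --max-parents=0 HEAD) || return 1
    git -C "$1" verify-commit --raw "$root" 2>&1 |
        sig_matches_pinned_fpr "$PINNED_FPR"
}
```

The comparison is only as trustworthy as the copy of the script that carries the pinned fingerprint, which is why the thread turns to packaging and out-of-band verification.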

I do realize this potential MITM vulnerability, however, I removed the reminder to verify out-of-band due to #7.

Either way, this project should be packaged for streamlined and more secure Qubes installation. I've never done any type of packaging before so I'll have to figure that out but it is on the way!

ElliotKillick, Apr 23 '20 01:04

I've decided to re-add the reminder to verify out-of-band in https://github.com/elliotkillick/qvm-create-windows-qube/commit/5f7fb111bb9b726b7d57c0093a07177b012e2383. This is because as we discovered later in connected issue #6, that was not the issue. However, I did keep the simplified wording from the commit in issue #7.

Anyway, I'm looking into making this into an RPM for QCWQ 3.0 or possibly at that point just skipping to 4.0.0.0 to keep in line with Qubes versioning? However, before that I plan on at least finishing the automatic answer file selection feature like VMware has and probably also porting the main qvm-create-windows-qube.sh shell script to Python. That feature is mostly done and I've thought out how I'm going to do the rest; I just need to implement it now.

ElliotKillick, Aug 31 '20 20:08

It looks like this work is not necessary anymore due to the great work of @fepitre (thank you!) creating qubes-mgmt-salt-windows-mgmt. I see an rpm_spec folder in there so that looks like packaging and the SaltStack does all the work creating the windows-mgmt VM so I think that's this issue closed. Is this correct @fepitre?

ElliotKillick, Apr 01 '21 04:04