pub rsa4096 2016-06-25 [SC] 4B1F 400D F256 51B5 3C41 41B3 8B3F 30F9 C8C0 C2EF uid [ unknown] unman (Qubes OS signing key)
sub rsa4096 2016-06-27 [S] [expires: 2024-06-30] sub rsa4096 2016-06-25 [E]
qvm-run -p qube 'cat PATH_TO_KEY ' > RPM-GPG-KEY-unman
sudo mv RPM-GPG-KEY-unman /etc/pki/rpm-gpg/RPM-GPG-KEY-unman
Download the template you want to use, and copy it into dom0:
qvm-run -p QUBE 'cat PATH_TO_DOWNLOADED_TEMPLATE ' > TEMPLATE_PACKAGE_NAME
TEMPLATE_PACKAGE_NAME with a name of your choice.
Then check the signature by (e.g):
rpm -K TEMPLATE_PACKAGE_NAME
Install the template using qvm-template:
qvm-template install --keyring /etc/pki/rpm-gpg/RPM-GPG-KEY-unman FULL_PATH_TO_DOWNLOADED_TEMPLATE
sudo mv RPM-GPG-KEY-unman /etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman
Now you can use qvm-template or qvm-template-gui, as normal.
[3isec-templates] name = 3isec Qubes Templates Repository (updates) baseurl = https://qubes.3isec.org/rpm/r$releasever/templates skip_if_unavailable = False enabled = 1 metadata_expire = 6h gpgcheck = 1 gpgkey = file:////etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman
apt-mark showholdin the template.
apt-mark unholdwill remove the hold, and allow you to update the Qubes packages.
apt-mark holdto make sure that the Qubes packages are not removed when updating other packages.
apt updateand then update the Qubes packages - either manually with
apt install..., or using a manager like aptitude, and selecting Qubes packages for upgrade.
Undoubtedly a pain, but less than the pain of breaking your qubes, and having to crawl backwards to get them working again.
Then again, if you use aptitude you would be able to see what changes would be made, opt to retain the Qubes packages - always keep the Qubes packages, and avoid breakage that way. This depends on you looking to see what changes will be made and acting accordingly. Using
apt-mark hold will take some pressure off.
sudo lvresize --size 40G /dev/qubes_dom0/root
sudo resize2fs /dev/mapper/qubes_dom0-root
For more details and options, look here.
https://the definitions have
http://HTTPS///- this is so that the caching proxy can see the request, and then connect to the repository over https. You can read about this here