Qubes templates

We currently provide these templates:
BlackArch
debian-testing-minimal
Parrot template
Ubuntu 2022.4 minimal
Ubuntu 2024.4 minimal

All templates are signed with my Qubes OS Signing key:

pub   rsa4096 2016-06-25 [SC]
      4B1F 400D F256 51B5 3C41  41B3 8B3F 30F9 C8C0 C2EF
uid           [ unknown] unman (Qubes OS signing key) 
sub   rsa4096 2016-06-27 [S] [expires: 2024-06-30]
sub   rsa4096 2016-06-25 [E]

You can read about how to get a copy of the key, and how to validate it here.

Manual Installation

You will need to copy the key into dom0:
qvm-run -p QUBE 'cat PATH_TO_KEY' > RPM-GPG-KEY-unman
and then move it into place:
sudo mv RPM-GPG-KEY-unman /etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman

Download the template you want to use, and copy it into dom0:
qvm-run -p QUBE 'cat PATH_TO_DOWNLOADED_TEMPLATE' > TEMPLATE_PACKAGE_NAME
replacing TEMPLATE_PACKAGE_NAME with a name of your choice.

You may want to check the signature before copying the package to dom0, e.g.:
rpm -qpi TEMPLATE_PACKAGE_NAME
This will show you the key that signed the package, and this should be the same as the short keyID of the unman key.

Install the template using qvm-template in dom0:
qvm-template --keyring /etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman install FULL_PATH_TO_DOWNLOADED_TEMPLATE
The qvm-template call will check that the package is signed by the key you specify.
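
The key ID comparison from the signature check above, as an added example that is not part of the original page: it reads the Key ID from rpm's Signature line and looks for it among the primary key and subkeys in the key file. The function names and sample data are constructed, and gpg is assumed to be available in the qube that holds the download.

```shell
#!/bin/sh
# Added example: compare the key ID that rpm reports for a package with the
# key IDs contained in the key file. Function names are hypothetical.

# Read `rpm -qpi` output on stdin, print the signing key ID in upper case.
rpm_sig_keyid() {
    sed -n 's/^Signature[[:space:]]*:.*Key ID \([0-9A-Fa-f]\{16\}\)[[:space:]]*$/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# Read `gpg --show-keys --with-colons` output on stdin, print the key ID
# (field 5) of the primary key and of every subkey.
keyfile_keyids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print toupper($5) }'
}

# check_signer RPM_INFO KEY_LISTING
# Prints the key ID and returns 0 if it is in the listing, 1 if the package
# was signed by some other key, 2 if no signature key ID was found.
check_signer() {
    sig=$(printf '%s\n' "$1" | rpm_sig_keyid)
    if [ -z "$sig" ]; then
        echo "no signature key ID found (unsigned package?)" >&2
        return 2
    fi
    if ! printf '%s\n' "$2" | keyfile_keyids | grep -qx "$sig"; then
        echo "signed by unexpected key $sig" >&2
        return 1
    fi
    printf '%s\n' "$sig"
}

# Constructed sample data. The pub key ID is the tail of the fingerprint
# shown above; the subkey ID, package name and dates are made up.
SAMPLE_INFO='Name        : qubes-template-example
Signature   : RSA/SHA256, Mon 01 Jan 2024 00:00:00 UTC, Key ID 0123456789abcdef'
SAMPLE_KEYS='pub:-:4096:1:8B3F30F9C8C0C2EF:1466812800:::-:::scESC:
sub:-:4096:1:0123456789ABCDEF:1466985600:1719705600:::::s:'

# Real use, in the qube that holds the download:
#   check_signer "$(rpm -qpi TEMPLATE_PACKAGE_NAME)" \
#                "$(gpg --show-keys --with-colons PATH_TO_KEY)"
```

A match only shows which key ID the package header names; the qvm-template --keyring call in dom0 is still what checks the signature.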

Using qvm-template

It is also possible to use the native Qubes tools for template management.
To do this you will need to copy the key to dom0, as above, and move it:
sudo mv RPM-GPG-KEY-unman /etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman

You will also need to create the repository definition.
Create a file at /etc/qubes/repo-templates/3isec-templates.repo, with this content:

[3isec-templates]
name = 3isec Qubes Templates Repository (updates)
baseurl = https://qubes.3isec.org/rpm/r$releasever/templates
skip_if_unavailable = False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:////etc/qubes/repo-templates/keys/RPM-GPG-KEY-unman

Now you can use qvm-template or qvm-template-gui, as normal.

Rolling distros - Parrot, Arch, Kali

Templates like Parrot or Kali are based on Debian testing, and are rolling distributions.
To avoid breakage when updating, the core Qubes packages should be on hold.
This means that they will not be updated.
You can confirm this by running apt-mark showhold in the template.
apt-mark unhold will remove the hold, and allow you to update the Qubes packages.
I suggest you then restore the hold with apt-mark hold, to make sure that the Qubes packages are not removed when updating other packages.

So, while updating a template you will see that some packages cannot be upgraded because they will conflict with the Qubes packages.
Periodically, in the template, remove the hold on the Qubes packages. Update the package list with apt update and then update the Qubes packages, either manually with apt install ..., or using a manager like aptitude and selecting the Qubes packages for upgrade.
Once the upgrade has been completed, put the Qubes packages back on hold, and upgrade again.

Undoubtedly a pain, but less than the pain of breaking your qubes, and having to crawl backwards to get them working again.
Then again, if you use aptitude you can see what changes would be made and opt to retain the Qubes packages (always keep the Qubes packages), avoiding breakage that way. This depends on you looking to see what changes will be made and acting accordingly. Using apt-mark hold will take some pressure off.
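
The unhold, upgrade, re-hold cycle described above as a shell function, added here as an example and not part of the original page. It assumes every package listed by apt-mark showhold is one of the held Qubes packages, and it restores the hold even when the upgrade fails; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: run inside the template. Assumes that every package
# reported by `apt-mark showhold` is a Qubes package the template holds.
upgrade_held_packages() {
    # Remember the exact held set so the same set is put back on hold.
    held=$(apt-mark showhold) || return 1
    if [ -z "$held" ]; then
        echo "no packages on hold; nothing to do" >&2
        return 1
    fi

    # $held is deliberately unquoted: one package name per word.
    sudo apt-mark unhold $held || return 1

    # Upgrade only the packages that were held, recording any failure.
    rc=0
    sudo apt update && sudo apt install --only-upgrade $held || rc=$?

    # Restore the hold whether or not the upgrade worked, so that a later
    # upgrade cannot remove the Qubes packages.
    sudo apt-mark hold $held || return 1
    [ "$rc" -eq 0 ] || return "$rc"

    # With the hold back in place, upgrade everything else.
    sudo apt upgrade
}
```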

BlackArch tools

The BlackArch template is minimal, but is configured with the BlackArch repositories ready to use. You may want to clone the template so that you have different templates using different combinations of tools. Or you can install all the tools in one template.
You can install packages individually, or use the meta-packages, which begin with blackarch- (a helpful guide is here). For example, sudo pacman -S blackarch will install all the BlackArch tools. You probably don't want that. sudo pacman -S blackarch-scanner will install some useful scanning tools.

Parrot tools

The Parrot template is minimal, but is configured with parrot-core. You may want to clone the template so that you have different templates using different combinations of Parrot tools. Or you can install all the tools in one template.
You can install packages individually, or use the meta-packages - they begin with parrot-tools-: e.g. parrot-tools-pwn, parrot-tools-infogathering, or parrot-tools-full. Using aptitude will help you select the packages you want and resolve any issues that may arise.

Installing large templates

In 4.2, dom0 is pegged at 20G by default.
This means that you will not be able to install the larger templates, like Parrot, without taking some action.
The easiest thing to do is to increase the size of dom0. On a default install you can do this simply enough by:
sudo lvresize --size 40G /dev/qubes_dom0/root
sudo resize2fs /dev/mapper/qubes_dom0-root

For more details and options, look here.

Repository definitions and apt-cacher-ng

Very often, the repository definitions in these templates are modified to enable use of the apt-cacher-ng caching proxy. Instead of https:// the definitions have http://HTTPS/// - this is so that the caching proxy can see the request, and then connect to the repository over https. You can read about this here.
If you use apt-cacher-ng, that's fine. Everything will just work™.
If you do not use apt-cacher-ng, then you can install it using this tool.
If you do not use apt-cacher-ng, or you do not want to use it for this template, edit the repository definitions, replacing http://HTTPS/// with https://
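
One way to make the edit described above across a set of repository definition files, as an added example that is not part of the original page. The function names are hypothetical, the sample source line is constructed, and the /etc/apt paths in the closing comment assume a Debian-based template.

```shell
#!/bin/sh
# Added example: switch repository definitions from the apt-cacher-ng form
# back to direct https. Function names are hypothetical.

# List the lines under the given files/directories still in proxied form.
# Returns non-zero when none are left.
proxied_entries() {
    grep -rn 'http://HTTPS///' "$@" 2>/dev/null
}

# Rewrite http://HTTPS/// to https:// in every file under the given
# files/directories, printing the name of each file that was changed.
direct_https() {
    find "$@" -type f | while IFS= read -r f; do
        grep -q 'http://HTTPS///' "$f" || continue
        tmp=$(mktemp) || exit 1
        # Write back with cat so the file keeps its owner and mode.
        if sed 's|http://HTTPS///|https://|g' "$f" > "$tmp" && cat "$tmp" > "$f"; then
            printf '%s\n' "$f"
        fi
        rm -f "$tmp"
    done
}

# Constructed sample: one apt source line in the proxied form.
make_sample() {
    printf 'deb http://HTTPS///deb.debian.org/debian testing main\n' > "$1"
}

# Real use in a Debian-based template, as root:
#   proxied_entries /etc/apt/sources.list /etc/apt/sources.list.d
#   direct_https    /etc/apt/sources.list /etc/apt/sources.list.d
```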

Always check that the repository definitions suit your use case.

unman