index blog articles links contact

Installing Cwtch in a Qubes minimal template

first published: 2023-01-23
last updated: 2023-03-23

Install Cwtch using a debian-11-minimal template in Qubes OS.

Advantage of using a minimal template is a smaller attack surface, and a lighter resource load. This will give you a dedicated app qube, based on debian-11-minimal just for running Cwtch.

For how to install the debian-11-minimal template, check the Qubes documentation.

FYI, the command to run in dom0 to install the debian-11-minimal template is:

sudo qubes-dom0-update qubes-template-debian-11-minimal

And to clone it:

qvm-clone debian-11-minimal debian-11-minimal-cwtch

This is for version 1.10.0 of Cwtch, but shouldn't be much different from future/past versions.

Create a new template

Clone debian-11-minimal, eg to debian-11-minimal-cwtch

In dom0, run qvm-run --user root debian-11-minimal-cwtch xterm to launch a root xterm in the new template for all the following steps.

Add Tor repository

This step is optional, but recommended. If you skip this step, you will be using the LTS version of Tor that is found in the regular Debian package repository. You can add the Tor project's own package repository to your template, and that way you will have the latest stable version of Tor.

These instructions are adapted from https://support.torproject.org/apt/ and modified to work for Qubes

install curl

To do this, you'll need curl

apt update

apt install curl

add tor repositories

Note bullseye appears here, since that corresponds to debian-11. If you are using a different version of a debian-minimal template, you'll have to replace this with whatever version of Debian you are using.

echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main" >> /etc/apt/sources.list.d/tor.list

add tor signing key

curl --proxy 127.0.0.1:8082/ https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

install the package to manage tor project's signing key.

apt update

apt install deb.torproject.org-keyring

Pre-reqs

Several packages are required or recommended in order to run Cwtch. You'll need to install them in your new debian-11-minimal-cwtch:

• qubes-core-agent-passwordless-root optional, suggested for your quality of life - if you know what this is any why you don't need it, then don't bother
• qubes-core-agent-networking obvious, required for networking
• dunst optional, simple lightweight notifications - I believe you could use xfce4-notifyd if you prefer it
• libgtk-3-0 required for Cwtch's GUI
• tor required for tor
• zenity needed for a GUI so that you can save files sent to you, or pick files to send to a contact

Install these with the following commands: In the new template as root, run:

apt update

apt install qubes-core-agent-passwordless-root qubes-core-agent-networking dunst libgtk-3-0 tor zenity

When you are done, shut down the debian-11-minimal-cwtch template.

Download Cwtch

Download Cwtch from https://cwtch.im, perhaps using Tor browser in a disposable instance of whonix-ws-16-dvm

Once downloaded, you can open the containing folder for the downloads from Tor browser's download manager, and then right click in the file browser to "Open a Terminal Here" if you arn't sure how to navigate to that location in a terminal yourself. Then you can easily verify the download, and copy it out to another qube for the next step.

You can get the sha512 checksum of your download using the command:

sha512sum cwtch-v1.10.0.tar.gz modifying the filename/path for your download.

You'll get the SHA 512 hash of the file, which you can compare against the value Cwtch provides on their download page.

Install Cwtch

Create a new app qube called cwtch or whatever name you prefer.

Now, you may install cwtch into your template, or into the new app qube based on the template. It's up to you. Cwtch is just installed by running a bash script, so you don't have the usual advantage of installing a template where updates from a repository are handled by Qubes Updates - you will have to manually update cwtch.

So the only advantage to installing Cwtch directly into your template is if you might have multiple app qubes based on that template. Otherwise, just install in your app qube.

Use qvm-copy to copy your downloaded Cwtch from your disposable (or wherever you downloaded it) to either the debian-11-minimal-cwtch template, or to your cwtch app qube.

Navigate to the relevant QubesIncoming folder in the destination qube and unpack the cwtch archive using tar -xzf cwtch*

There will be a directory called cwtch created, containing all the files cwtch needs for installation.

There are two install scripts, cwtch/install-home.sh and cwtch/install-sys.sh

If you are installing Cwtch into your template, run cwtch/install-sys.sh If you are installing Cwtch into an app qube, run cwtch/install-home.sh

Remember to restart the relevant app qubes or template for Cwtch to show up in the list of App shortcuts for your cwtch app qube, just like installing any new program in Qubes. But once you are all done, Cwtch should be an option in the App shortcuts of your app qube, and it can be added to the Selected list so it will show up in your Qubes menu!

Updating

As noted, you will have to take care of updating Cwtch manually. I havn't tested it with this setup, but previously updating Cwtch was as simple as downloading and unpacking the newest archive to the same qube, and running the appropriate new installation script (either install-home.sh for an app qube or install-sys.sh for a template) - basically installing the new version over the old one. This always seemed to work, however you should probably export and backup your Cwtch profile(s) before doing this to be safe!

path: index / BLOG / Installing Cwtch in a Qubes minimal template