Advantage of using a minimal template is a smaller attack surface, and a lighter resource load. This will give you a dedicated app qube, based on
debian-11-minimal just for running Cwtch.
For how to install the
debian-11-minimal template, check the Qubes documentation.
FYI, the command to run in
dom0 to install the
debian-11-minimal template is:
sudo qubes-dom0-update qubes-template-debian-11-minimal
And to clone it:
qvm-clone debian-11-minimal debian-11-minimal-cwtch
This is for version 1.10.0 of Cwtch, but shouldn't be much different from future/past versions.
Create a new template
debian-11-minimal, eg to
qvm-run --user root debian-11-minimal-cwtch xterm to launch a root xterm in the new template for all the following steps.
Add Tor repository
This step is optional, but recommended. If you skip this step, you will be using the LTS version of Tor that is found in the regular Debian package repository. You can add the Tor project's own package repository to your template, and that way you will have the latest stable version of Tor.
These instructions are adapted from https://support.torproject.org/apt/ and modified to work for Qubes
To do this, you'll need
apt install curl
add tor repositories
bullseye appears here, since that corresponds to
debian-11. If you are using a different version of a
debian-minimal template, you'll have to replace this with whatever version of Debian you are using.
echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main" >> /etc/apt/sources.list.d/tor.list
echo " deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main" >> /etc/apt/sources.list.d/tor.list
add tor signing key
curl --proxy 127.0.0.1:8082/ https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
install the package to manage tor project's signing key.
apt install deb.torproject.org-keyring
Several packages are required or recommended in order to run Cwtch. You'll need to install them in your new
qubes-core-agent-passwordless-rootoptional, suggested for your quality of life - if you know what this is any why you don't need it, then don't bother
qubes-core-agent-networkingobvious, required for networking
dunstoptional, simple lightweight notifications - I believe you could use
xfce4-notifydif you prefer it
libgtk-3-0required for Cwtch's GUI
torrequired for tor
zenityneeded for a GUI so that you can save files sent to you, or pick files to send to a contact
Install these with the following commands: In the new template as root, run:
apt install qubes-core-agent-passwordless-root qubes-core-agent-networking dunst libgtk-3-0 tor zenity
When you are done, shut down the
Download Cwtch from https://cwtch.im, perhaps using Tor browser in a disposable instance of
Once downloaded, you can open the containing folder for the downloads from Tor browser's download manager, and then right click in the file browser to "Open a Terminal Here" if you arn't sure how to navigate to that location in a terminal yourself. Then you can easily verify the download, and copy it out to another qube for the next step.
You can get the sha512 checksum of your download using the command:
sha512sum cwtch-v1.10.0.tar.gz modifying the filename/path for your download.
You'll get the SHA 512 hash of the file, which you can compare against the value Cwtch provides on their download page.
Create a new app qube called
cwtch or whatever name you prefer.
Now, you may install cwtch into your template, or into the new app qube based on the template. It's up to you. Cwtch is just installed by running a bash script, so you don't have the usual advantage of installing a template where updates from a repository are handled by Qubes Updates - you will have to manually update cwtch.
So the only advantage to installing Cwtch directly into your template is if you might have multiple app qubes based on that template. Otherwise, just install in your app qube.
qvm-copy to copy your downloaded Cwtch from your disposable (or wherever you downloaded it) to either the
debian-11-minimal-cwtch template, or to your
cwtch app qube.
Navigate to the relevant QubesIncoming folder in the destination qube and unpack the cwtch archive using
tar -xzf cwtch*
There will be a directory called
cwtch created, containing all the files cwtch needs for installation.
There are two install scripts,
If you are installing Cwtch into your template, run
If you are installing Cwtch into an app qube, run
Remember to restart the relevant app qubes or template for Cwtch to show up in the list of App shortcuts for your
cwtch app qube, just like installing any new program in Qubes. But once you are all done, Cwtch should be an option in the App shortcuts of your app qube, and it can be added to the Selected list so it will show up in your Qubes menu!
As noted, you will have to take care of updating Cwtch manually. I havn't tested it with this setup, but previously updating Cwtch was as simple as downloading and unpacking the newest archive to the same qube, and running the appropriate new installation script (either
install-home.sh for an app qube or
install-sys.sh for a template) - basically installing the new version over the old one. This always seemed to work, however you should probably export and backup your Cwtch profile(s) before doing this to be safe!