This is similar to installing Cwtch in a debian-11-minimal template. A minimal template provides a smaller attack surface, which is good since attacks on Signal users via malicious messages are possible. It also means a dedicated qube running Signal will have a smaller memory footprint. Finally it makes it easier to run multiple instances of Signal if you have different accounts.
For how to install the debian-11-minimal template, check the Qubes documentation.
FYI, the command to run in dom0 to install the debian-11-minimal template is:
sudo qubes-dom0-update qubes-template-debian-11-minimal
And to clone it:
qvm-clone debian-11-minimal debian-11-minimal-signal
Create a new template
It's suggested that you clone debian-11-minimal, eg to debian-11-minimal-signal to have a specific template for this single-purpose qube.
In dom0, run qvm-run --user root debian-11-minimal-signal xterm to launch a root xterm in the new template for all the following steps. The following steps should all be run in this xterm terminal running in your new debian-11-minimal-signal.
To paste commands into this terminal, use Shift + Insert, that is the default paste command for xterm (and xterm is the only terminal you have in this minimal template).
Install curl
To do this, you'll need curl in the template. Run:
apt update
apt install curl
Add Signal repository
You need to run a few commands to add the Signal software signing keys and repository to the template. This is adapted from Signal's own documentation. The main differences being that I am using curl instead of wget and I am not using sudo.
First, download Signal's software signing key:
curl --proxy 127.0.0.1:8082/ https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
Put the key where it needs to be:
cat signal-desktop-keyring.gpg | tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
Add the repository:
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list
Intall Signal
Now, you can install Signal:
apt update && apt install signal-desktop
Install other required packges
You will need a few other packages in your minimal template for Signal to work.
qubes-core-agent-networkingobvious, required for networkingqubes-core-agent-passwordless-rootoptional, quality of life for working with the template in the future.dunstoptional, simple lightweight notifications - I believe you could usexfce4-notifydif you prefer it
To install all of these, run:
apt install qubes-core-agent-networking qubes-core-agent-passwordless-root dunst
After you are done installing, shut down the debian-11-minimal-signal template.
Create an app qube for Signal
Now that your template is all set, you can create a new app qube based on your template to run Signal in. You can do that from the terminal in dom0 if you like:
qvm-create --template debian-11-minimal-signal --label orange signal
Signal should show up in the "Available" list of Applications in the Qubes Settings GUI, and you can move it over to the "Selected" side to be able to launch it from your menu.
Updating
Updating the template you created using the Qubes Update tool will update Signal. Nice!
Using Signal in a minimal debian qube
First caveat is that there is no GUI file manager. If you download images or other files you are sent, and want to move, delete, or transfer them to other qubes, you will have to use the command line, eg using qvm-copy and qvm-move to transfer files to other qubes.
Second caveat is clicking links won't do anything. Normally in a template like this where there is no browser, they would open by default in your default disposable which would be really nice. Something about the way Signal tries to open links causes this to not work. You have to manually copy links out and paste them into whatever browser you want to open them in.