### Install Steam

Source: https://secureblue.dev/faq

Use this command to install the Steam client.

```bash
ujust install-steam
```

--------------------------------

### Install verification tools on Windows

Source: https://secureblue.dev/verification

Use winget to install GnuPG and coreutils. Restart PowerShell after installation to apply the changes.

```powershell
winget install -e --id GnuPG.GnuPG
winget install -e --id uutils.coreutils
```

```powershell
function sha256sum { coreutils.exe sha256sum @args }
```

--------------------------------

### Manage Docker Installation

Source: https://secureblue.dev/faq

Commands to install or uninstall Docker. Podman is recommended as an alternative.

```bash
ujust install-docker
```

```bash
ujust uninstall-docker
```

--------------------------------

### Install Dangerzone

Source: https://secureblue.dev/faq

Installs the Dangerzone utility for sanitizing potentially dangerous files.

```bash
ujust install-dangerzone
```

--------------------------------

### Commit and Tag Test Build Setup

Source: https://secureblue.dev/contributing

Use this Git command sequence to add, commit, and tag your test-build setup changes. The `-f` flag for `git tag` forces the tag to be updated if it already exists.

```bash
git add .
git commit -m "DO NOT MERGE: test-build setup"
git tag -f test-build-setup
git push origin test-build
```

--------------------------------

### Install GnuPG on Linux

Source: https://secureblue.dev/verification

Install GnuPG using Homebrew if it is not already available on the system.

```bash
brew install gnupg
```

--------------------------------

### Validate SecureBlue Setup

Source: https://secureblue.dev/post-install

Run this command to validate your SecureBlue installation and configuration.
```bash
ujust audit-secureblue
```

--------------------------------

### Install verification tools on macOS

Source: https://secureblue.dev/verification

Install GnuPG and coreutils via Homebrew, then update the PATH to include the coreutils binaries.

```bash
brew install gnupg coreutils
```

```bash
export PATH="$(brew --prefix coreutils)/libexec/gnubin:$PATH"
```

--------------------------------

### Setup USBGuard Policy

Source: https://secureblue.dev/post-install

Generate a USBGuard policy based on the currently attached USB devices, block all others, and then enable the usbguard service. This enhances security by controlling USB device access.

```bash
ujust setup-usbguard
```

--------------------------------

### Configure System DNS with Unbound

Source: https://secureblue.dev/post-install

Interactively set up system DNS resolution using Unbound. Optionally, configure the resolver for Trivalent via management policy. Choose 'Configure global DNS.' for general setup.

```bash
ujust dns-selector
```

--------------------------------

### Enable LUKS TPM2 Unlock

Source: https://secureblue.dev/post-install

Executes the setup utility for TPM2-based LUKS unlocking. Requires an AMD CPU with a dedicated TPM or Pluton chip.

```bash
ujust setup-luks-tpm-unlock
```

--------------------------------

### Rebase to Secureblue

Source: https://secureblue.dev/install

Command to switch an existing Fedora IoT or Atomic installation to a Secureblue image.

```bash
sudo bootc switch ghcr.io/secureblue/${IMAGE_NAME}:latest
```

--------------------------------

### Set Kernel Arguments for Hardening

Source: https://secureblue.dev/post-install

Apply a stable set of kernel arguments for hardening if SecureBlue was not installed via the ISO installer or if you have rebased onto SecureBlue/SecureCore. Consult the Kargs article for more information.
```bash
ujust set-kargs-hardening
```

--------------------------------

### Conventional Commits examples

Source: https://secureblue.dev/contributing

Standardized commit message formats used to maintain tidy changelogs.

```text
chore: add Oyster build script
docs: explain hat wobble
feat: add beta sequence
fix: remove broken confirmation message
refactor: share logic between 4d3d3d3 and flarhgunnstow
style: convert tabs to spaces
test: ensure Tayne retains clothing
```

--------------------------------

### Enable GNOME User Extensions

Source: https://secureblue.dev/faq

Enable support for installing and using GNOME user extensions. This functionality is disabled by default in Secureblue for security reasons. Only system extensions are trusted by default.

```bash
ujust toggle-gnome-extensions
```

--------------------------------

### Run Application with Standard Malloc

Source: https://secureblue.dev/faq

For layered packages and packages installed via brew, run an application with `ujust with-standard-malloc APP` to temporarily disable hardened_malloc for a single execution. This is a workaround for malloc issues.

```bash
ujust with-standard-malloc APP
```

--------------------------------

### Enable Kernel Modules

Source: https://secureblue.dev/faq

Use this command to enable specific kernel modules that are disabled by default. For example, enabling the 'cifs' and 'netfs' modules is required for mounting SMB shares. A reboot is necessary after enabling modules.

```bash
ujust override-enable-module cifs
ujust override-enable-module netfs
```

--------------------------------

### Restore SELinux Labels for Fonts

Source: https://secureblue.dev/faq

Ensures fonts installed in the local user directory have the correct SELinux labels.

```bash
# Quoted so a home directory path containing spaces is handled correctly
restorecon -Rv "$HOME/.local/share/fonts"
```

--------------------------------

### Toggle GHNS for KDE Themes

Source: https://secureblue.dev/faq

Enable or disable the GHNS functionality, which is used for installing KDE themes.
This feature is disabled by default due to the security risks associated with potentially malicious scripts.

```bash
ujust toggle-ghns
```

--------------------------------

### Create a test-build branch

Source: https://secureblue.dev/contributing

Commands to set up a local branch for building images by fetching the latest changes from the upstream repository.

```bash
# Add the upstream remote if it was not already added
git remote add upstream https://github.com/secureblue/secureblue

# Fetch latest changes from upstream/live
git fetch upstream live

# Create your test-build branch based on upstream/live
git switch -c test-build upstream/live
```

--------------------------------

### Build custom image

Source: https://secureblue.dev/contributing

Command to initiate the build process for a specific recipe file.

```bash
bluebuild build recipes/.yml
```

--------------------------------

### Assemble Signed Distroboxes

Source: https://secureblue.dev/faq

Provisions signed Distroboxes for integration purposes.

```bash
ujust distrobox-assemble
```

--------------------------------

### Create Admin Wheel Account

Source: https://secureblue.dev/post-install

Automatically set up a dedicated administrator account with wheel privileges. This helps prevent privilege escalation and password sniffing. You will be prompted to select a password for this account.

```bash
ujust create-admin
```

--------------------------------

### Import WireGuard VPN Configuration

Source: https://secureblue.dev/faq

Import a WireGuard VPN configuration file using nmcli. This is useful when third-party VPN clients do not correctly interact with systemd-resolved.

```bash
run0 nmcli connection import type wireguard file /path/to/vpn.conf
```

--------------------------------

### Enable Libvirt Daemons

Source: https://secureblue.dev/faq

Enables the modular daemons required for running virtual machines.
```bash
ujust set-libvirt-daemons
```

--------------------------------

### Build Docker Image Locally

Source: https://secureblue.dev/contributing

Use `podman build` to build the Docker image from the current directory. The `-t` flag assigns a tag (e.g., 'something') to the built image for easy reference.

```bash
podman build . -t something
```

--------------------------------

### List Local Docker Images

Source: https://secureblue.dev/contributing

Confirm that your image built successfully by listing all local Docker images using `podman image ls`. This command displays images, their tags, IDs, and creation dates.

```bash
podman image ls
```

--------------------------------

### Enable User Namespaces for Containers

Source: https://secureblue.dev/faq

Grants the privilege to create user namespaces, which Podman and Distrobox require to function without root.

```bash
ujust set-container-userns on
```

--------------------------------

### Configure Autoconnect for VPN

Source: https://secureblue.dev/faq

Show available network connections and set a specific VPN connection to automatically connect. Replace "Proton US123" with your actual VPN connection name.

```bash
nmcli connection show
```

```bash
run0 nmcli connection modify "Proton US123" connection.autoconnect yes
```

--------------------------------

### Enable User Namespaces for Unconfined Apps

Source: https://secureblue.dev/faq

Toggles the ability for processes in the unconfined SELinux domain to create user namespaces, which apps like Electron and bubblejail require.

```bash
ujust set-unconfined-userns on
```

--------------------------------

### Configure Podman image trust

Source: https://secureblue.dev/contributing

Commands to allow pulling the unsigned images required for local Blue-build operations.
```bash
podman image trust set --type accept docker.io/mikefarah/yq
```

```bash
podman image trust set --type accept ghcr.io/blue-build
```

```bash
podman image trust set --type accept quay.io/fedora-ostree-desktops
```

--------------------------------

### Enable Xwayland

Source: https://secureblue.dev/faq

Enable Xwayland support on GNOME, KDE Plasma, and Sway. Xwayland is disabled by default for security reasons. Enabling it may be necessary for applications that have not yet migrated to Wayland.

```bash
ujust set-xwayland on
```

--------------------------------

### Lockdown Bash Environment

Source: https://secureblue.dev/post-install

Mitigate LD_PRELOAD attacks by running this command. This provides a weak stopgap against opportunistic malware until improved SELinux policies are developed.

```bash
ujust toggle-bash-environment-lockdown
```

--------------------------------

### Enroll Secure Boot Key

Source: https://secureblue.dev/post-install

Manually enroll the SecureBlue Secure Boot key if the automatic enrollment prompt fails or does not appear during boot. Ensure Secure Boot is enabled in your BIOS.

```bash
ujust enroll-secureblue-secure-boot-key
```

--------------------------------

### Run Command with SELinux Exception

Source: https://secureblue.dev/faq

When encountering exit code 203 with `run0` and commands like `dnf`, use the `-i` flag to bypass the SELinux policy issue. Alternatively, enter a root shell first.

```bash
run0 -i
```

--------------------------------

### Clone SecureBlue Repository

Source: https://secureblue.dev/contributing

Clone the SecureBlue repository to your local machine using this `git clone` command. This is the first step for building the image locally.
```bash
git clone https://github.com/secureblue/secureblue.git
```

--------------------------------

### Rebase to Unverified Remote Image

Source: https://secureblue.dev/contributing

Use this `rpm-ostree` command to rebase your system to a container image hosted on a remote registry without signature verification. Replace the placeholders with your specific registry, image name, and branch/version details.

```bash
rpm-ostree rebase ostree-unverified-registry:ghcr.io/YOURUSERNAME/YOURIMAGENAME:br-YOURBRANCHNAME-FEDORAVERSION
```

--------------------------------

### Enable Bluetooth Kernel Modules

Source: https://secureblue.dev/faq

Enables the Bluetooth kernel modules, which are disabled by default for security.

```bash
ujust set-bluetooth-modules on
```

--------------------------------

### Enable Avahi Daemon Services

Source: https://secureblue.dev/faq

Unmask and enable the Avahi daemon socket and service to allow applications to discover network devices. These commands must be run in a root terminal (the `#` is the root prompt).

```bash
# systemctl unmask avahi-daemon.socket
# systemctl unmask avahi-daemon.service
# systemctl enable --now avahi-daemon.socket
# systemctl enable --now avahi-daemon.service
```

--------------------------------

### Check rpm-ostree status

Source: https://secureblue.dev/faq

Use this command to view information about current local deployments and remotes.

```bash
rpm-ostree status
```

--------------------------------

### Verify torrent ISO signature and checksum

Source: https://secureblue.dev/verification

Verify the signature of the torrent checksum file and validate the ISO integrity.
```bash
gpgv --keyring ./secureblue-keyring.gpg "${IMAGE_NAME}.iso.torrent-CHECKSUM"
```

```text
gpgv: Signature made Wed 04 Jun 2025 12:49:39 AM PDT
gpgv:                using EDDSA key 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41
gpgv: Good signature from "secureblueadmin "
```

```bash
sha256sum -c "${IMAGE_NAME}.iso.torrent-CHECKSUM"
```

```text
IMAGE_NAME.iso.torrent: OK
sha256sum: WARNING: 8 lines are improperly formatted
```

--------------------------------

### Create Firewall Zone for mDNS

Source: https://secureblue.dev/faq

Create a custom firewall zone to allow mDNS traffic, which is necessary for Avahi to function. This avoids opening mDNS to all connections by modifying the default zone. Run these commands in a root terminal (the `#` is the root prompt).

```bash
# firewall-cmd --new-zone=allow-mdns --permanent
# firewall-cmd --zone=allow-mdns --add-service=mdns --permanent
# firewall-cmd --reload
```

--------------------------------

### Harden Flatpak integration

Source: https://secureblue.dev/articles/flatpak

Re-applies the hardened_malloc integration for Flatpak after global overrides have been reset.

```bash
ujust harden-flatpak
```

--------------------------------

### Verify standard ISO signature and checksum

Source: https://secureblue.dev/verification

Verify the signature of the ISO checksum file and validate the ISO integrity.

```bash
gpgv --keyring ./secureblue-keyring.gpg "${IMAGE_NAME}.iso-CHECKSUM"
```

```text
gpgv: Signature made Wed 04 Jun 2025 12:49:39 AM PDT
gpgv:                using EDDSA key 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41
gpgv: Good signature from "secureblueadmin "
```

```bash
sha256sum -c "${IMAGE_NAME}.iso-CHECKSUM"
```

```text
IMAGE_NAME.iso: OK
sha256sum: WARNING: 8 lines are improperly formatted
```

--------------------------------

### Rebase to Default Branch Image

Source: https://secureblue.dev/contributing

This `rpm-ostree` command rebases your system to the 'latest' tag of your container image, typically built from the default branch of your repository.
Ensure `YOURUSERNAME` and `YOURIMAGENAME` are correctly substituted.

```bash
rpm-ostree rebase ostree-unverified-registry:ghcr.io/YOURUSERNAME/YOURIMAGENAME:latest
```

--------------------------------

### Manage Container Image Trust Policy

Source: https://secureblue.dev/faq

Configures the container image trust policy to allow or restrict specific registries. The first command accepts one registry; the second pair restores the system default policy.

```bash
run0 podman image trust set -t accept registry.fedoraproject.org/fedora
```

```bash
rm -f ~/.config/containers/policy.json
run0 cp /usr/etc/containers/policy.json /etc/containers/policy.json
```

--------------------------------

### Integrate Feature Branch into Test Build

Source: https://secureblue.dev/contributing

After developing a feature, switch back to your 'test-build' branch and integrate changes from your feature branch using either `cherry-pick` for specific commits or `merge` for the entire branch. Then push the updated 'test-build' branch.

```bash
git switch test-build
git cherry-pick  # Or simply 'git merge new-feature' for the full branch.
git push origin test-build
```

--------------------------------

### Switch to systemd-resolved DNS

Source: https://secureblue.dev/faq

Switch the system's DNS resolver back to systemd-resolved, which is the default in Fedora. This can help resolve DNS issues when VPNs conflict with other DNS configurations.

```bash
ujust dns-selector resolver resolved
```

--------------------------------

### Lock down Flatpak permissions

Source: https://secureblue.dev/articles/flatpak

Applies a global lockdown that strips Flatpak permissions by default, requiring users to grant them manually.

```bash
ujust flatpak-permissions-lockdown
```

--------------------------------

### Assign Custom Firewall Zone to Network Connection

Source: https://secureblue.dev/faq

Modify your active network connection to use the newly created 'allow-mdns' firewall zone. Replace ${UUID} and ${DEVICE} with your specific connection UUID and device name.
```bash
# nmcli connection modify uuid ${UUID} connection.zone allow-mdns
# nmcli device reapply ${DEVICE}
```

--------------------------------

### Sync Build Branch with Upstream

Source: https://secureblue.dev/contributing

This Git sequence synchronizes your 'test-build' branch with the upstream 'live' branch. It resets your local branch to match upstream, reapplies the tag defined earlier, and then force-pushes to your remote 'test-build' branch, rewriting its history.

```bash
# Make sure we're on test-build
git switch test-build

# Fetch latest changes from upstream/live
git fetch upstream live

# Reset the branch to upstream/live
git reset --hard upstream/live

# Cherry pick the tag defined before
git cherry-pick test-build-setup

# ... Cherry pick or commit changes ...

# Push, rewriting the history
git push --force-with-lease origin test-build
```

--------------------------------

### Enable FIDO2 LUKS Unlock

Source: https://secureblue.dev/post-install

Enable FIDO2 LUKS unlocking using your FIDO2 security key. This is one of two hardware-based unlocking options for your LUKS volume. It is recommended to choose only one hardware unlock method.

```bash
ujust setup-luks-fido2-unlock
```

--------------------------------

### Create New Feature Branch

Source: https://secureblue.dev/contributing

This Git workflow demonstrates creating a new feature branch from the upstream 'live' branch. It includes fetching the latest changes, switching to a new branch, and pushing it to your origin.

```bash
# Fetch latest changes from upstream/live
git fetch upstream live
git switch -c new-feature upstream/live

# ... Do the changes ...

git add .
git commit -S -m "feat: ducks can now fly"
git push origin new-feature
```

--------------------------------

### Remove KDE Splash Screen Auto-Disable

Source: https://secureblue.dev/faq

Run this command to prevent secureblue from automatically disabling the KDE splash screen when Xwayland is disabled. This is a workaround for an upstream bug.
```bash
run0 rm /etc/xdg/ksplashrc
```

--------------------------------

### Apache License 2.0 Text

Source: https://secureblue.dev/install

The legal license text governing the use of Secureblue software.

```text
Copyright 2024-2026 The Secureblue Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this software except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```

--------------------------------

### Disable Booting from USB

Source: https://secureblue.dev/post-install

Access your device's BIOS/UEFI screen to disable booting from USB devices. This can prevent unauthorized booting from live systems.

```bash
ujust bios
```

--------------------------------

### Reset global Flatpak overrides

Source: https://secureblue.dev/articles/flatpak

Reverts global Flatpak overrides, including those applied by the lockdown command. Note that this may affect other global settings.

```bash
ujust flatpak-reset-global-overrides
```

--------------------------------

### Disable Webcam Kernel Modules

Source: https://secureblue.dev/faq

Disables the webcam kernel modules; requires a system reboot to take effect.

```bash
ujust set-webcam-modules off
```

--------------------------------

### Toggle Anti-Cheat Support

Source: https://secureblue.dev/faq

Toggles the kernel.yama.ptrace_scope parameter to allow or restrict process tracing. A system reboot is required after execution.
```bash
ujust toggle-anticheat-support
```

--------------------------------

### Toggle MAC Address Randomization

Source: https://secureblue.dev/post-install

Toggle system-wide MAC address randomization in NetworkManager between 'random' and 'permanent'. Disabling it can help with network compatibility, while enabling it improves privacy.

```bash
ujust toggle-mac-randomization
```