[interim solution] I2p not available in bookworm

Problem Description
plinth/apps/i2p Installation: i2p page says, “This application is not available in your distribution.”

Are we missing i2p-router package in bookworm? If so, is there a workaround to this while still having the application controlled by FreedomBox (maybe an out-of-process install of i2p-router)?
Instructions for this are at geti2p.net

Steps to Reproduce

  1. Start with frequent-feature update/advanced apps and features enabled Bookworm FreedomBox having i2p installed via plinth (since buster)
  2. do sudo apt install -t bookworm-backports freedombox to correct automatic updates to freedombox
  3. do rerun setup on i2p from plinth
  4. do Uninstall on i2p from plinth
  5. intending to install i2p anew I now see the, “This application is not currently available in your distribution.” message. Surprise! :disappointed:

Expected Results
I expected the application to be available for installation after uninstalling the application. Sadly, it is not.

Actual results
The plinth/apps/i2p page tells me:

This application is currently not available in your distribution.

Information

  • FreedomBox version: You are running Debian GNU/Linux 12 (bookworm) and FreedomBox version 23.16. FreedomBox is up to date.
  • Hardware: intel Atom PC uname -a: Linux fbhostname 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux
  • How did you install FreedomBox?:
    • netinst debian buster
    • DEBIAN_FRONTEND=noninteractive apt install freedombox -y
    • unattended upgrade to bullseye
    • upgrade to bookworm

Additional Troubleshooting
The installation issue for i2pd does not appear to be an unresolved dependency. i2p-router package doesn’t seem to be in bookworm, however.

apt search i2p-router gives:

Sorting… Done
Full Text Search… Done

apt search i2p gives:

i2pd/stable 2.45.1-1 amd64
Full-featured C++ implementation of I2P client

aptitude shows dependency issues with i2pd installation. Bookworm distribution packages for libboost-filesystem, libboost-program-options, and libminiupnpc all appear to satisfy the install dependencies for i2pd.

There’s an open Debian bug on i2p for a security issue: “Attackers can de-anonymize i2p hidden services with a message replay attack” that probably led to removal from testing before testing became bookworm.

2 Likes

Thanks for checking bugs. It looks like FreedomBox users hosting eepsites are at risk. It is not clear to me from reading these whether http/https proxies or i2psnark are at risk. http(s) and i2psnark are not eepsites.

CVE-2023-36325: Attackers can de-anonymize i2p hidden services with a message replay attack synopsis:

If you host eepsites with Java i2p and are running older than i2p 2.3.0, update it as soon as possible.

Users of i2pd are not affected.

Debian Security Tracker for i2p synopsis:

Attackers can de-anonymize i2p hidden services with a message replay attack

Failed Workaround

You cannot successfully install and configure i2p in FreedomBox today by making the i2p packages available from the upstream source at geti2p.net. These are the geti2p.net installation instructions.

Steps

  • configure apt using instructions from geti2p.net
  • install i2p from plinth

Outcome

Plinth setup of i2p using geti2p.net packages fails with an error:

Error installing app: (‘No tunnel called I2P HTTP Proxy’, b’‘, b’\x1b[31m ERROR\x1b[0m \x1b[94m__main__ \x1b[0m Error executing action: No tunnel called I2P HTTP Proxy\nTraceback (most recent call last):\n File “/usr/share/plinth/actions/actions”, line 92, in _call\n return_values = func(*arguments['args'], **arguments['kwargs'])\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File “/usr/lib/python3/dist-packages/plinth/modules/i2p/privileged.py”, line 16, in set_tunnel_property\n .set_tunnel_idx(name) \\n ^^^^^^^^^^^^^^^^^^^^\n File “/usr/lib/python3/dist-packages/plinth/modules/i2p/helpers.py”, line 75, in set_tunnel_idx\n raise ValueError('No tunnel called {}'.format(name))\nValueError: No tunnel called I2P HTTP Proxy\n’)

Backout

sudo apt purge i2p
sudo apt-get autopurge
sudo apt purge i2p-keyring
sudo rm /usr/share/keyrings/i2p-archive-keyring.gpg
sudo rm /etc/apt/sources.list.d/i2p.list
sudo apt autopurge
sudo apt update

More i2p drama regarding packages.

The datacenter that was hosting the debian repository has not responded to my emails or phone calls and the services at deb.i2p2.de/no will need to be replaced. A new hostname will be announced when the server is back up. The workarounds listed above will continue to work for all Debian users.

Users who care deeply about restoring i2p service on Freedombox will have to wait or follow the workaround instructions in this blog post to get the packages from Ubuntu PPA servers. (see Failed Workaround) The Freedombox i2p installation did not work for me using the i2p debian packages from geti2p.net. If you do this you’ll be going out of process with Freedombox and will probably have to do some heavy housekeeping in the future to get back to Freedombox managed i2p installation.

1 Like

Successful Workaround

Summary

i2p is not currently available in Debian. This package was removed by Debian maintainers because of a security issue which creates risk only to users maintaining eepsites (i2p network web server). Users not maintaining an eepsite are not at risk of the attack method listed earlier in this thread.

A skilled Debian user can get i2p running again on their Freedombox with these instructions. This workaround does require root privilege and modification of the system from a terminal. It’s not for everybody, but it appears to be working for me.

Risk Disclosure

We are connecting apt to a new package repository. When you examine the apt changes you will see that these appear to be limited to i2p, so I do not expect Freedombox to add an unexpected package from this location.

Procedure

Reference i2p installation instruction from geti2p.net. Do not follow these instructions - they didn’t work for me.
Reference i2p workaround installation from i2p forum. We will use this one with modifications.
We will be using packages from the Ubuntu PPA Focal repository. We will:

  • Get and check the repository key
  • Add the key to the system keyring (we deviate from the published workaround here)
  • Add the Ubuntu PPA repository to apt
  • Install i2p from plinth like you normally would

Repository Key Download

We will not follow the published workaround for this step. If you do, it will work, but you will see apt complain about using the deprecated apt-key command. I took the opportunity to figure out the new way to manage repository keys.

Published Download Command

curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x474bc46576fae76e97c1a1a1ab9660b9eb2cc88b ' | sudo apt-key add -
You should copy and paste this command from the i2pforum page as discuss.freedombox.org will tamper with the quotes. If you do this it will work fine, but apt will complain about your having used the deprecated apt-key command.

New Key Download

We’ll only use the first bit of the published key download to get the public key without adding it to the apt repository. Copy and paste the command from the workaround page but delete the last part:

curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x474bc46576fae76e97c1a1a1ab9660b9eb2cc88b' | sudo apt-key add -

Next redirect the curl output to a file - your command will look like this:
$ curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x474bc46576fae76e97c1a1a1ab9660b9eb2cc88b ' > i2p-archive-ppa-focal-keyring

Be sure to remove the space between the end of the hexadecimal string and the single quote (discuss.freedombox.org changes quotes to make your post look pretty, but the syntax will be wrong for copy/paste into the command line.)

You now have a file named i2p-archive-ppa-focal-keyring in your working directory which has these contents:

Next change this file into gpg format - again you do not need to be root yet.
$ gpg --dearmor i2p-archive-ppa-focal-keyring

This will create the file i2p-archive-ppa-focal-keyring.gpg

Normally at this point best practice is to compare the key fingerprint with a published key fingerprint to be certain you are connecting to the repository to which you think you are connecting.

$ gpg --show-keys i2p-archive-ppa-focal-keyring.gpg

You should check the key fingerprint from the GPG file against the key published by the PPA repository maintainer. I skip this step because I couldn’t find this easily. If you do this - please share your results especially if the keys don’t check out.

Now we copy the .gpg key into /usr/share/keyrings (as root):

sudo cp i2p-archive-ppa-focal-keyring.gpg /usr/share/keyrings

At this point we have the encryption key for the Ubuntu PPA Focal repository configured. Next we set up apt.

Set up apt i2p repository using PPA

Create a new apt source for i2p in /etc/apt/sources.list.d named i2p.list.
$ sudo nano /etc/apt/sources.list.d/i2p.list with these contents:

deb [signed-by=/usr/share/keyrings/i2p-archive-ppa-focal-keyring.gpg] Index of /i2p-maintainers/i2p/ubuntu focal main
deb-src [signed-by=/usr/share/keyrings/i2p-archive-ppa-focal-keyring.gpg] Index of /i2p-maintainers/i2p/ubuntu focal main

Check that everything is working with $ sudo apt update

Hit:1 tor+http://deb.debian.org/debian bookworm InRelease
Hit:2 tor+http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 Index of /i2p-maintainers/i2p/ubuntu focal InRelease
Hit:4 tor+http://deb.debian.org/debian bookworm-backports InRelease
Hit:5 tor+http://security.debian.org/debian-security bookworm-security InRelease
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
All packages are up to date.

Hit:3 Index of /i2p-maintainers/i2p/ubuntu focal InRelease is what we were hoping to see.

Install i2p from plinth like you normally would.

1 Like
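
The fingerprint comparison that the workaround post describes but skips, as an added example (not part of the original post, and not code from the i2p or FreedomBox projects). It assumes the expected value is the 40-hex fingerprint in the keyserver search URL from the thread; a match shows the keyserver returned the key that was requested, not that the fingerprint belongs to the PPA maintainer, which still needs an independent source. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to install an apt keyring unless it holds exactly
# one primary key with the expected fingerprint.

# Assumption: the fingerprint from the keyserver search URL in the thread.
EXPECTED_FPR=474bc46576fae76e97c1a1a1ab9660b9eb2cc88b

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint (field 10 of the fpr record) that follows each pub record.
# fpr records that follow sub records (subkeys) are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# check_listing EXPECTED: succeed only if stdin lists exactly one primary
# key and its fingerprint equals EXPECTED (case-insensitive, optional 0x).
check_listing() {
    expected=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        # Extra keys in a signed-by keyring widen what apt will trust.
        echo "refusing: keyring holds $count primary keys, expected 1" >&2
        return 1
    fi
    if [ "$found" != "$expected" ]; then
        echo "refusing: fingerprint $found does not match $expected" >&2
        return 1
    fi
    echo "ok: $found"
}

# verify_keyring FILE [EXPECTED]: run the check against a keyring file.
verify_keyring() {
    gpg --show-keys --with-colons "$1" | check_listing "${2:-$EXPECTED_FPR}"
}

# Stand-alone use: ./check-key.sh i2p-archive-ppa-focal-keyring.gpg
if [ "$#" -gt 0 ]; then
    verify_keyring "$@"
fi
```

Run it on the dearmored file before copying it into /usr/share/keyrings, and copy only if it exits 0.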

Update: You may need to modify your firewall rules.

Your new i2p installation will be using a different pair of ports for TCP/UDP listening. You will get this from https://freedombox.local/i2p/confignet. Check for both the TCP and UDP ports. The doco says to never share this information, by the way. You will know if this is not right if your i2p router status information says, Network: Firewalled

If you have an old firewall rule for i2p with the wrong port number, delete that. Then create a new rule using the TCP and UDP ports you see from the i2p/confignet page.

1 Like