Getting HBO and Netflix to work on GNU/Linux

Edit: 2014-08: This guide is now outdated, as pipelight is included in the main Gentoo tree and no longer requires a crossdev environment to be set up.

After my Mac Mini running OS X had a failed HDD, I finally got an excuse to buy a nice Asus Vivo PC (Intel Core i5-3210M, 8GB RAM, 128GB SSD, Intel HD 4000) and install my favorite OS: GNU/Linux, specifically running the Gentoo distribution.

Now, for all the good things there are about GNU/Linux (I'm not gonna spend time on mentioning them here), there is one obvious drawback: mainstream providers such as Netflix and HBO have no native support (why aren't they just using HTML5?). Thankfully, there is a good alternative to enable these services, and that is Pipelight:

Pipelight is a special browser plugin which allows one to use windows only plugins inside Linux browsers. We are currently focusing on Silverlight, Flash, Shockwave and the Unity Webplayer. The project needs a patched version of Wine to execute the Silverlight DLL.

In addition, Pipelight supports Widevine, which is used by HBO (and, as only the DRM plugin is running in Wine, with a rather low performance hit at that).

So how to go ahead installing Pipelight on a GNU/Linux machine running Gentoo? Well, first of all we'll make sure to have layman and crossdev installed.

emerge layman crossdev

As Pipelight requires a patched version of Wine, we'll find both Pipelight and the patched version in the overlay at:

layman -o -f -a pipelight

To make sure that the overlay can be used, we make sure layman's make.conf is sourced from /etc/portage/make.conf:

echo "source /var/lib/layman/make.conf" >> /etc/portage/make.conf

Rather than following the overlay's README directly, we want to set it up using crossdev. First we make sure that package.env, package.mask, package.use and package.keywords are directories rather than simple files, and convert them if they are not:

if [[ -f /etc/portage/package.env ]]; then mv /etc/portage/package.env /etc/portage/package.env.old && mkdir /etc/portage/package.env && mv /etc/portage/package.env.old /etc/portage/package.env/generic; fi
if [[ -f /etc/portage/package.keywords ]]; then mv /etc/portage/package.keywords /etc/portage/package.keywords.old && mkdir /etc/portage/package.keywords && mv /etc/portage/package.keywords.old /etc/portage/package.keywords/generic; fi
if [[ -f /etc/portage/package.mask ]]; then mv /etc/portage/package.mask /etc/portage/package.mask.old && mkdir /etc/portage/package.mask && mv /etc/portage/package.mask.old /etc/portage/package.mask/generic; fi
if [[ -f /etc/portage/package.use ]]; then mv /etc/portage/package.use /etc/portage/package.use.old && mkdir /etc/portage/package.use && mv /etc/portage/package.use.old /etc/portage/package.use/generic; fi

Then we delete the cross-compiler part already found in the overlay using

rm -rf /var/lib/layman/pipelight/cross-i686-w64-mingw32

and set up the crossdev toolchain using

echo "=cross-i686-w64-mingw32/mingw64-runtime-3.1.0 **" >> /etc/portage/package.keywords/generic

crossdev -S -t i686-w64-mingw32

Now to install pipelight itself, we do this using

echo "=www-plugins/pipelight-9999 **" >> /etc/portage/package.keywords/pipelight
echo "app-emulation/wine-compholio ~amd64" >> /etc/portage/package.keywords/pipelight
echo "app-emulation/wine-compholio abi_x86_32" >> /etc/portage/package.use/pipelight

emerge pipelight

With that we should have a working base. Before we proceed, though, we want to install media-fonts/corefonts and app-arch/cabextract. The former in particular is necessary to get a working Netflix setup (without it, expect a player 1001 error).

emerge app-arch/cabextract media-fonts/corefonts

Now it is time to configure the actual plugin. As I intend to use this with Firefox, the last command to run with root privileges before switching back to the normal user is:

pipelight-plugin --create-mozilla-plugins

Now it is time to enable the actual plugins (as a regular user):

pipelight-plugin --enable-plugin silverlight5.1
touch $HOME/.config/wine-wininet-installer.accept-license
pipelight-plugin --enable-plugin flash
pipelight-plugin --enable-plugin widevine

The actual installation happens upon a restart of Firefox, and can be seen by visiting about:plugins.

As Netflix uses a rather primitive user agent string check, we also need to switch the user agent string before attempting to play. I'm using user-agent-overrider and set it to Windows/Firefox before attempting to visit Netflix or HBO.

Now, at this point, depending on your video card, you should be able to stream both Netflix and HBO. However, with my nouveau driver I got "Direct rendering is disabled, most likely your 32-bit OpenGL drivers haven't been installed correctly (using GL renderer "Gallium 0.4 on NVC3", version "1.4 (3.0 Mesa 9.1.6)")" when attempting to play Netflix (HBO works). It turned out I hadn't given the user in question access to /dev/dri/card0 (video group). After adding the user to the group, Netflix worked as well.

As a final note: Netflix might require xattr to be enabled on the filesystem. To test if this is enabled you can run:

touch ~/.xattr_test && setfattr -n 'user.testAttr' -v 'attribute value' ~/.xattr_test &> /dev/null; getfattr ~/.xattr_test 2>&1 | grep -q user.testAttr && echo 'It works!' || echo 'No workie!'; rm ~/.xattr_test &> /dev/null

And voilà, a working Netflix and HBO on GNU/Linux (Gentoo)!

Monkeysphere: Easing key management and improving HTTPS security

Update 2014-05-24

To make it easier to add the overlay, it is now included in Layman (make sure layman is compiled with the mercurial USE flag). It can then be added using layman -a k_f

End of Update

Lately I've been paying some more attention to Monkeysphere. Since it has been some time since my last blog post, I figured this was a good opportunity to share some new ideas.

I've already been using parts of the framework for some of my websites, including for quite some time. The reason for this is to offer an alternative to the traditional way of validating the authenticity of HTTPS server certificates, by utilizing the more decentralized approach of OpenPGP's Web of Trust (WoT). In particular with the recent Snowden/NSA/GCHQ revelations, an alternative to the Root CA (Certificate Authority) structure being used today is interesting to investigate further.

The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to, as well as each other while we work online. The suite of Monkeysphere utilities provides a framework to transparently leverage the web of trust for authentication of TLS/SSL communications through the normal use of tools you are familiar with, such as your web browser or secure shell.

For this part, Monkeysphere imports the cryptographic details from my usual X.509 SSL certificate used to identify the HTTPS connection and generates an OpenPGP certificate containing the same data, after which I've signed the OpenPGP key using my personal key and uploaded the certificate to the usual keyservers. This way, anyone who has validated my own OpenPGP key (if you don't have one of your own yet, you should create one) can find a trust path and compare the key data of the OpenPGP key to the X.509 certificate provided during SSL/TLS negotiation. When a match is found, we know that this is the intended key and can continue to browse safely.

Although it is possible to validate this manually, that can obviously be cumbersome, so I'm using the components msva-perl and the Firefox extension for Monkeysphere, titled xul-ext-monkeysphere, which automate the process. For information on how to set this up for yourself, see the documentation on Identifying secure web servers through the Web of Trust.

Somewhat more hidden from the everyday user, however, is one of Monkeysphere's greatest advantages: using OpenPGP to ease key management for the Secure Shell Protocol (SSH). As my key has an authentication subkey that I use to log into my servers, it helps me automate how I access my servers. It is prudent to utilize Public Key Infrastructure and deny any password-based authentication to get into the server, to make it more difficult for an adversary to brute-force their way into the server, or simply to reduce the resources needed on the server to handle such attempts by automated robots. By specifying a trusted introducer on each server I can specify the OpenPGP User IDs that are permitted access for a given user. This also enables me to easily add new users without requesting that they provide me with their SSH keys, and without managing the updating of such keys whenever they change across a number of servers. More importantly, if a user detects that their key is compromised and revokes it, it is automatically handled across all my servers as well, limiting the security impact. And the best part: it is rather easy to set up.
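
The server-side settings this paragraph relies on can be checked mechanically. The following is an added example, not part of the original post or of Monkeysphere itself: a POSIX shell audit of an sshd_config that verifies password logins are disabled and that authorized keys come only from Monkeysphere-generated files. The AuthorizedKeysFile path is an assumption based on Monkeysphere's admin documentation, and the function names and sample configs are constructed for illustration; Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post). sshd honours the FIRST global
# occurrence of a keyword and matches keywords case-insensitively.

# Assumption: path Monkeysphere's admin documentation uses for the
# authorized_keys files it generates from OpenPGP User IDs.
MS_KEYS='/var/lib/monkeysphere/authorized_keys/%u'

# sshd_effective FILE KEYWORD DEFAULT -> effective global value of KEYWORD
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(want) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # strip the keyword
            sub(/[ \t]+$/, "")                  # strip trailing blanks
            print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 only if both checks pass
audit_sshd() {
    rc=0
    pw=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    keys=$(sshd_effective "$1" AuthorizedKeysFile .ssh/authorized_keys)
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication $pw"; rc=1; }
    # Any additional path would accept keys that bypass OpenPGP revocation.
    [ "$keys" = "$MS_KEYS" ] || { echo "FAIL: AuthorizedKeysFile $keys"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-only login, Monkeysphere-managed keys"
    return "$rc"
}

# Constructed sample configs (not taken from any real server).
write_samples() {
    printf '%s\n' '# the later "no" does not override the first "yes"' \
        'passwordauthentication yes' 'PasswordAuthentication no' \
        "AuthorizedKeysFile $MS_KEYS .ssh/authorized_keys" > "$1/weak"
    printf '%s\n' 'PasswordAuthentication no' \
        "AuthorizedKeysFile $MS_KEYS" \
        'Match User backup' '    ForceCommand internal-sftp' > "$1/hardened"
}

dir=$(mktemp -d) && write_samples "$dir"
for f in weak hardened; do
    echo "== $f"; audit_sshd "$dir/$f" || true
done
rm -rf "$dir"
```

To audit a real server, call audit_sshd with the path to its sshd_config instead of the sample files.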

Monkeysphere also works for authenticating the server itself based on the Host key for SSH so that I don't have to remember the fingerprint of the host key whenever I clear out my known_hosts file.
If you haven't already, I recommend looking into this approach. If you're using Gentoo, as I am on most of my servers, I've created a repository for a Portage Overlay available at

In order to use this, you'll want to pull the repository into some location using

hg clone

You can then create a symlink to e.g. /usr/local/portage and include this in your /etc/portage/make.conf file using


you should then be able to emerge the packages using e.g.

emerge monkeysphere

Note that for now I've masked the packages with the ~arch attribute, so you'll need to unmask them as per instructions provided by portage, or by adding the following to your /etc/portage/package.accept_keywords in order to unmask all packages in this overlay for your ~arch:


In order to update the repository and get updates you'll want to run

hg pull && hg up

in your local repository directory from time to time before updating your installed packages.