OnionShare Whonix integration development discussion

Made a feature request:

Instructions on getting onionshare to work in Whonix progressed far although they are still unfinished: Next - Whonix

Help would be welcome with the following two required control port filter Python features that are missing to add onionshare support.


…since I am busy with various stuff, and since @troubadour is busy with various stuff and our new…

SourceForge help wanted post: https://sourceforge.net/p/forge/helpwanted/programmers/thread/34928768/

Lots of progress has been made. There is a very good chance it will work in Whonix 14.


For reference:
https://phabricator.whonix.org/T561
https://phabricator.whonix.org/T581
https://phabricator.whonix.org/T448
https://phabricator.whonix.org/T446
https://phabricator.whonix.org/T574
https://phabricator.whonix.org/T594
https://phabricator.whonix.org/T445


maybe future work:
https://phabricator.whonix.org/T564

1 Like

ongoing discussion:
decide if we should install onionshare by default in Whonix 14
⚓ T595 install onionshare by default in Whonix 15


Won’t make it into Whonix 14. Unfortunately, it is not available from Debian stretch.

https://packages.debian.org/search?keywords=onionshare

Does anyone know why?

Weird. It’s on every Debian version except current stable…

Attempts to build it on Stretch are failing:

3 Likes

Tails is using the onionshare from sid:
It seems Tails enables all the repositories and then uses pin-priority to control where a package should be downloaded and installed from.

cat config/chroot_apt/preferences:

Package: onionshare
Pin: release o=Debian,n=sid
Pin-Priority: 999

Is this a feature that is nice to have in Whonix? Or do we have any concern causing us not to adopt this approach?

2 Likes

As far as I know, Tails doesn’t support full upgrades. Only point release
upgrades. So not comparable wrt upgrades and pinning.

Apt pinning is too complicated and must be avoided. Reasoning:

2 Likes

For those who would like to use or try onionshare…

After cloning Micah’s repository and building the package, there was an issue running it.

I don’t know which version of onionshare the .d onion-grater white list 40_onionshare.yml was written for, but with version 1.2 (as stated in the GUI), I had to add a line to the ADD_ONION command.

Mimicking NEW:BEST Port=

      - pattern: 'NEW:RSA1024 Port=80,(176[0-5][0-9])'
        replacement: 'NEW:RSA1024 Port=80,{client-address}:{} Flags=DiscardPK'
2 Likes
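
How an allow-list rule like the one in the post above constrains ADD_ONION, as an added example that is not part of the original thread and is not onion-grater's own code. It assumes a rule must match the whole argument string and that `{}` is filled from the capture group; `filter_add_onion`, `BEST_ONLY` and the address 10.152.152.11 are constructed for illustration.

```python
import re

# Rule copied from the post above (one YAML list item, written as a dict).
RULE = {
    "pattern": r"NEW:RSA1024 Port=80,(176[0-5][0-9])",
    "replacement": "NEW:RSA1024 Port=80,{client-address}:{} Flags=DiscardPK",
}

# Constructed by analogy with the "NEW:BEST Port=" line the post mentions;
# the real file's exact text is not shown on the page.
BEST_ONLY = {
    "pattern": r"NEW:BEST Port=80,(176[0-5][0-9])",
    "replacement": "NEW:BEST Port=80,{client-address}:{} Flags=DiscardPK",
}


def filter_add_onion(args, client_address, rules=(RULE,)):
    """Return the rewritten ADD_ONION arguments, or None if no rule allows them.

    Assumption: a pattern has to cover the entire argument string, so
    anything appended to an otherwise valid request causes a rejection.
    """
    for rule in rules:
        match = re.fullmatch(rule["pattern"], args)
        if match is None:
            continue
        replacement = rule.get("replacement")
        if replacement is None:
            return args  # allowed unchanged
        # The target host is never taken from the client: it is always
        # replaced by the address the request came from.
        return replacement.format(
            *match.groups(), **{"client-address": client_address}
        )
    return None


if __name__ == "__main__":
    workstation = "10.152.152.11"  # constructed sample client address
    for sample in (
        "NEW:RSA1024 Port=80,17634",            # port inside 17600-17659
        "NEW:RSA1024 Port=80,22",               # port outside the range
        "NEW:RSA1024 Port=80,127.0.0.1:17634",  # client-chosen target host
        "NEW:RSA1024 Port=80,17634 Flags=Detach",
    ):
        print(repr(sample), "->", filter_add_onion(sample, workstation))
    # A profile that only knows NEW:BEST rejects the RSA1024 request.
    print(filter_add_onion("NEW:RSA1024 Port=80,17634", workstation, (BEST_ONLY,)))
```
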

Btw for those who don’t know (information not connected here), instructions can be found here:

Next - Whonix


Thanks!

0.9.2 most likely.

1 Like
1 Like

It seems onionshare will land on stretch-backports but not stretch:

1 Like

A regression about showing the Whonix advice if onion-grater profile is not active yet in Whonix 15 / Debian buster based.

Added support for OnionShare in “bundled Tor” configuration which is the default in Debian buster version of OnionShare.

Installing onionshare issue on Whonix 14 "there was an error with Tor: SET EVENTS rejected HS_DESC" · Issue #829 · onionshare/onionshare · GitHub

This will come through Whonix 15 package upgrades at some point in future.

1 Like

Over on tor-dev, this thread makes it very clear that v2 onions are plain dangerous for various reasons.

https://lists.torproject.org/pipermail/tor-dev/2020-May/014322.html

I note this because the current version of OnionShare from Debian buster (v1.3.2) installed in Whonix defaults to legacy v2 as you can see in my screenshots recently added.

(Which is funny, since if you have a much later Tor version >3.5.X like that provided by Whonix, it is apparently meant to default to v3? Maybe that is only for later OnionShare software version?)

So I guess this might be something where we recommend users default to a later installed version from Sid? (v2.2-2) and take their chances. Bullseye has v2.2. Otherwise they are at real risk of having their ass hacked by capable adversaries.

Debian bullseye = Debian sid = onionshare 2.2-2 at time of writing.

Yes. v2 vs v3 is entirely up to OnionShare, I think. Debian bullseye version uses v3 if I am not mistaken.

Could go back to manual installation instructions.

Outdated, Deprecated, Archived Whonix Documentation.

Can also consider to no longer install by default in Whonix until Whonix is based on Debian bullseye.

1 Like

OnionShare wiki page issues

Why not just use Flatpak for latest version instead (in the appendix part)? Micah has removed build dependencies information for OnionShare - can’t find them anywhere for v2.3.1. They are just pushing snap and flatpak instead for Linux.

This would be easy in non-Qubes-Whonix (only a few steps - see below).

Of course in Qubes-Whonix the AppVM steps would need to be done every time, but at least you have latest, fully-functional, secure, v3 onions version. The Debian version is ancient and even next testing version is still only v2.2.

With the next Debian release due soon, that means we’ll be stuck with v2.2 for a couple more years - not good enough, because anonymous chat is only available in v2.3 and it is arguably far better/secure than the messengers we recommend in the wiki.

This works →

In whonix-ws-15-onionshare TemplateVM:

sudo apt-get install flatpak

In whonix-ws-15-onionshare AppVM (not allowed in TemplateVM, any way around that?):

Add the Flathub repository:

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Install in AppVM (can’t be done in TemplateVM again, any way around that?):

flatpak install flathub org.onionshare.OnionShare

Run in AppVM:

flatpak run org.onionshare.OnionShare

Tested and works nicely with v2.3.1

A pain, but v1.3.2 in Debian is hopelessly out-of-date i.e. doesn’t allow receiving files anonymously, anonymous websites or anonymous chat and only legacy v2 onions i.e. useless by comparison and a security risk.

Also, flatpak instructions are far easier than that build stuff we have on the relevant wikipage right now. If you don’t like the steps above, would this work in both Qubes-Whonix and non-Qubes-Whonix? →

https://docs.onionshare.org/2.3/en/install.html#install-in-linux

You can also download and install PGP-signed .flatpak or .snap packages from Index of /dist/ if you prefer.

I guess for Qubes → download in AppVM, get Micah’s key, verify, copy to TemplateVM, install (for persistence). Dunno, I never use Flatpak.

Random error

Do you see this when trying to run standard onionshare in Whonix 15? (I guess I installed Firejail at some stage…). Doesn’t happen with later OnionShare versions > v1.3.2.

Type: “whonix” for help.
uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:
uwt INFO: Stream Isolation: Easy
user@host:~$ onionshare-gui
Reading profile /etc/firejail/onionshare-gui.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2023, child pid 2024
Child process initialized in 78.28 ms
/usr/lib/uwtwrapper: line 327: /sbin/ifconfig: Permission denied

Parent is shutting down, bye…

1 Like