Testers-wanted! Whonix 8 Release candidate #1 Whonix 7.7.8.6

[html]

Download

VirtualBox

Whonix-Gateway for VirtualBox

Whonix-Gateway for VirtualBox signature

Whonix-Workstation for VirtualBox

Whonix-Workstation signature

KVM / Qemu

Entirely untested! This is only useful if you have a developer’s mindset!

This is the first time .qcow2 images are available (as .tar.gz, qcow2 image and signature must be unpacked):

http://sourceforge.net/projects/whonixdevelopermetafiles/files/whonix-7.7.8.6/

We have unfinished(!) instructions for KVM:

https://www.whonix.org/wiki/KVM

There are still a few blockers before using Whonix with KVM can be considered sane:

https://www.whonix.org/wiki/Dev/KVM

Please help out solving them. Whonix also needs a maintainer to support using Whonix with KVM.

If you want to upgrade existing Whonix version

Sorry, upgrading from an existing Whonix version (0.5.6, 7, etc.) to 7.7.8.0 (and 8 when it’s released) will not be possible.

If you want to build images from source code

See https://www.whonix.org/wiki/Dev/BuildDocumentation_8 and use git tag 7.7.8.7.

(7.7.8.7 only contains a minor build script fix. It is otherwise the same as 7.7.8.6.)

Physical Isolation users

Use Debian stable instead of testing, use git tag 7.7.8.7 and see https://www.whonix.org/wiki/Physical_Isolation.

Changelog between Whonix 7 and Whonix 7.7.8.6 (testers-only version)

  • Whonix is now based on Debian stable instead of Debian testing.
  • In new installations, automatic updates of Whonix’s debian packages are disabled by default. During first start, users can decide if they want to enable Whonix’s APT repository or want to leave it disabled.
  • Fixed Whonix’s Tor Browser download and start script for TBB 3.5.
  • Fixed physical isolation build script.
  • Verifiable Builds. Whonix now has a feature which allows the community to check that Whonix .ova releases are verifiably created from the project’s own source code. Also made Whonix’s APT repository verifiable (even deterministic!). Please see Verifiable Builds - Whonix for details.
  • Made Whonix build script configurable (can now build terminal-only Whonix-Gateways and/or Whonix-Workstations; 64 bit builds and more).
  • Improved Whonix News’s security. All Whonix News Files are now inside one tarball, which is signed. This stops leaking how many users are using a particular version.
  • whonixcheck’s Whonix News download now checks if Whonix News are still valid (currently up to 4 weeks) and therefore detects indefinite freeze and replay attacks.
  • whonix_repository tool now has a graphical user interface; added more command line switches.
  • Set default locale to en_US.UTF-8.
  • Simplified custom user installation of TorChat, thanks to dummytor. (Protecting from Tor over Tor.)
  • Removed apper and synaptic from default installation, because they are too confusing / have too many bugs and do not always work in all cases for all users (#104). They can still be manually installed if wanted; see also Dev/Automatic Updates - Kicksecure.
  • whonixcheck: more configuration options; any function can now be disabled. This is useful for users who wish to disable the control port filter proxy: they can disable the check_tor_bootstrap function.
  • whonixcheck: added protection against possibly malicious strings from check.torproject.org (in case of a bug, compromise of the check.tpo server or CA compromise). IP strings are now max 50 characters long. The user will be warned in case the limit is exceeded.
  • Whonix-Workstation: no longer installing Tor Browser by default; this simplified implementing verifiable builds (#113). Installing iceweasel by default, which can be used to download Tor Browser; added a local iceweasel browser homepage saying that iceweasel should not be used for anything other than downloading Tor Browser, unless one knows what one is doing.
  • Removed galternatives from whonix-workstation-default-applications, because galternatives has been (temporarily) removed from Debian testing, to make the build script more resistant to upstream changes and also to make Whonix verifiable.
  • The Whonix Team can now use separate keys for Whonix’s APT Repository and Whonix News.
  • Added technical documentation about keys in Whonix: whonix_shared/usr/share/whonix/keys/readme.
  • New man page: man/whonix_shared/sdwdate.8.ronn
  • Deactivated maximizing windows by dragging them to the top of the screen, to prevent users from accidentally maximizing their browser window when they are using resolutions higher than 1024×768. See Higher Screen Resolution without VirtualBox Guest Additions; https://github.com/Whonix/Whonix/issues/110 and Prompt if Tor Browser is Maximized (#7255) · Issues · Legacy / Trac · GitLab for more information. #108
  • Added udisks to whonix-shared-packages-recommended for mounting removable drives.
  • KDE settings changes, set to oxygen as suggested by scarp in “[Whonix-devel] Plastique kwin style & Widget Style”.
  • whonixcheck: increased timeout for the tor bootstrap.py utility from 5 to 10 seconds to make it compatible with slow systems, as per bug report https://www.whonix.org/wiki/Special:AWCforum/st/id248/whonixcheck%3A_tor_bootstrap_statu….html
  • whonixcheck: Whonix News File is now deterministic.
  • whonixcheck: Whonix News: added timeout for gpg and tar.
  • Added secure-delete, because it contains sfill, which can be used to zero out free space, which is required for disk shrinking.
  • Deactivated running update-command-not-found during build, since it is not deterministic (verifiable). Manually running it is of course still possible.
  • whonix_shared/etc/apt/sources.list.d/torproject.list: removed the “deb Index of /torproject.org tor-0.2.4.x-jessie main” repository, since that repository has been removed by The Tor Project (Tor is now in their Debian testing repository, which is already added).
  • Fixed a bug reported by scarp: whonix_shared/usr/share/whonix/postinst.d/70_disable_kdm_autostart was not disabling display managers other than kdm. Now using the more generic /usr/lib/whonix/display-manager-dpkg-post-invoke.
  • msgcollector: fix race condition not always closing the progress bar when it reached 100%.

USE_AA_EXEC="no" can be commented out when that bug gets fixed.

  • Optionally (opt-in) building qcow2 images; first rudimentary implementation. The build target (VirtualBox or qcow2 or both) should probably be configurable in the whonix_build script (#122).
  • Whonix News Blog Download / Whonix News: Whonix News Blogs (Whonix Feature Blog and Whonix Important Blog) are now deployed over the same mechanism as Whonix News.
  • Whonix-Workstation: better implementation of dummytor using config-package-dev (might break compatibility with Whonix 7).
  • Removed adrelanos’ old key; removed whonix_shared/usr/share/whonix/postinst.d/70_legacy (breaks compatibility with Whonix 7).
  • Re-implemented uwt and dummytor using config-package-dev instead of custom dpkg-diversions. Breaks compatibility with Whonix 7.
  • Removed rawdog and pandoc since no longer required.
  • Moved misc scripts (scripts for managing Whonix’s official repository and Whonix News; debug scripts; developer documentation and deprecated code) to GitHub - Kicksecure/developer-meta-files: Scripts for managing derivative official repositor; debug scripts; developer documentation
  • whonixcheck: do not show output of gpg for Whonix News verification.
  • whonixcheck: do not start whonixcheck if whonixsetup hasn’t finished yet.
  • whonixcheck: new --verbose / --debug options.
  • whonixcheck: check that /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv6/ip_forward aren’t set to 1, to prevent users from shooting themselves in the foot.
  • whonixsetup: start whonixcheck at the end of whonixsetup on Whonix-Workstation.
  • torbrowser: hide output of gpg import; ask “Start Tor Browser yes/no” after upgrading.
  • torbrowser: added timeout to gpg to prevent endless data attacks.
  • torbrowser/whonixcheck: alternative method of detecting the locally installed Tor Browser version. When $tbb_folder/Docs/version does not exist, i.e. when the user manually downloaded Tor Browser, try to detect the version number from ~/tor-browser_en-US/Docs/sources/versions.; comment
  • desktop: higher resolution icons for whonix_repository, whonixcheck, contribute and donate, whonix gateway firewall, tb recommend, important blog and torbrowser.
  • qcow2 images: added metadata preallocation.
  • qcow2 images: added “-o cluster_size=2M” to “qemu-img” for better performance.
  • build script: fix “sudo: unable to resolve host debian”.
  • build script: added --no-options to gpg to avoid conflict with the user’s gpg config files.
  • build script: added benchmarking.
  • build script: whonix_build_both: support extra parameter.
  • build script: got rid of grml_config by using grml-debootstrap’s new environment variables feature.
  • build script: skip the backup-img-after-grml-debootstrap and backup-img-after-meta-package-install build steps by default; they can be re-enabled by the builder.
  • build script: allow running build-steps.d/2400_convert-img-to-qcow2 without root.
  • verifiable builds: new build step build-steps.d/2350_cleanup; get rid of the /dev folder inside the VM image. This is only required for verifiable builds; otherwise this could be skipped. For example, “sudo sha512sum /dev/xconsole” or “sudo sha512sum /dev/initctl” would run forever. The /dev folder gets recreated by the kernel upon first boot.
  • Improved messages.
  • Lots of smaller fixes.
  • Code refactoring.
  • For more details, see the git log.


    [/html]
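Three of the whonixcheck changes listed in the changelog (the ip_forward sysctl check, the 50-character cap on the IP string returned by check.torproject.org, and the 4-week validity window that bounds freeze and replay of Whonix News) can be shown together in a small POSIX shell script. This is an added example, not code from the Whonix project or from this post; the function names, the caller-supplied file paths and timestamps, and the character-set check on the IP string are assumptions that go slightly beyond what the changelog states.

```shell
#!/bin/sh
# Added example, not part of Whonix or the original post: whonixcheck-style
# sanity checks. File paths and timestamps are passed as parameters so the
# functions can be exercised on constructed inputs; the limits are the values
# the changelog states (50 characters, 4 weeks).

MAX_IP_LEN=50                           # cap on the IP string from check.torproject.org
MAX_NEWS_AGE=$((4 * 7 * 24 * 60 * 60))  # 4 weeks, in seconds

# check_ip_forward FILE
# FILE is a sysctl file such as /proc/sys/net/ipv4/ip_forward (path supplied
# by the caller). Returns 0 when the file is absent or reads 0, and 1 with a
# warning when it reads 1: a forwarding Gateway could route Workstation
# traffic around Tor.
check_ip_forward() {
  file="$1"
  [ -r "$file" ] || return 0
  read -r value < "$file" || value=""
  if [ "$value" = "1" ]; then
    echo "WARNING: $file is set to 1 (IP forwarding enabled)" >&2
    return 1
  fi
  return 0
}

# check_ip_string STRING
# Refuses over-long strings, as the changelog describes, and (an assumption
# beyond the changelog) anything outside the characters an IPv4/IPv6 literal
# can contain, so a buggy or compromised server cannot push arbitrary text
# into a user-facing message.
check_ip_string() {
  s="$1"
  if [ "${#s}" -gt "$MAX_IP_LEN" ]; then
    echo "WARNING: IP string longer than $MAX_IP_LEN characters; not displaying it" >&2
    return 1
  fi
  case "$s" in
    "") echo "WARNING: empty IP string" >&2; return 1 ;;
    *[!0-9a-fA-F:.]*) echo "WARNING: IP string contains unexpected characters" >&2; return 1 ;;
  esac
  return 0
}

# check_news_age SIGNED_TIME NOW
# SIGNED_TIME is the Unix time recorded inside the signed news tarball
# (assumed field), NOW the current Unix time. A valid signature alone does not
# prove freshness: replaying an old tarball, or freezing the download at one
# version forever, still presents a good signature. Rejecting anything older
# than MAX_NEWS_AGE (or dated in the future) bounds how long that works.
check_news_age() {
  signed="$1"
  now="$2"
  age=$((now - signed))
  if [ "$age" -lt 0 ]; then
    echo "WARNING: news timestamp lies in the future" >&2
    return 1
  fi
  if [ "$age" -gt "$MAX_NEWS_AGE" ]; then
    echo "WARNING: news is ${age}s old (limit ${MAX_NEWS_AGE}s); possible freeze or replay" >&2
    return 1
  fi
  return 0
}

# run_checks IP_STRING SIGNED_TIME
# Runs all three checks the way whonixcheck would, using the sysctl paths
# named in the changelog (a missing file counts as forwarding off). Returns 1
# if any check failed. Only invoked when the script is started with "demo".
run_checks() {
  status=0
  check_ip_forward /proc/sys/net/ipv4/ip_forward || status=1
  check_ip_forward /proc/sys/net/ipv6/ip_forward || status=1
  check_ip_string "$1" || status=1
  check_news_age "$2" "$(date +%s)" || status=1
  return "$status"
}

if [ "${1:-}" = "demo" ]; then
  # Constructed inputs: a documentation-range IPv4 address and a news
  # timestamp from one hour ago.
  run_checks "203.0.113.7" "$(( $(date +%s) - 3600 ))" && echo "all checks passed"
fi
```

Run it as `sh whonixcheck-demo.sh demo` (any file name works) to see the live checks; sourcing the file without the argument only defines the functions. The point of the age check is the one the changelog makes: signature verification answers "who produced this?", not "is this the current one?", so a freshness bound is what turns a signed news file into a freeze- and replay-resistant one.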

Can you push 7.7.8.7 to Whonix/Whonix so I can use that for the Wiki instructions set?

Done.

Out of curiosity, to avoid using Iceweasel for downloading TBB, I have tried the ‘Tor Browser Updater’. It goes as far as downloading the signature, and then:

###########################################################
## torbrowser script bug.
## No panic. Nothing is broken. Just some rare condition
## has been hit. Try again later. There is likely a
## solution for this problem. Please see the Whonix News,
## Whonix User Help Forum and Whonix Documentation.
## https://www.whonix.org/wiki/Tor_Browser
## Please report this bug!
##
## BASH_COMMAND: wait "$!"
## exit_code: 22
##
## output: /usr/lib/whonix/msgcollector
## output_opts: --icon /usr/share/whonix/icons/tbupdate.ico --parentpid 10726 --identifier torbrowser --parenttty none 
## progressbaridx: fB9yzsyXJi
##
## Experts only:
## bash -x torbrowser
###########################################################

I would like to test Whonix 7.7.8.6, because I hate the Debian-Testers-OS, I get sick about downloading the updates every day in any Whonix clone.

BUT is Whonix 7.7.8.6 safe to use? Is there any danger of IP leaks or other safety risks?

I guess I need to git clone Whonix/Whonix instead of adrelanos/Whonix? adrelanos/Whonix is at 7.7.6.4, Whonix/Whonix is at 7.7.8.7. Build documentation is a bit confusing here.

EDIT: adrelanos.asc imported (it’s neither in adrelanos/Whonix nor in Whonix/Whonix) > downloaded from https://www.whonix.org/adrelanos.asc
git tag -v 7.7.8.7 > gpg: Can’t check signature: public key not found

EDIT2: another try via “gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 9B157153925C303A42253AFB9C131AD3713AAEEF” > gpg: Can’t check signature: public key not found

~Cerberus.
https://www.whonix.org/wiki/Jekyll:Sandbox#Building_from_source

Those are for inside VM build instructions (which I would be thrilled if you could test) but the git procedure is the same.

You clone from Whonix/Whonix and select git tag 7.7.8.7.

GPG key - there is a new one. https://www.whonix.org/wiki/Adrelanos

cd Whonix
gpg --recv-key 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
git tag -v 7.7.8.7

~dotcom
There should be no major flaws since it’s an update.

~adrelanos
Some Wiki changes are pending and if you could create a new page - https://www.whonix.org/wiki/Dev/BuildDocumentation_8_RC

Also update adrelanos.asc with the new key. GPG key changes in the wiki are messy. It’s either resigning the Whonix 7 images or dropping support for Whonix 7 (my choice).

Dead entries should be deleted and remaining ones updated with the new key.

@Occq
Now, this worked out! Thanks a lot (also for the updated build instructions). I have to say, that new signing key is really well hidden :wink:

I’m currently building the Gateway part (physically isolated), Workstation is next. I’m undecided thus far if I’m going to build it from source (inside VM) or use the DL version. Whatever it takes to get rid of KDE :stuck_out_tongue: Will get back to you!

~Cerberus.

No problem! Instructions for physical isolation are very similar (different last command), so I hope they will help you and that the text is clear and on point.

Comment on Build Documentation: Physical Isolation

grep -r eth0* *
grep -r eth1* *

Wrong regular expression. Throws lots of irrelevant configuration files.

* The preceding item will be matched zero or more times.

Should instead read:

[code]grep -r eth0 *
grep -r eth1 *[/code]

Build failed. build-steps.d/1200_create-debian-packages complains about uncommitted changes …

whonix_gateway/etc/network/interfaces.whonix
whonix_gateway/usr/bin/leaktest
whonix_gateway/usr/bin/whonix_firewall

I do need to change these due to specific network configuration. How to start over here, i.e. fix it?

EDIT: (I hope) I have it. If someone else comes across this (git seems to be very different to svn), do this:

git config user.name 'Your name'
git config user.email 'my@email.com'
git status ## see uncommitted changes
git add ## uncommitted changes, one by one
git commit -s

EDIT2: Obviously my mistake. I missed Build Documentation: Physical Isolation

Again, build failed. This time build-steps.d/2000_install-files-packages is failing. Last thing I see is

+ true 'INFO: Skipping script, because BARE_METAL=1: /home/user/Whonix/help-steps/unmount-img'
+ exit 0
++ echo 'ERROR in ./build-steps.d/2000_install-files-packages! Aborted.'
'ERROR in ./build-steps.d/2000_install-files-packages! Aborted.'
++ exit 1
run-parts: ./build-steps.d/2000_install-files-packages exited with return code 1
++ error_handler_build_machine
+++ caller
++ : echo ' BASH_COMMAND: run-parts --verbose --exit-on-error ./build-steps.d ERROR ./whonix_build: | caller: 45 ./whonix_build '
++ exit 1

Sorry, I need to type this by hand. Any support?

EDIT: additional info to tech support :wink:

  • building gateway on bare metal
  • Debian stable 7.4.0
  • terminal-only, apt-repo on, no-report, everything else on default

~Cerberus.

Can you scroll up a bit? Your excerpt does not show exactly what the script was doing when it broke. This is more of an exit message in a way.

I’m guessing something went wrong since you modified the default packages.

## NOTE:
## If you make changes here, do not forget to update
## whonix_build_grml_sources_list in buildconfig.d/30_apt as well.

Unfortunately not. I’m in the CLI. Also, I guess I made a mistake just now = rebooting. A Whonix (obviously broken) comes up. Sounds like I’m on square one again (including a 5-6 hrs session to re-format the encrypted storage), or do you have any other ideas?

[quote=“troubadour, post:4, topic:67”]Out of curiosity, to avoid using Iceweasel for downloading TBB, I have tried the ‘Tor Browser Updater’. It goes as far as downloading the signature, and then:

[code]
###########################################################
torbrowser script bug.
No panic. Nothing is broken. Just some rare condition
has been hit. Try again later. There is likely a
solution for this problem. Please see the Whonix News,
Whonix User Help Forum and Whonix Documentation.
Tor Browser Essentials
Please report this bug!

BASH_COMMAND: wait “$!”
exit_code: 22

output: /usr/lib/whonix/msgcollector
output_opts: --icon /usr/share/whonix/icons/tbupdate.ico --parentpid 10726 --identifier torbrowser --parenttty none
progressbaridx: fB9yzsyXJi

Experts only:
bash -x torbrowser
###########################################################
[/code][/quote]
It is most unfortunate to have this bug in the current testers-only version. This will be fixed in the final.

You can also change to the Whonix testers repository. It currently contains 7.7.8.9, where this bug has been fixed.
Start Menu → Applications → System → Whonix Repository

BUT is Whonix 7.7.8.6 safe to use? Is there any danger of IP leaks or other safety risks?
Unlikely. But we make this testing session, so someone may report such an issue.

~Cerberus.

Can you run the script again, appending a log?

sudo ./whonix_build --tor-gateway --bare-metal --build >> /home/user/log-gateway 2>> /home/user/log-gateway

Looking at my previous logs, 2200 does a lot of things so it’s hard to pinpoint without the actual log.

@Cerberus, using the 7.7.8.6 tag by chance? Won’t work. (Easy workaround, but forget about it, use 7.7.8.7 instead.) Please use 7.7.8.7 instead (contains a small build script fix) or 7.7.8.9 (additionally contains Tor Browser fix).

You obviously edited your post.
I did? No. If you didn't mean me, nevermind.

[quote=“Occq, post:13, topic:67”][code]
NOTE:
If you make changes here, do not forget to update
whonix_build_grml_sources_list in buildconfig.d/30_apt as well.
[/code][/quote]
Should not be of concern. It means that if you edit whonix_shared/usr/share/whonix/build_sources/debian_stable_frozen.list, you must edit the variable whonix_build_grml_sources_list in buildconfig.d/30_apt as well. This is only of interest in the context of Build and Update Whonix from Source Code.

Also, can I build again with a half-baked whonix running after reboot?
Depends on many things. Not all steps are idempotent. Should work in most cases. For final/production builds I prefer to finish in one run.

Occq, I agree, let’s deprecate the Whonix 7 build instructions. I am eager to deprecate Whonix 7 altogether, after this little testing session and after the final RC, which could be the next version. (I plan to build the next RC as Whonix 8, and if it works well, which I guess it will, bless it stable.)

@adrelanos
I’m actually building 7.7.8.7, not 7.7.8.6.