I met Patrick at the 32c3 and he asked me about how I would implement a Windows installer for Whonix. I’m currently involved in a rather complex install package creation for a commercial p2p cloud storage software, so I got some exercise.
I would recommend InnoSetup because some scripting is needed i.e. for downloading files.
This is a rather liberal open source license, mainly about attribution.
For downloading external files I’d use this extension:
Right. Primarily @JasonJAyalaP and I are working on a funding request. The idea was to get funded to have a Windows based installer, that would install VirtualBox, download and import Whonix VMs.
Inno Setup looks like the BSD 4 clause license. Should really be a non-issue.
I am sorry, but I may not have fully thought through the concept at 32c3.
Non-https makes the download too easy to block in censored areas. Never mind https anyway. Could we also download VirtualBox and Whonix images through Tor using Tor bridges?
Using anon connection wizard (python). News - Whonix Forum
And bundled with integrated Tor and pluggable transports. Just for the download. Then somehow copy that Tor config into the gateway.
Could the installation of VirtualBox be simplified? I think embedding the VirtualBox installer into the Whonix installer would not be as simple as we need it. Ideally, except for the anon connection wizard, just one “yes, next, install” button.
A lot of extra work. Maybe, and hopefully it will not be required for the first iteration since it would make the installer more complicated. But something as future development.
@thomiel, could you also implement a VirtualBox GUI alternative or know someone who would be up for it? Something just for Whonix’s purposes, that is simpler.
A question regarding the concept of an installer: Would it be better to create a small installer which downloads the necessary files over P2P and verifies the files à la a launcher for an online game or to simply create a 2GB+ download where the primary function of the installer would be to unpack the files and verify them?
I was overthinking it. Got a much simpler idea now. Rather than an installer with anon connection wizard, that does torified downloads, it would be a lot simpler to have the Whonix installer download nothing.
Once Whonix installer has been downloaded, the installer should have everything it requires. Integrated VirtualBox and Whonix VirtualBox VM images. That way we would neither require http, nor https nor Tor. Is that doable @thomiel?
What about portable VirtualBox?
Could we also use that? Do you also speak autoit? @thomiel
The problem with such a thing that I used to call ‘stub installer’ is censorship. It wouldn’t work in censored areas. Long time ago, I wrote about it here. Software Signature Verification Usability Issues and Proposed Solutions
(And now just remembered.)
(And as per my first reply, you see that overcoming censorship with such a stub installer gets super difficult quickly.)
(Apart from that, a stub installer is really awesome and improves usability.)
Most likely not possible cross platform. Too diverse platforms. No
development toolkit that is cross platform for that purpose. Too
difficult. Too much work. Most likely not something that gets funds
excited. Their focus is on usability. Super simplicity. And censorship
circumvention. Too difficult with Linux/KVM/VirtualBox. That would be Qubes.
So the best way would be to include everything, which would of course lead to a massive file. This would also mean that someone would have to “create” such an installer every new version to include the newest updates.
Both issues (and in general the complexity of this project) could be solved by using a so called “SFX” or “Self-extracting archive”. How this would look, is using something like “7-zip” for compressing the files, then creating a small .exe file based on this, on which someone would have to only click, choose the destination and get everything extracted. Since we are already thinking about using VBox Portable, this wouldn’t be a problem and updating would also be easier. Furthermore the size could be reduced drastically.
The great thing is that this is under the GNU license, so that should be rather unproblematic.
I’m currently also looking at a way to make something like this with “NanoZIP”, as that could create an even smaller file, albeit at the cost of CPU power and time. However, this could lead to an even easier distribution of Whonix.
If you’d like, I could try to create such an “executable archive” tomorrow.
[quote=“Patrick, post:2, topic:1909”]Non-https makes the download too easy to block in censored areas. Never mind https anyway. Could we also download VirtualBox and Whonix images through Tor using Tor bridges?[/quote]
Looks to me like the chicken-egg-problem.
I don’t recommend setting up a whole python environment for the sole purpose of downloading files through Tor during installation. If you launch a Python script, scrap InnoSetup! I really think, this is way overdone. And: How would you prevent the blocking of that software?
Please keep it simple – at least at the start. Even if this means that the Windows installer will initially fail in censored areas. Maybe we can improve the downloader later on, i.e. providing a dll based on libcurl or libtorrent. Let’s start with a prototype for Windows users just to lower the threshold for using Whonix.
I have worked with COM before but I have no experience with the VirtualBox API. This would be another league compared to doing a Windows installer. How should the GUI differ from the default one? I find the VirtualBox GUI quite good for using Whonix…
Sure. Piece of cake. I haven’t tested InnoSetup with files that big, though. But as long as the filesize stays below 4GB, it shouldn’t be a problem.
Why have an installer, if you want a portable thing? Doesn’t make sense at first glance…
Haven’t used this software. Question is: What do you want to have automated/scripted with it? I’d rely on InnoSetup when it comes to scripting.
I worked on cross-platform software but always relied on OS-native installation solutions rather than using cross-platform installers like the Qt Installer Framework, because they are always limited and never optimized for the platform.
Having a self-extracting zip archive would be the preferable way for creating a portable installation.
But Windows users usually expect to have the option for an easy machine install.
For now let’s forget about autoit. [ Background was: Portable VirtualBox (non-Free) was using it. If we have had the chance to build on top of it. ]
VirtualBox alternative gui:
I need to think about that more. And make some notes on a new Windows installation. One thing for example is, it has too many settings. For example, users sometimes change networking settings and then wonder if they broke it. A tabbed interface would be better. (Like VMware Workstation.) A single start button to start both VMs would be good. Or if the workstation was started, the gateway should be automatically started since it’s a dependency. The popups explaining the host key could be written better.
After looking at the installation screenshots again, it seems the most seemingly superfluous steps are the import ones. But exactly these ones we can get rid of with the installer. So for now the alternative VirtualBox gui is low priority.
With the installer alone we can make things a lot simpler.
- no more need to download VirtualBox
- no more need to install VirtualBox manually (automated by installer)
- just download one file rather than two
- no more need to import the VMs
- after install, just start
Yes. Let’s forget about that.
Good. So Whonix will be ‘the installed thing’. Working similar to other installers that Windows users do know.
[We might still internally use some sort of Libre Software Portable VirtualBox - if that even exists. If that would help simplify implementing this.]
We need to stay compatible with already installed VirtualBox versions. Will this be doable?
Currently I’m trying out both “Inno Setup” and the 7zip based solution I’ve mentioned. While the “Inno Setup” solution isn’t working at the moment (mainly because I’ve never worked with the program and faced a few problems) the 7zip one can do all the things Patrick has proposed:
Furthermore, it automatically creates an icon on the desktop for easy access, lets you select the installation destination and is far smaller than the about 8,35 GB the Gateway, Workstation and VBox would have combined under normal circumstances (uncompressed). The file size for the .exe is only 2,63 GB which makes distribution far easier.
At the moment though, it is sadly based on the “Portable-VirtualBox”, which seems to have some problems when it comes to licensing. So I’m not sure whether I may share the file or not.
Have a nice day,
P.S.: A custom GUI for VBox would be an idea I’ve thought about a while back, mainly to have an “easy mode” which only shows two buttons to start the two VMs respectively and an advanced mode with all the options. If we would do this though, I would recommend NOT checking whether VBox is already installed, as this would maybe create issues with preexisting installations. Having a separate, second installation of VBox, would make more sense then.
I don’t mind so much if Inno Setup or 7zip based. Main point would be to
be as simple and usual to the user as anything. I guess 7zip won’t be as
common. And without a Libre Software portable VirtualBox, the 7zip
solution is probably out of question anyhow.
Maybe even making it as simple as not asking for an installation
destination. Or at least as simple as other super simple installers.
At the moment though, it is sadly based on the “Portable-VirtualBox”,
which seems to have some problems when it comes to licensing. So I’m
not sure whether I may share the file or not.
The vbox.me portable VirtualBox forbids commercial redistribution.
Legally pretty sloppily defined grounds.
P.S.: A custom GUI for VBox would be an idea I’ve thought about a
while back, mainly to have an “easy mode” which only shows two
buttons to start the two VMs respectively and an advanced mode with
all the options.
If we would do this though, I would recommend NOT
checking whether VBox is already installed, as this would maybe create
issues with preexisting installations. Having a separate, second
installation of VBox, would make more sense then.
Separate installation sounds also like causing issues.
Not sure if I can follow you there. The portable solution I’m using at the moment does not interfere with my “normal” installation of VBox. So, if we find a portable version which does offer the needed licensing, I don’t see any problems arising. Or am I missing something?
It’s looking good! Did you / is it possible - to script this with a batch file or how did you create the shortcut and start Whonix?
Unfortunately, without portable VirtualBox as Libre Software this approach will be a dead end.
Even with portable VirtualBox, mixing versions with an already installed version may not work. Different VirtualBox gui versions require different VirtualBox drivers. And for example if an older VirtualBox driver is installed, no other “portable” driver can be loaded in tandem. Therefore the newer portable VirtualBox gui would not work. A few years ago, I checked some version of portable VirtualBox and it was not as self-contained as you might think. Far from the quality of portableapps.com.
Both autostarting after the installation and creating “Startmenu”/desktop entries are integrated right in the source code of 7-ZIP, so I didn’t have to script anything myself (laziness rules). However, from what I have seen while snooping around in the files, there seems to be quite a bit of customizability possible. Depends of course on your needs though.
Sadly, I have to agree with you there. Though I’m not sure how well an integration of a separate installer using “Inno Setup” would go. Maybe similar to those game installers, which also have a second installer for DirectX, etc. bundled if needed…
I see what you mean.
Well, I’ll keep looking for a solution then.
Have a nice day,
I think this could be more than a mere fork, as the team behind the “LinuxLive USB Creator”, for which this was made, releases the entire software including the VBox for “testing” under GPL v3. I’ll look into that.
No, you were right, it was just a fork. Their trick is that the VBox element isn’t bundled with Lili but rather downloaded afterwards, so they may keep their GPL but also use it. Will keep looking for an alternative. Think I have already found one, though it will need some manual work to get it running.
That’s good to hear. The question now is though, how we can automate the process of importing the appliances. Whether there is any way of doing this without some extensive scripting or not, is what could make or break this…