Hardening Qubes-Whonix

Suggested entry below (Security Guide section) for the benefit of both Qubes and Non-Qubes-Whonix users. Tested and now working on my system for both templates.

Onionizing Whonix and Debian Repositories

When Whonix, Debian and Qubes packages are installed or updated, the default settings point to repositories with an http:// URI.[1][2] However, experimental .onion support is already available for both Whonix and Debian packages, with Qubes .onion mirrors planned for the near term.[3][4]

In order to install or update with the utmost caution, users may consider manually editing their APT sources lists to point to the Whonix and Debian .onion mirrors. There are several security and privacy benefits to this approach:[5]

  • The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update);
  • The package repository, or observers watching it, can’t track what programs you’ve installed;
  • The ISP cannot easily learn what packages you fetch; and
  • End-to-end authentication and encryption provide protection against man-in-the-middle attacks, such as version downgrade attacks.

To use the .onion mirrors, it is necessary to change the whonix.list and debian.list files in the /etc/apt/sources.list.d directory in both the Whonix-Workstation and Whonix-Gateway TemplateVMs.[6]

(1) In the TemplateVM, open the Debian sources file in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/debian.list

(2) Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories, shown as the commented lines below (the original clearnet mirror URL appears here only as its link title, "Index of /debian"; comment out whatever http:// line for that mirror your debian.list contains):

#deb Index of /debian jessie main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free

# deb http://security.debian.org jessie/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free

(Optional - Backports)

#deb Index of /debian jessie-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

(3) Save the new debian.list file.

(4) Point to the Whonix APT Repository .onion mirror:

sudo whonix_repository --baseuri http://deb.kkkkkkkkkk63ava6.onion --enable --repository stable

Note: Four Whonix repository choices are available: stable, stable-proposed-updates, testers and developers. Change the --repository value in the command above to reflect your preference.[7]

(5) Check that the .onion entries are correct and functional in your Whonix system:

sudo apt-get update && sudo apt-get dist-upgrade

Remember to repeat steps 1-5 for both the Whonix-Workstation and Whonix-Gateway TemplateVMs.[8]

(6) OPTIONAL testers/paranoid users step - create an onionized torproject.list:

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/torproject.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/torproject.list

Cut and paste the following text and comment out (#) the corresponding http repository, shown as the commented line below (its clearnet URL appears here only as the link title "Index of /torproject.org"):

#deb Index of /torproject.org jessie main
deb http://sdscoq7snqtznauu.onion/torproject.org jessie main

Save and exit.
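The editing and checking in steps (2), (3) and (6) can be scripted, which also gives a check that a hand edit can miss: one clearnet line left uncommented silently keeps the old repository in use. The shell script below is an added example, not code from the original post or from the Whonix project. For a given sources file it comments out every active deb/deb-src line whose host is not a .onion address, adds the .onion lines quoted in the guide only once (so it can be rerun safely), and fails if any non-.onion entry is still active. The .onion addresses are the ones from the guide; the file paths and the clearnet host mirror.example.org in the demonstration are constructed. Try it on a copy first; applying it to the real files under /etc/apt/sources.list.d requires root rights, after which step (5) is still the functional test.

```shell
#!/bin/sh
# Added example (not part of the original post or Whonix): script the guide's
# sources.list edit and add a check that no clearnet repository stays active.

# Shared awk program. For each active "deb"/"deb-src" line it extracts the host
# from the URI and decides whether it is a .onion host.
#   mode=comment : reprint the file with every clearnet line commented out
#   mode=check   : print only active clearnet lines, exit 1 if any were found
SOURCES_AWK='
function host_of(line,    parts, uri) {
    sub(/^[[:space:]]+/, "", line)
    split(line, parts, /[[:space:]]+/)
    uri = parts[2]
    if (uri ~ /^\[/) uri = parts[3]      # skip an [arch=...] option block
    sub(/^[a-z+]+:\/\//, "", uri)        # strip the scheme (http://, tor+http://)
    sub(/\/.*$/, "", uri)                # keep host[:port]
    sub(/:[0-9]+$/, "", uri)             # drop a port
    return uri
}
/^[[:space:]]*deb(-src)?[[:space:]]/ {
    if (host_of($0) !~ /\.onion$/) {
        found = 1
        if (mode == "comment") { print "# " $0; next }
        print; next
    }
}
{ if (mode == "comment") print }
END { if (mode == "check" && found) exit 1 }
'

# Comment out every active clearnet entry in the given sources file (in place).
# A file that does not exist yet has nothing to comment out.
comment_clearnet_lines() {
    [ -f "$1" ] || return 0
    awk -v mode=comment "$SOURCES_AWK" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed only if no active entry in the file points at a non-.onion host.
check_onion_only() {
    awk -v mode=check "$SOURCES_AWK" "$1"
}

# Append a line unless the file already contains it, so reruns stay idempotent.
add_line_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Steps (2)-(3) of the guide for one file: comment out clearnet entries, add the
# .onion entries given as further arguments, then verify nothing clearnet remains.
onionize_list() {
    f="$1"; shift
    comment_clearnet_lines "$f"
    for line in "$@"; do add_line_once "$f" "$line"; done
    check_onion_only "$f"
}

# debian.list with the guide's Debian .onion mirrors; pass "backports" to add them.
onionize_debian_list() {
    if [ "${2:-}" = "backports" ]; then
        onionize_list "$1" \
            "deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free" \
            "deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free" \
            "deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free"
    else
        onionize_list "$1" \
            "deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free" \
            "deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free"
    fi
}

# Optional step (6): torproject.list with the guide's .onion entry.
onionize_torproject_list() {
    onionize_list "$1" "deb http://sdscoq7snqtznauu.onion/torproject.org jessie main"
}

# Demonstration on a constructed copy; mirror.example.org stands in for whatever
# clearnet mirror the real debian.list names. No root rights and no network needed.
demo_dir=$(mktemp -d)
cat > "$demo_dir/debian.list" <<'EOF'
deb http://mirror.example.org/debian jessie main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free
EOF
if onionize_debian_list "$demo_dir/debian.list" backports; then
    echo "== onionized debian.list =="; cat "$demo_dir/debian.list"
else
    echo "clearnet entries still active in $demo_dir/debian.list" >&2
fi
rm -rf "$demo_dir"
# After applying this to the real files as root, run step (5):
#   sudo apt-get update && sudo apt-get dist-upgrade
```

The check is deliberately separate from the edit: running check_onion_only over every file in /etc/apt/sources.list.d after any later package or repository change catches a clearnet entry that a new tool or a fresh template wrote back without you noticing.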

Footnotes:

[1] Whonix APT Repository
[2] Whonix 14 will prefer .onion repositories by default, even when adding third-party resources
[3] Onionizing Qubes-Whonix Repositories
[4] Install Additional Software Safely
[5] Tor at the Heart: apt-transport-tor and Debian onions | The Tor Project
[6] tor:// or tor+http:// entries are not required in Whonix because apt is uwt-wrapped.
[7] Whonix APT Repository
[8] Qubes users can repeat these steps in their Debian-8 TemplateVM to onionize installations and updates.