Very good!
torjunkie:
sandbox: Failed to find Adwaita gtk-2.0 theme.
Since this theme is probably installed in standard Tor Browser (the running Sandboxed Tor Browser instance does look a little different), perhaps we should recommend users install it, as it may otherwise pose a fingerprinting vector(?).
Guess:
Good to have it installed (from Debian package sources), if avaialble.
Should:
Not matter.
Real answer:
Only Tor Browser developers are capable to answer that.
Excellent work 0brand - I think I can happily retire now 
I edited your stuff, plus the rest of the Tor chapter, which had various entries (not yours) that was irritating me for language/expression.
I was thinking the exact same thing. I’m not sure. I gather “Tor state” is the generic expression, but I left it mostly as is.
Thanks again, that is very useful to have extra steps in there.
OK - will add a step there when I get a chance.
Reminder to self: also fix AppArmor parameter for Qubes-Whonix.
The Tor chapter looks awesome! Thanks for the help!
Reminder to myself: fix Apparmor parameters before torjunkie gets to it.
Sorry about that. I was a little side tracked with the Tor wiki chapter.
That will be completed and ready for your review later on today.
Done!
https://whonix.org/w/index.php?title=Template:Qubes_AppArmor&oldid=33430&diff=cur
Changed Apparmor qvm-prefs option from ‘-l’ to ‘-g’ . I didn’t see the need to change the ‘-s’ option for R4 since it is ignored.
Language changes were necessary in the introduction IMO. It was very hard to understand. Plus minor language changes in the instructions.
I’m sure the template could use further changes/polishing. Let me know if I can help!
Off topic:
Just saw this post by Patrick. Should the new chapter in wiki/Tor that was just created use this command to stop Tor? This command works in Whonix 13 ( just tested it ). Maybe wait for his guidance when he reviews the new chapter?
Use /lib/systemd/system/tor@service.d instead
https://phabricator.whonix.org/T785
Noticed sys-whonix-A and sys-whonix-B in “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swaped. No need to look who made the mistake. It was me of course 
I will fix later on today along with using /lib/systemd/system/tor@service.d , as per Patrick.
0brand:
Noticed
sys-whonix-Aandsys-whonix-Bin “Copy the Tor State File to Another sys-whonix Instance” steps 5-12 need to be swaped. No need to look who made the mistake. It was me of courseI will fix later on today along with using
/lib/systemd/system/tor@service.d, as per Patrick.
It’s a research ticket. It’s not yet clear we want that. Needs testing /
figuring out. If it works, then all ok.
OnionShare in Qubes-Whonix 14
@Patrick - please point out the faults in this method below if it is unsafe or not canonical.
Building OnionShare from Source
Whonix recommends against APT pinning because it has previously broken functionality. For example, on one occasion templates thought they were not connected to Whonix Gateway; see Dev/APT Pinning - Kicksecure.
Therefore, this procedure builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux
To install OnionShare in Whonix 14:
1. Create an anon-onionshare AppVM based on the whonix-ws (14) template.
2. Open a terminal and navigate to the persistent home directory; this avoids polluting the TemplateVM upon which it is based.
cd /home/user
3. Install git which is not available by default in the AppVM.
sudo apt-get install git
4. Clone the OnionShare directory.
5. Change into the OnionShare directory.
cd onionshare
6. Retrieve Micah Lee’s PGP key using the long key ID.
Note: This key ID is taken from www.micahflee.com
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73
7. Examine the available git tags, and verify the latest version and its commit (v1.3 at the time of writing). Good signature messages should appear for each verify command below.
git tag
git verify-tag v1.3
git verify-commit v1.3^{commit}
8. Install OnionShare dependencies.
Warning: Do not proceed unless signatures were good for the two git verification steps.
The user must install the following dependencies.
sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy
9. Extend the onion-grater whitelist on sys-whonix (14).
Steps 9-10 are sourced from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare
In sys-whonix (14), open Konsole and create the following directory.
sudo mkdir -p /usr/local/etc/onion-grater-merger.d/
Symlink the onion-grater profile to the onion-grater settings folder.
sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/
Restart onion-grater.
sudo service onion-grater restart
10. Modify the anon-onionshare user firewall settings and reload them.
In Konsole, first make sure the folder /rw/config/whonix_firewall.d exists.
sudo mkdir -p /rw/config/whonix_firewall.d
Create the necessary user.conf file.
sudo nano /etc/whonix_firewall.d/50_user.conf
Add ports that are required by OnionShare.
EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "
Save and exit.
11. Start the OnionShare GUI in anon-onionshare.
./dev_scripts/onionshare-gui
12. Select the settings button/icon (cog symbol) in the OnionShare GUI.
Under “How should OnionShare connect to Tor?” select “Connect using socket file”, and set the socket file to /var/run/tor/control.
Under “Tor authentication options” select “No authentication, or cookie authentication”.
13. Test the OnionShare settings.
Click the “Test Settings” button. If all steps were completed correctly, Tor will successfully connect.
The GUI should say it supports both ephemeral onion services and stealth onion services.
Check “Create stealth onion services” to make OnionShare operations more secure.
Actual Test
After doing all these steps above, it worked! 
I was able to share a dummy file with one sentence of text in it, that was made available at a random onion address.
The same instructions can be used for non-Qubes-Whonix, except each instance of sys-whonix and anon-onionshare is substituted with Whonix-Gateway and Whonix-Workstation instead.
Conclusion
OnionShare, a piece of cake in Whonix 
AppArmor Consideration
@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?
Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub
Tor wiki chapter “Copy the Tor State File to Another sys-whonix Instance”
Mistakes fixed
https://whonix.org/w/index.php?title=Tor&oldid=33454&diff=cur
TODO
Anything that take priority as per Patrick, torjunkie
Whonix 14 Call for testers blog post. Update as needed
Come up with a new name for the attack as per: Long Wiki Edits Thread - #494 by Patrick
This all I have so far. 
Could use some ideas.
Fix broken link user reported in Multiple Tor Browsers safe setup in Whonix - #3 by clockworld
Add Qubes specific install instructions for “Using Tor Browser without Tor” chapter
torjunkie:
OnionShare in Whonix 14
@Patrick - please point out the faults in this method below if it is unsafe or not canonical.
Building OnionShare from Source
Whonix recommends against APT pinning because it has previously broken functionality.
No. I wouldn’t go so far. Pinning is fine. Just needs to be done right.
Not using generic codenames (stable, testing). Using specific codenames
(jessie, stretch, buster).
For example, on one occasion, templates thought they were not connected to Whonix Gateway; see Dev/APT Pinning - Kicksecure.
Unrelated to apt pinning.
Therefore, this test builds OnionShare from source code based on Micah Lee’s instructions; see https://github.com/micahflee/onionshare/blob/master/BUILD.md#gnulinux
To install OnionShare in Whonix 14:
1. Create an
anon-onionshareAppVM based on thewhonix-ws(14) template.
Ok, it’s user choice (optional) but good practice.
2. Open a terminal and switch to the persistent directory; this avoids polluting the TemplateVM upon which it is based.
cd /home/user
3. Install git which is not available by default in the AppVM.
sudo apt-get install git
4. Clone the OnionShare directory.
5. Change into the OnionShare directory.
cd onionshare
6. Receive Micah Lee’s PGP key using the long-ID key version.
Note: This key ID is taken from www.micahflee.com
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x927F419D7EC82C2F149C1BD1403C2657CD994F73
7. Examine the git tags available, and verify the latest version and it’s commit (v1.3 at the time of writing). Good signature messages should appear for the second and third steps.
git tag
git verify-tag v1.3
git verify-commit v1.3^{commit}
8. Install OnionShare dependencies.
Warning: Do not proceed unless signatures were good for the two git verification steps.
The user must install the following dependencies, except Tor, which is already installed by Whonix.
sudo apt install -y build-essential fakeroot python3-all python3-stdeb dh-python python3-flask python3-stem python3-pyqt5 python-nautilus python3-pytest obfs4proxy
9. Extend the onion-grater whitelist on
whonix-gw(14).Follow the directions from http://kkkkkkkkkk63ava6.onion/wiki/File_Sharing#onionshare
Ok.
That is, first create a new directory via Konsole in whonix-gw.
Can be done in sys-whonix. (Covered by bind-dirs.) (Maybe onion-grater
add wiki template needs improvement?)
Doing in whonix-gw TemplateVM is okay too but then it applies for all
Whonix-Gateway ProxyVMs based on sys-whonix. Probably not needed.
sudo mkdir -p /usr/local/etc/onion-grater-merger.d/
Symlink the onion-grater profile to the onion-grater settings folder.
sudo ln -s /usr/share/onion-grater-merger/examples/40_onionshare.yml /usr/local/etc/onion-grater-merger.d/
Please use the existing wiki template,
Restart onion-grater.
sudo service onion-grater restart
10. Modify the Whonix-Workstation User Firewall Settings and reload them.
In Konsole in
whonix-ws(copying instructions from the link above), first make sure the folder /rw/config/whonix_firewall.d exists.sudo mkdir -p /rw/config/whonix_firewall.d
Create the necessary user conf file.
sudo nano /etc/whonix_firewall.d/50_user.conf
Add ports that are required by OnionShare.
EXTERNAL_OPEN_PORTS+=" $(seq 17600 17659) "
Save and exit.
11. Start the OnionShare GUI in
whonix-ws../dev_scripts/onionshare-gui
12. Select the settings button/icon (cog symbol) in the OnionShare GUI.
Under “How should OnionShare connect to Tor?” choose “Connect using socket file”, and set the socket file to /var/run/tor/control.
Under “Tor authentication options” choose “No authentication, or cookie authentication”.
13. Test the OnionShare settings.
Click the “Test Settings” button. If all has gone well, you should see a successful connection to Tor.
The GUI should say it supports both ephemeral onion services and stealth onion services.
Check “Create stealth onion services” if you want to make OnionShare more secure.
Actual Test
Well I did all these steps above, and it worked!
Good.
I was able to share a dummy file with one sentence of text in it, that went to a random onion address.
Note
I skipped this step below, because OnionShare works anyway. It is unclear why it isn’t needed in Whonix i.e. allowing OnionShare to connect to the system Tor socket file explicitly, but perhaps the GUI step is sufficient:
Package anon-ws-disable-stacked-tor makes it appear as if Tor is running
in Whonix-Workstation, “Tor emulation”. Even though Tor is not running
there. And forwards to Whonix-Gateway. ( Need of update:
anon-ws-disable-stacked-tor )
Connecting to Tor · onionshare/onionshare Wiki · GitHub
sudo usermod -a -G debian-tor username
Should be also done already by anon-ws-disable-stacked-tor.
But, who gives a shit if it works.
Conclusion
OnionShare, a piece of cake in Whonix
AppArmor Consideration
@Troubadour - what about the possibility of implementing this OnionShare AppArmor profile in Whonix?
Improve AppArmor profiles and enforce them. · onionshare/onionshare@6cceac3 · GitHub
Doesn’t onionshare ship a profile by its own already?
Some nitpicks…
Maybe change to sys-whonix-old / sys-whonix-new. Better than a and b. Always clearer.
sys-whonix-new: after stopping Tor, also delete Tor state folder.
Why: imagine sys-whonix-new has a Tor state file that sys-whonix-old did not have. In that case it would not be a clean migration of the same. It would have an extraneous file.
Is sudo su required? Would sudo work?
sudo ls -l /var/lib/tor - not useful to run before fixing permissions using chown. After using chown usually we shouldn’t need to check. I think we can trust chown if no errors were shown. sudo ls -l /var/lib/tor is only useful for debugging. (Perhaps keep as footnote.)
whonixcheck -v: the -v shouldn’t be encouraged for most users. It’s non-verbose by default to keep the generated confusion from any whonixcheck output low. Please mention [[whonixcheck]] (where -v could be documented.).
Clarification: stopping Tor is required in both VMs old and new. Deleting Tor state files is required in new VM.
OnionShare wiki entry → Done.
Is this page linked on the main documentation page somewhere?
Anyway, will create the draft of the Whonix 14 blog post tomorrow, now that this is finally done. It will be ready for publishing EXCEPT for the date field right at the top which has April XX at the moment.
Then, I’m moving onto tempest’s encrypted email stuff for the blank wiki page I created already. Should be relatively easy cut and paste job (?).
Buddy, you do anything you like - your contributions are very much valued. 
Editing is a bug, once you get it, it’s hard to shake…
Done!
It only needs sudo. When first tested it required sudo su. I could have made an error.
Done!
Done!
After stopping Tor, /var/lib/tor had to be unmounted before it could be removed. When moving new Tor folder back into /var/lib, the new folder did not need to be mounted for Tor to start. Should it be mounted anyways?
New steps (note: some of the comments in the actual wiki are excluded for simplicity)
1. In sys-whonix-new, stop Tor
sudo systemctl stop tor@default
2. In sys-whonix-new, remove the Tor state folder. First the /var/lib/tor directory must be unmounted
sudo umount /var/lib/tor
sudo rm -r /var/lib/tor
3. In sys-whonix-old, stop Tor
sudo systemctl stop tor@default
4. In sys-whonix-old, copy the Tor state file across to sys-whonix-new
sudo qvm-copy /var/lib/tor sys-whonix-new
5. In sys-whonix-new, list the QubesIncoming directory to ensure the Tor state file was copied over successfully.
ls ~/QubesIncoming/sys-whonix-old/tor
6. In sys-whonix-new, move the newly copied Tor state file to /var/lib/tor
sudo mv ~/QubesIncoming/sys-whonix-old/tor /var/lib
7. In sys-whonix-new, change ownership of all files in the Tor state folder to debian-tor
sudo chown -R debian-tor:debian-tor /var/lib/tor
8. In sys-whonix-new, start Tor
sudo systemctl start tor@default
9. In sys-whonix-new, run whonixcheck to verify Tor is functioning properly
whonixcheck
https://whonix.org/w/index.php?title=Tor&oldid=33463&diff=cur
Knew I was in trouble when I started carrying around a pocket notebook to jot down ideas for content throughout the day. 
LOL. 
You might also want to put yourself on the contributors list next to my name re: wiki documentation audit if you’re going to be here for a while.
In my hunting for missing images on wiki pages, I noticed the following.
1. The following wiki pages link to nothing (virtually empty pages) on the main wiki TOC:
http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix:General_disclaimer
2. Also, do you want the “Expand or Collapse All” widget embedded on each of the main wiki documentation pages i.e. this? →
{{#widget:Expand or Collapse All}}
3. The following page is definitely an old version. I remember editing the text about different repositories to improve it i.e. remove folksy language.
http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-APT-Repository
4. I see there are old edits awaiting approval for the “Tor Browser without Tor” page. Probably missed in all the action.
http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser_without_Tor
Not sure who did that, but they look good. Suggest you approve that.
Dumb question since I rarely do blog posts, where is the button/link/login section to do that again? (via forums? via doc page login? don’t see it)
Looking high and low and I don’t see it anywhere. Let me know, and I’ll draft up the HTML markdown version for Whonix 14 release.
I don’t plan on going anywhere in foreseeable future. You’re stuck with me.
I think having your name on the contributors list is a privilege that is earned. I have a ways to go on that? I guess you could say I’m a padawan learner of sorts.
torjunkie:
Dumb question since I rarely do blog posts, where is the button/link/login section to do that again?
(via forums? via doc page login? don’t see it)
Looking high and low and I don’t see it anywhere. Let me know, and I’ll draft up the HTML markdown version for Whonix 14 release.
There’s none as far as I know. Manually only.
torjunkie:
In my hunting for missing images on wiki pages, I noticed the following.
1. The following wiki pages link to nothing (virtually empty pages) on the main wiki TOC:
- “Whonix.org Site Security”. It used to have ratings of various website features etc.
Removed.
- “Disclaimer” - dead redirects. Suggesting removing or fixing whatever it is meant to link to (I’m not sure what resource it should pull in).
http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix:General_disclaimer
Removed.
2. Also, do you want the “Expand or Collapse All” widget embedded on each of the main wiki documentation pages i.e. this? →
{{#widget:Expand or Collapse All}}
Not sure I understand the question.
{{#widget:Expand or Collapse All}} is currently only on
Whonix Documentation. What other pages do you
suggest? I don’t see any other pages where it would be useful currently.
Please elaborate.
3. The following page is definitely an old version. I remember editing the text about different repositories to improve it i.e. remove folksy language.
http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-APT-Repository
Edits since June 2016…
Project-APT-Repository: Difference between revisions - Whonix
No big changes.
4. I see there are old edits awaiting approval for the “Tor Browser without Tor” page. Probably missed in all the action.
http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser_without_Tor
Not sure who did that, but they look good. Suggest you approve that.
It’s mixed up with other changes which are untested. This was the
problem. And the person who contributed these disappeared.