OnionShare Whonix integration development discussion

A regression about showing the Whonix advice if onion-grater profile is not active yet in Whonix 15 / debian buster based.

Added support for OnionShare in “bundled Tor” configuration which is the default in Debian buster version of OnionShare.

Installing onionshare issue on Whonix 14 "there was an error with Tor: SET EVENTS rejected HS_DESC" · Issue #829 · onionshare/onionshare · GitHub

This will come through Whonix 15 package upgrades at some point in future.


Over on tor-dev, this thread makes it very clear that v2 onions are plain dangerous for various reasons.

https://lists.torproject.org/pipermail/tor-dev/2020-May/014322.html

I note this because the current version of OnionShare from Debian buster (v1.3.2) installed in Whonix defaults to legacy v2 as you can see in my screenshots recently added.

(Which is funny, since if you have a much later Tor version >3.5.X like that provided by Whonix, it is apparently meant to default to v3? Maybe that is only for later OnionShare software version?)

So I guess this might be something where we recommend users default to a later installed version from Sid? (v2.2-2) and take their chances. Bullseye has v2.2. Otherwise they are at real risk of having their ass hacked by capable adversaries.

Debian bullseye = Debian sid = onionshare 2.2-2 at time of writing.

Yes. v2 vs v3 is entirely up to OnionShare, I think. Debian bullseye version uses v3 if I am not mistaken.

Could go back to manual installation instructions.

Outdated, Deprecated, Archived Whonix Documentation.

Can also consider to no longer install by default in Whonix until Whonix is based on Debian bullseye.
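For readers who want to check which onion generation an OnionShare link uses, the following added example (not from this thread and not OnionShare code) classifies an address as v2 or v3. The v3 checksum layout follows Tor's v3 rendezvous specification; the function names and all sample addresses are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    # v3 spec: first 2 bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from 32 key bytes (used only to construct samples)."""
    if len(pubkey) != 32:
        raise ValueError("v3 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify_onion(url_or_host: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a URL or bare hostname."""
    s = url_or_host.strip()
    host = urlsplit(s if "//" in s else "//" + s).hostname or ""
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return "v2"  # legacy: 80-bit truncated SHA-1 of an RSA-1024 key
    if re.fullmatch(r"[a-z2-7]{56}", label):
        raw = base64.b32decode(label.upper())
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version == V3_VERSION and checksum == _v3_checksum(pubkey):
            return "v3"
    return "invalid"


if __name__ == "__main__":
    # Constructed samples, not real services.
    samples = [
        "http://abcdefghijklmnop.onion/constructed-slug",
        "http://" + encode_v3(bytes(range(32))) + "/constructed-slug",
    ]
    for s in samples:
        print(classify_onion(s), s)
```
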


OnionShare wiki page issues

Why not just use Flatpak for latest version instead (in the appendix part)? Micah has removed build dependencies information for OnionShare - can’t find them anywhere for v2.3.1. They are just pushing snap and flatpak instead for Linux.

This would be easy in non-Qubes-Whonix (only a few steps - see below).

Of course in Qubes-Whonix the AppVM steps would need to be done every time, but at least you have latest, fully-functional, secure, v3 onions version. The Debian version is ancient and even next testing version is still only v2.2.

With the next Debian release due soon, that means we’ll be stuck with v2.2 for a couple more years - not good enough, because anonymous chat is only available in v2.3 and it is arguably far better/secure than the messengers we recommend in the wiki.

This works →

In whonix-ws-15-onionshare TemplateVM:

sudo apt-get install flatpak

In whonix-ws-15-onionshare AppVM (not allowed in TemplateVM, any way around that?):

Add the Flathub repository:

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Install in AppVM (can’t be done in TemplateVM again, any way around that?):

flatpak install flathub org.onionshare.OnionShare

Run in AppVM:

flatpak run org.onionshare.OnionShare

Tested and works nicely with v2.3.1

A pain, but v1.3.2 in Debian is hopelessly out-of-date i.e. doesn’t allow receiving files anonymously, anonymous websites or anonymous chat and only legacy v2 onions i.e. useless by comparison and a security risk.

Also, flatpak instructions are far easier than that build stuff we have on the relevant wikipage right now. If you don’t like the steps above, would this work in both Qubes-Whonix and non-Qubes-Whonix? →

https://docs.onionshare.org/2.3/en/install.html#install-in-linux

You can also download and install PGP-signed .flatpak or .snap packages from Index of /dist/ if you prefer.

I guess for Qubes → download in AppVM, get Micah’s key, verify, copy to TemplateVM, install (for persistence). Dunno, I never use Flatpak.

Random error

Do you see this when trying to run standard onionshare in Whonix 15? (I guess I installed Firejail at some stage…). Doesn’t happen with later OnionShare versions > v1.3.2.

Type: “whonix” for help.
uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:
uwt INFO: Stream Isolation: Easy
user@host:~$ onionshare-gui
Reading profile /etc/firejail/onionshare-gui.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2023, child pid 2024
Child process initialized in 78.28 ms
/usr/lib/uwtwrapper: line 327: /sbin/ifconfig: Permission denied

Parent is shutting down, bye…


Sure. Perhaps keep a short explanation why Debian buster (even bullseye) version is Undocumented, Untested or Unsupported Features at Whonix. Perhaps even just one short sentence for better usability and a few details in a footnote. We aren’t coerced to document everything in every version. Only as far as the Contributors and Authorship - Whonix are willing to support it.

Sure.

Even Qubes-Whonix isn’t too complicated. I am demonstrating how to use flatpak in (Qubes-)Whonix on this page:
Chromium

If you would like, what would be useful would be a wiki template flatpak-install.


[1] I actually researched that in context of Dev/Default Browser - Kicksecure but since kicksecure.com isn’t public yet and since flatpak use instructions are interesting (such as for the use case here), I’ve added to Whonix wiki.


Related:
FlatPak as a Software Source / flathub as a source of software

Thanks.

This is tested to work in Qubes-Whonix for OnionShare persistence in the AppVM after reboot/restart. (The --user tag will clearly work for other matters as well e.g. Chromium etc.)

It is clearly not as safe as having it installed in the TemplateVM, but so long as the user only uses that AppVM for that sole purpose, that will limit the risk somewhat. We should create a wiki template as you said.

(PS I think we should have standard flatpak installed in WS in Whonix 16. Just makes it easier.)

In whonix-ws-15-onionshare TemplateVM:

sudo apt-get install flatpak

In whonix-ws-15-onionshare AppVM: (note the --user tag)

flatpak --user remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

flatpak --user install flathub org.onionshare.OnionShare

To launch OnionShare v2.3.1:

flatpak run org.onionshare.OnionShare

Note - I see OnionShare will work (connect to the Tor network successfully) with its bundled Tor version if you don’t change the settings. We should probably warn against that, as it would then lead to Tor-over-Tor in Whonix.


Due to too old version… anon-meta-packages whonix-workstation-packages-recommended-gui should no longer Depends: on Debian -- Details of package onionshare in buster?

In other words: No longer install OnionShare by default inside Whonix?
(Until Whonix gets rebased to Debian bullseye (Whonix 16) and OnionShare 2.3.1 arrived in Debian bullseye.)


Documentation currently still mentions v1.3.2:

Figure: First Start of OnionShare v1.3.2 GUI

In v1.3.2 you can check

Remove onionshare non-flatpak instructions?

Last I checked OnionShare 2.2 is probably in the next Debian release. That utilises v3 onions etc. and has most functionality except the anonymous chat. Since I know you’ll update to Debian 11 at the first opportunity, we could just wait a couple of months (or so) and more strongly recommend people use the flatpak method in the meantime as a reasonable compromise.

(Also easier to leave non-flatpak instructions for easy updating later on.)


Quote The Tor Project: Onion Service version 2 deprecation timeline [archive]:

Retirement

Here is our planned deprecation timeline:

1. September 15th, 2020

0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021

0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021

We will release new Tor client stable versions for all supported series that will disable v2.

@Patrick
This is not good news for me (No longer install OnionShare by default) as I was a user of OnionShare.
Would it be possible to install it using a particular method or is it not recommended? Is it the recommended solution?

Flatpak installation method recommended, see:

Thanks for your support.

EDIT : Solved using the recommended method.

onion-grater profiles…

Any changes required?

//cc @JeremyRand

onion-grater profile updated for OnionShare 2.4. Experimental.

Wiki changes to address above issue: