Strange behavior of Whonix related to updates.

Yesterday I had a strange update notification. Let's start by saying that I configured all updates to go through the Whonix proxy. I configured Whonix as the update proxy everywhere. I allowed checking for updates only for Whonix qubes and, what's more, I disabled networking for all non-Whonix qubes (all this in order to make Qubes check for updates only through Tor). And taking all this into account, yesterday all these strange things happened:

  1. I added a new bridge and it failed to connect, even though the same bridge was working fine at the same time on another device. So I turned the network off in order to prevent any potential traffic leaks (yes, I'm paranoid) while I added another bridge that I had saved before. The network was working for only a few seconds, it had no established connection to Tor, but despite this fact I still got the notification about a Whonix Gateway update. I checked all my update settings in Global Configs and everything was still configured as I had set it. Then I added another bridge and it still failed to connect, so this way I made sure that it's not about the bridge. So I shut down sys-whonix, sys-firewall and sys-net and restarted them again, and this time it connected to the bridge without any problems, but then the second strange thing happened:
  2. All of a sudden it started a system check by itself, and after it finished a notification window appeared that I had never seen before. It asked me (for some reason) to perform some specific actions to update my Whonix Gateway properly. Everything is shown on the screenshot:

Did you have that update yesterday too? What do I do: follow the instructions on the screenshot, update as usual, or am I being hacked and this notification is fake? And how could an update notification appear if there was no established Tor connection? I shut down all the ways it could check for updates bypassing Tor (at least I think I did all I could for this). There were no update notifications in the previous session, and I specifically checked Qubes Updater and it was saying the last update check was performed "today" (but today that already means "yesterday", because I did it yesterday).

My opinion on GUI update tools:
I do not like GUI update tools. Computers operate based on zeros and ones. The most detailed human-understandable output can be presented in terminal windows and textual log files. GUI update tools are far from being able to handle, or even notify about, all the different (temporary, or permanent until fixed) error states. Lots of known issues.

This is elaborated in this wiki chapter:

In short, if you want the real information, forget about the GUI and look at the CLI.

systemcheck is automatically started under some conditions.

setup-wizard-dist → detects that Tor is not enabled → starts Anon Connection Wizard (ACW) → starts systemcheck

There could be bugs here too, with too much or too little autostart, but in any case these are usability issues, not security issues.

If some Template is configured to use sys-whonix as a Qubes UpdatesProxy and it is not running, then depending on Qubes dom0 UpdatesProxy settings, sys-whonix is autostarted. And that can result in starting systemcheck.

Invalid compromise indicator. See:
Valid Compromise Indicators versus Invalid Compromise Indicators

The command sudo apt-get dist-upgrade --simulate does not need a network connection. Once APT "knew" that updates are available, that is stored in the local APT database. Network available or not, sudo apt-get dist-upgrade --simulate runs completely offline and uses the already existing local information.

There is no way to know that without checking using Control and Monitor Tor or at least Tor logs.

Unsuitable Connectivity Troubleshooting Tools

upgrade-nonroot is mentioned many times on the website. → Utilize Search Engines and Documentation

  • “upgrade-nonroot”

  • “upgrade-nonroot”
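The reply above says the only way to know whether Tor was actually connected is to look at Tor's own logs rather than at a GUI. The following is an added example (not code from this thread or from the Whonix project) that reads Tor's "Bootstrapped N%" log lines and reports whether Tor ever finished bootstrapping, taking the most recent line so that a Tor restart (which logs 0% again) is handled. The log samples inside it are constructed, and the journalctl unit name tor@default is an assumption about a Debian-style Tor install; it may differ on Whonix-Gateway.

```shell
# Added example, not code from the thread or from the Whonix project.
# Reads Tor's own log lines (instead of trusting a GUI) and answers:
# did Tor actually finish bootstrapping, and were there bootstrap problems?
# Assumptions: Tor's standard "Bootstrapped N% (tag): text" notice format;
# the journal unit name tor@default (Debian-style install, may differ on
# Whonix-Gateway); both log samples below are constructed, not captured.

# Constructed sample: Tor got stuck at 10% (the bridge never answered).
SAMPLE_LOG_STUCK='Mar 10 12:00:01.000 [notice] Bootstrapped 0% (starting): Starting
Mar 10 12:00:02.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Mar 10 12:00:03.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Mar 10 12:00:33.000 [warn] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (Connection refused; CONNECTREFUSED; count 1; recommendation warn; host XXXX at 192.0.2.10:443)'

# Constructed sample: a restart after a failed attempt, then a full bootstrap.
SAMPLE_LOG_DONE='Mar 10 12:01:00.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Mar 10 12:05:00.000 [notice] Bootstrapped 0% (starting): Starting
Mar 10 12:05:03.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mar 10 12:05:05.000 [notice] Bootstrapped 100% (done): Done'

# Latest bootstrap percentage reported on stdin. The most recent line wins,
# so a restart that logs "Bootstrapped 0%" again is reflected correctly.
# Prints "none" if no bootstrap line was logged at all.
tor_bootstrap_percent() {
  pct=$(sed -n 's/.*Bootstrapped \([0-9][0-9]*\)%.*/\1/p' | tail -n 1)
  printf '%s\n' "${pct:-none}"
}

# Number of "Problem bootstrapping" warnings on stdin (0 if none).
tor_bootstrap_problems() {
  grep -c 'Problem bootstrapping' || true
}

# Exit status 0 only if the latest bootstrap line says 100%.
tor_connected() {
  [ "$(tor_bootstrap_percent)" = "100" ]
}

# Human-readable verdict for the log text on stdin.
tor_verdict() {
  log=$(cat)
  pct=$(printf '%s\n' "$log" | tor_bootstrap_percent)
  problems=$(printf '%s\n' "$log" | tor_bootstrap_problems)
  if [ "$pct" = "100" ]; then
    printf 'Tor bootstrapped (100%%), %s bootstrap problem(s) logged\n' "$problems"
  elif [ "$pct" = "none" ]; then
    printf 'Tor NOT bootstrapped (no bootstrap line logged), %s bootstrap problem(s) logged\n' "$problems"
  else
    printf 'Tor NOT bootstrapped (latest: %s%%), %s bootstrap problem(s) logged\n' "$pct" "$problems"
  fi
}

# Run over the constructed samples.
printf '%s\n' "$SAMPLE_LOG_STUCK" | tor_verdict
printf '%s\n' "$SAMPLE_LOG_DONE" | tor_verdict

# Live check on a Debian-style Tor install (assumed unit name; run it where
# Tor actually runs, i.e. inside sys-whonix, as a user allowed to read the journal):
#   journalctl -u tor@default --no-pager | tor_verdict
```

Run against the first sample it reports that Tor was stuck at 10% with one bootstrap problem, against the second that Tor reached 100% after the restart. Fed from the live journal it gives the same answer the reply asks for: whether a Tor connection was ever established in the session, independent of what any GUI claims.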