Comment: The following is a previously private discussion which was made public after the initial release of the Whonix-Installer and UI.
So as some of you may recall, about half a year ago, I tried to create a custom installer which was supposed to make starting out with Whonix easier for newcomers. Now, since then original thread for this project (Windows Installer) hasn’t really been updated that much to be honest. The reasons for this were plentiful, as well as (partially) not really in my control. Some where based in the initial choice of programing language, some where actually created by Oracle/VirtualBox, who without telling the community, quietly changed some aspects of their installer, making anything based on there software rather unpredictable, some actually on part of Microsoft and there incapability of fixing bugs in regards to msiexec, instead recommending some rather obscure ways arround the issues (https://blogs.msdn.microsoft.com/heaths/2005/11/15/waiting-for-msiexec-exe-to-finish/) which sadly didn’t work for me, some where rooted in the fact that Whonix sadly isn’t the smallest thing in the world and thus a lot of tinkering was necessary as every free and open setup solution only supports up to 2GB in filesize, some where rooted in the fact that I really did want to minimize the input required by a user and also insisted on delivering the whole thing as one singular .exe which limited me in quite a few ways, some where rooted in the fact that making this project possible for users who already had VBox installed in some way create some massive issues, some in certain details regarding Whonix and VBox (the EULA for example made using VBoxManage for the import almost impossible, which lead me to thinking about actually creating and maintaining seperate images for this project…), some where rooted in the fact that a lot of private things happend in the background and one was rooted in the fact that I don’t really have the most efficient work moral…
Long story short, it took quite a massive amount of experimentation (far more than I would have imagined for simply bundling a few installers, drivers, certificates, after-install-scripts and files together) but I’ve finally been able to create the promised installer including all the features I intially proposed and then some.
You may find it once fully published here: https://github.com/EgoBits1/Whonix-Installer
Github sadly timed out just before reaching the 3,5GB mark. Thus uploaded it to mega: https://mega.nz/#F!eIYkwTbS!GqcZkPlTlYoKJZk6WEGhWA
It would be great if one or two of you could perhaps test it before it gets deployed. The Github project also contains a signature and my public key for verification.
Now, here a list of what my solution is capable of:
- Let’s user set install folder for everything in one go (including VBox, etc)
- Requires just three clicks to install everything (including importing and setting up WS and GW in VBox)
- Bundled into one single file
- Asks only once for UAC
- Very heavily compressed
- Comes with an easy to use uninstaller
- Bypass Oracles limitations in regards to where and how VBox may be installed
- Uninstaller removes everything (including VBox, the Whonix images created and imported by the installer and anything stored by the user) as good as is possible on Windows without overwriting hard drive multiple times
- Will be bundled with simple user interface allowing easy launch of GW and WS (to be finished (Placeholder is included as “whonix.exe” to test start menu inclusion)
- Works on both x64 and x86 and selects correct version of VBox, etc without needing user input
- Is easily “adaptable” for when Whonix 14 is finished
- Bypasses 2GB size limit imposed by “nullsoft scriptable install system”
- Includes a very basic “bin file checksum verifier”
- Based soly on free software (NSIS is under zlib/libpng and 7zip uses GPL)
- Existing installations of VirtualBox are automatically upgraded to the version included and existing images/virtual hard drives are in no way compromissed/modified/removed even when the user changes the install folder for VBox
Now, like mentioned before, it would be great if one of you (or more) could perhaps test this installer before we deploy it so any more problematic bugs can be found.
Furthermore, there are two “features” I’m still thinking about including.
First of all, though this isn’t really a feature, I’m thinking about changing/improving the design of the installer. This is what currently is being used:
While it is functional, it is also very basic.
Something like this might improve matters a bit:
Secondly, I had the idea of maybe creating an automated verification process which would make manually verifing the images not necessary anymore. However the question would be how such a thing could be implemented properly. If an attacker has the ability to modify the images, than modifying the keys would also be possible. They’d have to be delivered seperatley from a server, though how can one prevent an attacker from rerouting the query to said server? Anyways, as mentioned before there is a basic integrity check already though I wouldn’t trust it to much.
Also, I’m still attempting to automate the import of the necessary certificates by Oracle. Sadly the only way I could find requires additional software by Microsoft which due to licensing I am unable to bundle with this installer.
Adding to that, the command prompts while extracting and importing the gateway and workstation files are just temporary, mainly so I am able to monitor whether something actually happens during that time. I had spent so long looking for an error when in reality certain commands weren’t even executed that I found that to be a necessity. Whether these should actually be removed remains to be decided as an argument could be made that users should be able to observe the installation process as detailed as possible.
Anyways, I hope that what I’ve created works properly and if you have any suggestions on what could be added/changed/improved, just let me know. I didn’t want to post this publicly as any obvious issues should probably be found before deploying this…
Have a nice day,
P.S.: On certain systems, it takes a bit of time to start. Not sure whether my hard drive is at fault or whether my SFX is simply compressed with an ineffizient format.