Whonix-installer error line 176 (Kicksecure Whonix, updates over tor, and S76 HCL)

Support
1

I am working on making an OS as close to what Qubes would be if it was configured to be compatible with System 76 Galago Pro 6. See Qubes forum user “procShield” HCL and topics (wifi is not recognized and the backlight is not at full brightness). There is a Fedora copr for S76, so I thought I would use Boxes to install Debian and then make it Kicksecure with Whonix. The following error message occurred while installing Whonix in Kicksecure:

whonix-installer-xfce: [ERROR]: Try again. If this issue is transient (not happening again) it can be safely ignored.
whonix-installer-xfce: [ERROR]: Please see Whonix News and Whonix User Help Forum.
whonix-installer-xfce: [ERROR]: If not already reported, please report this bug!

whonix-installer-xfce: [ERROR]: Error ocurred in line: 176.
*** 172 shift***
*** 173 log_run su root -s “${cmd}” – “${@}”***
*** 174 ;;***
*** 175 sudo)***
**** 176 log_run sudo – “${@}”***
*** 177 ;;***
*** 178 doas)***
*** 179 log_run doas -u root – “${@}”***
*** 180 ;;***

whonix-installer-xfce: [ERROR]: Please include the user log and the debug log in your bug report.
whonix-installer-xfce: [ERROR]: (For file locations where to find these logs, see above.)

whonix-installer-xfce: [ERROR]: Exit code: 1.

For some reason, torsocks could download with curl but not install the --onion method so I tried TLS. I don’t know what more needs to be configured for the onion source to install since I was able to update via tor+http. For reasons I don’t understand, tor+http updates can be blocked and signatures for releases remain unsigned.

Arch linux pacman can update over tor and S76 firmware is available for Arch. Perhaps substituting Fedora with Arch and then building Whonix KVM can approach the security of Qubes. If anyone has security architecture suggestions or knows the answer to the whonix-installer error, please let me know.

This is the right place for a bug report, right? Where do I find user and debug log?

2

I don’t know what you’re trying to di but you “cannot make it Kicksecure with Whonix”. That makes no sense.

Boxes? GNOME Boxes - Wikipedia?

Using nested virtualization?
(Nested Virtualization - Kicksecure)

So you’re using Debian and want to install Whonix?

Can you manually use sudo yet? If not, this might help: Debian Host Operating System Tips chapter sudoers in Kicksecure wiki

Some type of “run as root” utility (sudo, su, doas) needs to be functional. The Whonix installer might not have good error notification yet in case no run as root utility is functional. We’ll check the script and improve that. However, all we could do is tell “you need functional sudo, su or doas”.

In other words, the original cause might not be a situation that can (or should) be fixed by Whonix installer and needs to be fixed by the system administrator.

3

Thanks. I think you figured it out through context. A.I.s can’t do that. Perhaps I don’t have the precise nomenclature all worked out. Just Turing testing.
Yes, I did distribution morphing from Debian to Kicksecure as per instructions. Kicksecure iso and whonix iso are still being developed. Then I wanted to install Whonix on the Debian into Kicksecure morphing. You misinterpreted the preposition “with” at first. The instructions specify making sudo. I followed the instructions. Then after it did not work, I reported the error. I tried installing Whonix on the (morphed) Kicksecure both as root (su) and sudo and the same error message occurred. Sudo and su function just fine with other commands. That doesn’t seem to be the problem from where I stand. And why doesn’t onion curl work when onion updating does? This is a persistent difficulty I encounter. How could malicious exit nodes be selected for every tor installation I make?

4

No. That is definitely not the solution.
‘the user X is already a member of sudo’
I think there is some kind of bot that finds every forum I ask questions of and replies that I am stupid and/or go to a different forum. This is the right forum. Whonix dot org provides instructions about distribution morphing. Qubes related questions are a subforum of this forum (check your own forum). I’m not sure how to cross-list into Qubes related but then again I am not talking about Qubes specifically and this is the right place for a support question. Debain was morphed correctly as far as I can tell but Whonix is not installing in the resulting Kicksecure. Kicksecure looks the same as Debian right? The sources are modified and other security features have been upgraded but it appears the same, no? Nope. Mysteries remain and I am not stupid and this is the right place.

5

This is confusing. That’s just Kicksecure.

More confusing.

Downloading over onion requires an already functional system Tor.

Documentation doesn’t state yet that torsocks needs to be installed.

Kicksecure’s APT configuration is torified but other than that, Kicksecure doesn’t have Tor integration. Now that we discuss this, Kicksecure higher than 16.0.9.8 should come with torsocks installed by default to simplify that. Meanwhile, install torsocks:

sudo apt update
sudo apt install torsocks

In your case, Whonix isn’t installed using distribution morphing. It’s installed using Whonix Linux Installer.

That you’re using Kicksecure is good to know which might be relevant. So this is the correct forum.

When using onions, there are no Tor exit relays involved. This is a Tor feature and up to Tor only. Hence, malicious Tor exit relay issues doesn’t exist for onions. The onion server’s Tor entry guard is not likely to selectively stop this connection. No such reports ever.

I think the torsocks curl command fails for other reasons. Try test downloading from other onions, any from the command line. Probably same issue. In that case, that might be a Kicksecure issue.

A different sudo command must have gone wrong where we don’t have error handling. We’ll look into this in the near future.

But until then… In that case, please provide the full log.

The installer has a line saying:

Please include the user log and the debug log in your bug report.
(For file locations where to find these logs, see above.)

That should be by default in folder ~/installer-dist-download.

(Pasting Logs for Support applies to this forum.)

After we can look at the log, there’s a good chance there’s more information what exactly is failing.

6

Very good. Thanks, Patrick.

Tor exit issues aren’t a problem for onion: good to know. Nearly every https I navigate to on tor returns with ‘insecure connection’ (and I don’t ever agree to the slasher) but you’re right that does not happen with onions. Too bad every site isn’t onioned! Someday maybe.

I thought about torsocks also but it is already installed and the newest version. What is happening appears similar to what was going on in a Debian that I had installed on another device. I brought it up on Debian forums (user Fasterandfaster) under the topic tor + http Security Updates. The furthest I got to reaching a conclusion was that it perhaps had to do with stream isolation and onion updates could get blocked otherwise. But I’m still not sure about the solution.

The ‘pasting for support’ link says it’s ok to provide long logs. I am not sure if I understand what else is preferred in terms of formatting, however. I found twelve folders with debug logs. I think those are re-tries or reiterations. Here is the debug log. I added spaces to bust up the links because the forum won’t allow posted links, so that is an edit of the log not in the log itself.

+ xtrace=1
+ touch /home/dkwx/installer-dist-download/logs/12/debug.log
+ test -f /home/dkwx/installer-dist-download/logs/12/debug.log
+ test notice = debug
+ true 'tail -f /home/dkwx/installer-dist-download/logs/12/user.log >&3 &'
+ tail_pid=1965
+ tail -f /home/dkwx/installer-dist-download/logs/12/user.log
+ get_utilities
+ true
+ has sha512sum
++ command -v sha512sum
+ _cmd=/usr/bin/sha512sum
+ '[' -x /usr/bin/sha512sum ']'
+ checkhash=sha512sum
+ break
+ transfer_utility=rsync
+ case "${transfer_utility}" in
+ rsync=1
+ transfer_max_time_large_file=2700
+ transfer_max_time_small_file=180
+ transfer_io_timeout=600
+ transfer_connect_timeout=180
+ transfer_size_test_connection=200K
+ transfer_size_small_file=2K
+ transfer_size_large_file=3G
+ case ${transfer_utility} in
+ transfer_io_timeout_opt='--timeout 600'
+ transfer_size_opt=--max-size
+ transfer_dryrun_opt=--dry-run
+ transfer_output_dir_opt=
+ transfer_output_file_opt=
+ transfer_verbosity_opt='--no-motd --progress --verbose --verbose'
+ transfer_speed_optimization_opt='--compress --partial'
+ true
+ has sudo
++ command -v sudo
+ _cmd=/usr/bin/sudo
+ '[' -x /usr/bin/sudo ']'
+ sucmd=sudo
+ break
+ log info 'Testing root login'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ root_cmd echo 'Succesfull root login'
+ test -z echo
+ case "${sucmd}" in
+ log_run sudo -- echo 'Succesfull root login'
++ echo sudo -- echo 'Succesfull root login'
++ tr -s ' '
+ command_without_extrarenous_spaces='sudo -- echo Succesfull root login'
+ test '' = 1
+ log notice 'Executing: $ sudo -- echo Succesfull root login'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ sudo -- echo 'Succesfull root login'
+ get_download_links
+ site_clearnet_whonix=whonix .org
+ site_onion_whonix= dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd .onion
+ site_clearnet_kicksecure= kicksecure .com
+ site_onion_kicksecure =w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd  .onion
+ case "${guest}" in
+ site_clearnet=whonix  .org
+ site_onion=dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.  onion
+ case "${mirror}" in
+ site_download_clearnet=mirrors.dotsrc .org/whonix
+ site_download_onion=dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd .onion/whonix
+ case "${transfer_utility}" in
+ protocol_prefix_clearnet=rsync
+ protocol_prefix_onion=rsync
+ url_download_clearnet=rsync://mirrors.dotsrc .org/whonix
+ url_download_onion=rsync://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd. onion/whonix
+ case "${onion}" in
+ log info 'Clearnet preferred.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test rsync = rsync
+ transfer_utility=rsync-ssl
+ test -n ''
+ curl_opt_ssl='--tlsv1.3 --proto =https'
+ url_origin=rsync://www.whonix.org
+ url_download=rsync://mirrors. dot src .org/ whonix
+ url_version_domain=https:// www .whonix .org
+ case "${hypervisor}" in
+ test '' = 1
+ url_version_template=VersionNew
+ signify_key='untrusted comment: Patrick Schleizer adrelanos @ whonix .org signify public key
RWQ6KRormNEETq+M8IysxRe/HAWlqZRlO8u7ACIiv5poAW0ztsirOjCQ'
+ url_domain=rsync: //mirrors. dotsrc .org /whonix/ ova
+ guest_file_ext=ova
+ url_version_prefix='w/index.php?title=Template:'
+ url_version_suffix='&stable=0&action=raw'
+ url_version='https:// www .whonix .org/w/index.php?title=Template:VersionNew&stable=0&action=raw'
+ main
+ log notice 'Saving user log to: '\''/home/dkwx/installer-dist-download/logs/12/user.log'\''.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test -f /home/dkwx/installer-dist-download/logs/12/debug.log
+ log notice 'Saving debug log to: '\''/home/dkwx/installer-dist-download/logs/12/debug.log'\''.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ log info 'Starting main function.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
++ capitalize_first_char whonix
++ echo whonix
++ awk '{$1=toupper(substr($1,0,1))substr($1,2)}1'
+ guest_pretty=Whonix
++ capitalize_first_char xfce
++ echo xfce
++ awk '{$1=toupper(substr($1,0,1))substr($1,2)}1'
+ interface_pretty=Xfce
++ echo xfce
++ tr '[:lower:]' '[:upper:]'
+ interface_all_caps=XFCE
++ capitalize_first_char virtualbox
++ echo virtualbox
++ awk '{$1=toupper(substr($1,0,1))substr($1,2)}1'
+ hypervisor_pretty=Virtualbox
+ log info 'Parsed options:'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  directory_prefix="/home/dkwx/installer-dist-download"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  guest="whonix"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  hypervisor="virtualbox"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  interface="xfce"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  log_level="notice"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ log notice 'Whonix Xfce for Virtualbox Installer.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test '' '!=' 1
+ log notice 'If you wish to cancel installation, press Ctrl+C.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ check_license
+ '[' '' = 1 ']'
+ log notice 'The license will be show in some seconds.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test '' '!=' 1
+ sleep 6
+ true
+ has dialog
++ command -v dialog
+ _cmd=
+ return 1
+ has whiptail
++ command -v whiptail
+ _cmd=/usr/bin/whiptail
+ '[' -x /usr/bin/whiptail ']'
+ dialog_box=whiptail
+ break
+ case "${dialog_box}" in
+ whiptail --scrolltext --title 'License agreement (scroll with arrows)' --yes-button Agree --no-button Disagree --yesno '
Please do NOT continue unless you understand everything!
 DISCLAIMER OF WARRANTY.
 .
 THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED,
 INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
 PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY.  THE PROGRAM IS BEING
 DELIVERED OR MADE AVAILABLE '\''AS IS'\'', '\''WITH ALL FAULTS'\'' AND WITHOUT WARRANTY OR
 REPRESENTATION.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
 PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
 .
 LIMITATION OF LIABILITY.
 .
 UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY
 OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE
 LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY
 DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL,
 INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH
 THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
 INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
 PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER
 OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH
 DAMAGES COULD HAVE BEEN FORESEEN.
 .
 INDEMNIFICATION.
 .
 IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT
 OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK,
 YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND
 AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF
 ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE
 ATTORNEYS'\'' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR
 IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
' 24 80
+ log notice 'User agreed with the license.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ pre_check
+ get_os
++ uname -s
+ os=Linux
++ uname -r
+ kernel=5.10.0-21-amd64
++ uname -m
+ arch=x86_64
+ distro=
+ distro_version=
+ case ${os} in
+ test -f /usr/share/kicksecure/marker
+ test -f /usr/share/whonix/marker
+ has lsb_release
++ command -v lsb_release
+ _cmd=/usr/bin/lsb_release
+ '[' -x /usr/bin/lsb_release ']'
++ lsb_release -sd
+ distro='Debian GNU/Linux 11 (bullseye)'
++ lsb_release -sc
+ distro_version=bullseye
+ distro='Debian GNU/Linux 11 (bullseye)'
+ distro='Debian GNU/Linux 11 (bullseye)'
+ case ${PATH} in
+ '[' '' ']'
+ '[' -z 5.10.0-21-amd64 ']'
+ '[' -z bullseye ']'
++ echo bullseye
++ tr -d .
+ distro_version_without_dot=bullseye
+ log notice 'Detected system: Debian GNU/Linux 11 (bullseye) bullseye.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ log notice 'Detected CPU architecture: x86_64.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ get_system_stat
+ '[' x86_64 '!=' x86_64 ']'
+ case "${interface}" in
+ min_ram_mb=3328
++ awk '/MemTotal/{print $2}' /proc/meminfo
+ total_mem_kB=7735508
+ total_mem=7735
+ '[' 7735 -lt 4200 ']'
++ df --output=avail -BG /home/dkwx/installer-dist-download
++ awk '/G$/{print substr($1, 1, length($1)-1)}'
+ free_space=10
+ '[' 10 -lt 10 ']'
+ get_host_pkgs
+ case "${os}" in
+ case "${distro}" in
+ true 'Debian GNU/Linux 11 (bullseye)'
+ install_package_debian_common
+ pkg_mngr=apt-get
+ pkg_mngr_install='apt-get install --yes'
+ pkg_mngr_update='apt-get update --yes --error-on=any'
+ pkg_mngr_check_installed='dpkg -s'
++ dpkg --audit
+ dpkg_audit_output=
+ test -n ''
+ install_pkg netcat-openbsd
+ pkgs=netcat-openbsd
+ pkg_not_installed=
+ for pkg in ${pkgs}
+ has netcat-openbsd
++ command -v netcat-openbsd
+ _cmd=
+ return 1
+ dpkg -s netcat-openbsd
+ pkg_not_installed=' netcat-openbsd'
+ test -n ' netcat-openbsd'
+ test '' = 1
+ log notice 'Updating package list.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ root_cmd apt-get update --yes --error-on=any
+ test -z apt-get
+ case "${sucmd}" in
+ log_run sudo -- apt-get update --yes --error-on=any
++ echo sudo -- apt-get update --yes --error-on=any
++ tr -s ' '
+ command_without_extrarenous_spaces='sudo -- apt-get update --yes --error-on=any'
+ test '' = 1
+ log notice 'Executing: $ sudo -- apt-get update --yes --error-on=any'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ sudo -- apt-get update --yes --error-on=any
+ return 1
++ handle_exit 1 176
++ true 'BEGIN handle_exit() with args: 1 176'
++ last_exit=1
++ line_number=176
++ log_time
+++ get_elapsed_time
++++ date +%s
+++ printf '%s\n' 18
++ log info 'Elapsed time: 18s.'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ test 1 = 0
++ test 1 = 106
++ test 1 = 107
++ log notice 'Current script: ./whonix-installer-xfce'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ test -n 'return 1'
++ log notice 'Function executed: root_cmd'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ log notice 'Command executed: return 1'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ test 176 -gt 2
++ log error 'Error detected. Installer aborted.'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace

------------------------------------- user log ------------------------------------

whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Executing: $ sudo -- echo Succesfull root login
Succesfull root login
whonix-installer-xfce: [e[1me[35mWARNe[0m]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [e[1me[35mWARNe[0m]: Trying tor defaults: TBB (9150) and system tor (9050).
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Unexpected proxy response, maybe not a tor proxy?
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Unexpected proxy response, maybe not a tor proxy?
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Can't connect to SOCKS proxy.
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Aborting installer.
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Current script: ./whonix-installer-xfce
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Function executed: die
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Command executed: exit "${1}"
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Exit code: 2.
7

There are actually different issues here. The debug log doesn’t match the user log. But that doesn’t matter. I am going to address both.

The following will be the improved error message in that case once the new installer version goes live.

installer-dist: [WARN]: Missing SOCKS proxy for torified connections.
installer-dist: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
installer-dist: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9050.
installer-dist: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9050 rsync --dry-run rsync://127.0.0.1:9050’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘rsync: [Receiver] failed to connect to 127.0.0.1 (127.0.0.1): Connection refused (111)’
    installer-dist: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9150.
    installer-dist: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9150 rsync --dry-run rsync://127.0.0.1:9150’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘rsync: [Receiver] failed to connect to 127.0.0.1 (127.0.0.1): Connection refused (111)’
    installer-dist: [ERROR]: Cannot connect to Tor SOCKS proxy.
  • This issue is most likely not caused by this installer.
  • This issue is likely caused by a missing software, configuration or network issues.

Note, that for torification of connections an already functional Tor connection is required.

  • A) An already installed and running system Tor (little-t-tor). Or,
  • B) An already installed and running TBB (Tor Browser Bundle).

This installer cannot help to set up a functional Tor connection. This must be done by the system administrator.

When manually running above cmd_check_proxy it needs to include the expected_response_header.
installer-dist: [ERROR]: Aborting installer.

Does that help?

Currently due to another bug that I fixed just now, only system Tor can be automatically detected. If TBB is running, that won’t work unless configuring the SOCKS proxy on the command line.

I’ll let you know once the next Whonix Linux Installer version has been uploaded. (Not that it will help much since you’re having system configuration issues most likely. Nothing that the installer can fix. Just better SOCKS auto detection and better error messages.)

More answers from me upcoming soonish.

8

This is a different issue. The improved error message will be:

installer-dist: [ERROR]: Could not update package lists.
- This issue is most likely not caused by this installer.
- This is most likely a package manager configuration or network issue.

This is the command which the installer has just run that failed:

sudo -- apt-get update --yes --error-on=any

The user is advised to attempt to debug this.

1. Run above command.

2. If there is an issue, use search engines, documentation and if needed contract the support of
   your operating system.

3. Once this has been fixed fixed, re-run this installer.
installer-dist: [ERROR]: Aborting installer.

Does that help?

9

minor: File /usr/share/kicksecure/marker does not exist. Therefore Kicksecure was not detected. Most likely Kicksecure isn’t installed. Debian was detected. Not Kicksecure. But that doesn’t make a difference except that if Kicksecure was installed, the tor package would already be installed.
(Whonix Linux Installer doesn’t check yet if the tor package is installed.)

10

As for logs, please wrap them into.

```

text

```

Upgraded your just now account. You can post links now.
(background: Posting Links for New Users)

That is a big issue. It rarely happens to me. The Tor Project actively scans for Tor exit relays attempting malicious traffic modifications and attempting to strip https. Once found, such relays are banned. Therefore shouldn’t happen a lot.

Therefore this could be an indication of general system issues. Unrelated to Whonix Linux Installer. But such system issues would likely also break Whonix Linux Installer.

Check your time and date. Should be reasonably correct +/- 30 minutes. Otherwise, specifically if wrong several days, you’ll get tons of https and other verification errors.

The log folders are iterative. Lowest number is log of first run. Highest number is log of last run.

11

Also unrelated new bug:

12
  • Dependency issue fixed. (You didn’t experience that one yet.)
  • Better error messages.
  • But doesn’t (won’t attempt to and conceptually shouldn’t) attempt to fix any general system configuration issues.
13

Thanks Patrick for making the installation process accessible to beginners as well. Others can learn from this also. From what I understand, tor is not an exclusively elite project since the more people involved only makes the anonymity stronger. I am not certain what is difference between system tor and TBB. From my experience with tor on Debian, I found that ‘systemctl tor.service’ can be started but .onion sources will not update unless TBB is running.

[I got interested in Nyx to understand more about tor configurations and I think there should be a guide about Nyx if there isn’t one somewhere I couldn’t find.]

I did not have TBB installed on the virtualized system I am working on currently, just tor and torsocks. Now I installed TBB and ran the command you suggested.

Here is the result from terminal with TBB running in the background:
. . .
dkwx@deb:~$ sudo – apt-get update --yes --error-on=any
[sudo] password for dkwx:
Hit:1 tor+https://deb.debian.org/debian bullseye InRelease
Get:2 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease [12.9 kB]
Err:2 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY C47F8A8AAD743EF7
Get:3 tor+https://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 tor+https://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:5 tor+https://deb.debian.org/debian bullseye-backports InRelease [49.0 kB]
Get:6 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages.diff/Index [63.3 kB]
Get:7 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages T-2023-03-18-1410.53-F-2023-03-17-0204.57.pdiff [2,552 B]
Get:8 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye InRelease [39.7 kB]
Get:7 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages T-2023-03-18-1410.53-F-2023-03-17-0204.57.pdiff [2,552 B]
Get:9 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/main amd64 Packages [48.6 kB]
Get:10 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/contrib amd64 Packages [511 B]
Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/non-free amd64 Packages [1,578 B]
Reading package lists… Done
W: GPG error: tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY C47F8A8AAD743EF7
E: The repository ‘tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Release file for tor+https://deb.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 1h 42min 37s). Updates for this repository will not be applied.
. . .

I have found the “invalid for another X hrs” message several times before. There are also the “timed out” “404 not found” and “InRelease not signed” error messages which occur from time to time. At other times, .onion sources download perfectly. I’m not sure why this happens. The “invalid for X hrs” message is new to me. I have described these errors in Debian forums and Tor forums (user Fasterandfaster and Strongerandstronger respectively) but never found a satisfactory response.

I will continue working on trying to make the installation work and let you know what I find out. Thanks for developing the installer further.

14

This is not supposed to be happening.
The fasttrack repository was added but fasttrack-archive-keyring was not downloaded, thus it says it can’t verify the signature.

 sudo apt install fasttrack-archive-keyring
1 Like
15

I re-installed the keyring and then ran the update. There’s the same error message with “invalid for another” several hours (between 3 to 6 hrs) and the hours always change strangely and not according to the expected time elapsed since last the command was run.

I have given the virtual machine 7.5 G of memory and tried reinstalling with 10 G but Boxes won’t allow that. Here is the result:
. . .
whonix-installer-xfce: [ERROR]: You need at least 10G of available space, you only have 9G.
whonix-installer-xfce: [ERROR]: Aborting installer.
whonix-installer-xfce: [NOTICE]: Current script: ./whonix-installer-xfce
whonix-installer-xfce: [NOTICE]: Function executed: die
whonix-installer-xfce: [NOTICE]: Command executed: exit “${1}”
whonix-installer-xfce: [ERROR]: Exit code: 101.
. . .
9G is not 7.5G of memory with 20G available to the virtual disk. So, actually, it must not be the parameters of the VM.

16

The installer’s free disk space check determines that by essentially running the following command:

df --output=avail -BG ~/installer-dist-download

Please try to run that command manually.

Expected output:

Avail
  9G

Which means there’s only 9G disk space available which is insufficient.

Check your system date/clock. If more than 30 minutes slow or fast you will keep running into issues.

Which VM?

How? What do you mean?

Boxes?

The installer doesn’t look at sizes of any installed VMs. Only at the total available disk space. It does so with above command.

17

Yes, the installer is correct. That command provided the same result. I think I need to add the amount Kicksecure (?G) requires plus Whonix (10G) and install Debian in a new VM with the total value.

The system time is correct. Almost exactly according to NIST (time.gov), so definitely not outside of +/- 30 min. I can’t install other applications also because of the “invalid for X hrs” and “is not gpg signed” error messages and it remains invalid for another several hours after I try again and I do not know how to sign the InRelease. I hypothesize that there is an advanced way of disrupting updates. On Qubes, saltmgmt was rendered inoperable and I have encountered disruptions of .onion in multiple systems that utilize the method of updates over tor (TAILS, Qubes, Debian onion repositories).

Yes, I am using Gnu Boxes on Fedora to virtualize. Whonix on Oracle Virtual Box works very well. But I thought it would be interesting to try Boxes because it is KVM/QEMU which is not proprietary like Oracle. So my design goal was to virtualize Whonix like Qubes does. In this system, there is not Xen and Dom0 but there is a virtualization barrier and the optimizations of Kicksecure. Maybe the newest version of Qubes 4.1.2 will be compatible with my hardware, but virtualizing Kiscksecure might have its own virtues which can be done on Qubes anyway so it is good to learn how to install Whonix on Kicksecure regardless.

18

I think there there might be a bit of unsupported mixing going on here.

Qubes as a host operating system:

do:

  • If you use Qubes as a host operating system with a Debian Template you can (clone and) morph this Template into Kicksecure. → Kicksecure for Qubes
  • If you use Qubes as a host operating system and want to use Whonix, then use Qubes-Whonix. → Qubes-Whonix Overview
  • That’s it. Nothing else.

not do:

Debian (or other Linux) as a host operating system:

do:

This is not the root cause. This is conceptually wrong. These files are not supposed to be signed by the user. And if so, that defeats the point and would be insecure. This isn’t the root cause.

This is the root cause. Is the date correct? Check in UTC.

date --utc

Your date might be wrong because you think it’s a different date format where month and day is swapped?

You most likely need to find support for this elsewhere because I am running out of ideas. → Free Support for Whonix

At time of writing, this virtualizer is unsupported. → Undocumented, Untested or Unsupported Features

Won’t work. This requires developer skills.

Kicksecure is available for download as VM for VirtualBox. → Kicksecure for Windows, macOS, Linux inside VirtualBox (And KVM.) It can run on any host operating system supported by VirtualBox, usually Windows, Mac, Linux, Debian, Kicksecure.
(On the “AMD64” platform which means “Intel and AMD.”)

This is generally simple. Kicksecure runs on hardware. Then install Whonix normally as per instructions. Do not mix Qubes into this as it is not designed for this and won’t work.

And in case you’re thinking, “I want Qubes-Whonix mixed with Kicksecure”, don’t. Unnecessary. (Qubes-)Whonix is already based on Kicksecure.

1 Like
19

Ok. Very clear. I am doing my best to work within hardware constraints since as of the time of writing, Qubes was not entirely compatible.

That being said, I have not found support elsewhere in Debian or Qubes forums where I have raised similar questions. There is a way of disrupting updates. I have the correct time:
. . .
X@deb:~$ date --utc
Mon 20 Mar 2023 [correct time] AM UTC
. . .
Thanks for clarifying:

I don’t know why anyone would want a Kicksecure template in Qubes, then.

I was not aware that the code is tailored to specific virtualizers. I was thinking that since KVM is supported and GnuBoxes is KVM/QEMU, then it wouldn’t be too dissimilar. But now I understand that the software is very specific and that is why there is the differentiation between supported and unsupported.

Thanks for answering all these questions. I will restate that there must be a vulnerability in updates over tor. I haven’t been precise enough to be persuasive here (e.g. I am not signing gpg, for some reason the system can’t find the gpg signatures for the release) but I recognize that must be a phenomenon that does not effect enough people in the software community for ready answers to be available. Yes, it is ideal to follow the prescribed methodology and developer models.

Thanks!

20

Kicksecure is a hardened version of Debian.