Whonix-installer error line 176 (Kicksecure Whonix, updates over tor, and S76 HCL)

Support
6

Very good. Thanks, Patrick.

Tor exit issues aren’t a problem for onion: good to know. Nearly every https I navigate to on tor returns with ‘insecure connection’ (and I don’t ever agree to the slasher) but you’re right that does not happen with onions. Too bad every site isn’t onioned! Someday maybe.

I thought about torsocks also but it is already installed and the newest version. What is happening appears similar to what was going on in a Debian that I had installed on another device. I brought it up on Debian forums (user Fasterandfaster) under the topic tor + http Security Updates. The furthest I got to reaching a conclusion was that it perhaps had to do with stream isolation and onion updates could get blocked otherwise. But I’m still not sure about the solution.

The ‘pasting for support’ link says it’s ok to provide long logs. I am not sure if I understand what else is preferred in terms of formatting, however. I found twelve folders with debug logs. I think those are re-tries or reiterations. Here is the debug log. I added spaces to bust up the links because the forum won’t allow posted links, so that is an edit of the log not in the log itself.

+ xtrace=1
+ touch /home/dkwx/installer-dist-download/logs/12/debug.log
+ test -f /home/dkwx/installer-dist-download/logs/12/debug.log
+ test notice = debug
+ true 'tail -f /home/dkwx/installer-dist-download/logs/12/user.log >&3 &'
+ tail_pid=1965
+ tail -f /home/dkwx/installer-dist-download/logs/12/user.log
+ get_utilities
+ true
+ has sha512sum
++ command -v sha512sum
+ _cmd=/usr/bin/sha512sum
+ '[' -x /usr/bin/sha512sum ']'
+ checkhash=sha512sum
+ break
+ transfer_utility=rsync
+ case "${transfer_utility}" in
+ rsync=1
+ transfer_max_time_large_file=2700
+ transfer_max_time_small_file=180
+ transfer_io_timeout=600
+ transfer_connect_timeout=180
+ transfer_size_test_connection=200K
+ transfer_size_small_file=2K
+ transfer_size_large_file=3G
+ case ${transfer_utility} in
+ transfer_io_timeout_opt='--timeout 600'
+ transfer_size_opt=--max-size
+ transfer_dryrun_opt=--dry-run
+ transfer_output_dir_opt=
+ transfer_output_file_opt=
+ transfer_verbosity_opt='--no-motd --progress --verbose --verbose'
+ transfer_speed_optimization_opt='--compress --partial'
+ true
+ has sudo
++ command -v sudo
+ _cmd=/usr/bin/sudo
+ '[' -x /usr/bin/sudo ']'
+ sucmd=sudo
+ break
+ log info 'Testing root login'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ root_cmd echo 'Succesfull root login'
+ test -z echo
+ case "${sucmd}" in
+ log_run sudo -- echo 'Succesfull root login'
++ echo sudo -- echo 'Succesfull root login'
++ tr -s ' '
+ command_without_extrarenous_spaces='sudo -- echo Succesfull root login'
+ test '' = 1
+ log notice 'Executing: $ sudo -- echo Succesfull root login'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ sudo -- echo 'Succesfull root login'
+ get_download_links
+ site_clearnet_whonix=whonix .org
+ site_onion_whonix= dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd .onion
+ site_clearnet_kicksecure= kicksecure .com
+ site_onion_kicksecure =w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd  .onion
+ case "${guest}" in
+ site_clearnet=whonix  .org
+ site_onion=dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.  onion
+ case "${mirror}" in
+ site_download_clearnet=mirrors.dotsrc .org/whonix
+ site_download_onion=dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd .onion/whonix
+ case "${transfer_utility}" in
+ protocol_prefix_clearnet=rsync
+ protocol_prefix_onion=rsync
+ url_download_clearnet=rsync://mirrors.dotsrc .org/whonix
+ url_download_onion=rsync://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd. onion/whonix
+ case "${onion}" in
+ log info 'Clearnet preferred.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test rsync = rsync
+ transfer_utility=rsync-ssl
+ test -n ''
+ curl_opt_ssl='--tlsv1.3 --proto =https'
+ url_origin=rsync://www.whonix.org
+ url_download=rsync://mirrors. dot src .org/ whonix
+ url_version_domain=https:// www .whonix .org
+ case "${hypervisor}" in
+ test '' = 1
+ url_version_template=VersionNew
+ signify_key='untrusted comment: Patrick Schleizer adrelanos @ whonix .org signify public key
RWQ6KRormNEETq+M8IysxRe/HAWlqZRlO8u7ACIiv5poAW0ztsirOjCQ'
+ url_domain=rsync: //mirrors. dotsrc .org /whonix/ ova
+ guest_file_ext=ova
+ url_version_prefix='w/index.php?title=Template:'
+ url_version_suffix='&stable=0&action=raw'
+ url_version='https:// www .whonix .org/w/index.php?title=Template:VersionNew&stable=0&action=raw'
+ main
+ log notice 'Saving user log to: '\''/home/dkwx/installer-dist-download/logs/12/user.log'\''.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test -f /home/dkwx/installer-dist-download/logs/12/debug.log
+ log notice 'Saving debug log to: '\''/home/dkwx/installer-dist-download/logs/12/debug.log'\''.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ log info 'Starting main function.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
++ capitalize_first_char whonix
++ echo whonix
++ awk '{$1=toupper(substr($1,0,1))substr($1,2)}1'
+ guest_pretty=Whonix
++ capitalize_first_char xfce
++ echo xfce
++ awk '{$1=toupper(substr($1,0,1))substr($1,2)}1'
+ interface_pretty=Xfce
++ echo xfce
++ tr '[:lower:]' '[:upper:]'
+ interface_all_caps=XFCE
++ capitalize_first_char virtualbox
++ echo virtualbox
++ awk '{$1=toupper(substr($1,0,1))substr($1,2)}1'
+ hypervisor_pretty=Virtualbox
+ log info 'Parsed options:'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  directory_prefix="/home/dkwx/installer-dist-download"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  guest="whonix"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  hypervisor="virtualbox"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  interface="xfce"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ for item in ${arg_saved}
+ log info '  log_level="notice"'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ log notice 'Whonix Xfce for Virtualbox Installer.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test '' '!=' 1
+ log notice 'If you wish to cancel installation, press Ctrl+C.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ check_license
+ '[' '' = 1 ']'
+ log notice 'The license will be show in some seconds.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ test '' '!=' 1
+ sleep 6
+ true
+ has dialog
++ command -v dialog
+ _cmd=
+ return 1
+ has whiptail
++ command -v whiptail
+ _cmd=/usr/bin/whiptail
+ '[' -x /usr/bin/whiptail ']'
+ dialog_box=whiptail
+ break
+ case "${dialog_box}" in
+ whiptail --scrolltext --title 'License agreement (scroll with arrows)' --yes-button Agree --no-button Disagree --yesno '
Please do NOT continue unless you understand everything!
 DISCLAIMER OF WARRANTY.
 .
 THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED,
 INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
 PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY.  THE PROGRAM IS BEING
 DELIVERED OR MADE AVAILABLE '\''AS IS'\'', '\''WITH ALL FAULTS'\'' AND WITHOUT WARRANTY OR
 REPRESENTATION.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
 PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
 .
 LIMITATION OF LIABILITY.
 .
 UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY
 OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE
 LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY
 DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL,
 INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH
 THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
 INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
 PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER
 OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH
 DAMAGES COULD HAVE BEEN FORESEEN.
 .
 INDEMNIFICATION.
 .
 IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT
 OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK,
 YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND
 AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF
 ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE
 ATTORNEYS'\'' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR
 IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
' 24 80
+ log notice 'User agreed with the license.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ pre_check
+ get_os
++ uname -s
+ os=Linux
++ uname -r
+ kernel=5.10.0-21-amd64
++ uname -m
+ arch=x86_64
+ distro=
+ distro_version=
+ case ${os} in
+ test -f /usr/share/kicksecure/marker
+ test -f /usr/share/whonix/marker
+ has lsb_release
++ command -v lsb_release
+ _cmd=/usr/bin/lsb_release
+ '[' -x /usr/bin/lsb_release ']'
++ lsb_release -sd
+ distro='Debian GNU/Linux 11 (bullseye)'
++ lsb_release -sc
+ distro_version=bullseye
+ distro='Debian GNU/Linux 11 (bullseye)'
+ distro='Debian GNU/Linux 11 (bullseye)'
+ case ${PATH} in
+ '[' '' ']'
+ '[' -z 5.10.0-21-amd64 ']'
+ '[' -z bullseye ']'
++ echo bullseye
++ tr -d .
+ distro_version_without_dot=bullseye
+ log notice 'Detected system: Debian GNU/Linux 11 (bullseye) bullseye.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ log notice 'Detected CPU architecture: x86_64.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ get_system_stat
+ '[' x86_64 '!=' x86_64 ']'
+ case "${interface}" in
+ min_ram_mb=3328
++ awk '/MemTotal/{print $2}' /proc/meminfo
+ total_mem_kB=7735508
+ total_mem=7735
+ '[' 7735 -lt 4200 ']'
++ df --output=avail -BG /home/dkwx/installer-dist-download
++ awk '/G$/{print substr($1, 1, length($1)-1)}'
+ free_space=10
+ '[' 10 -lt 10 ']'
+ get_host_pkgs
+ case "${os}" in
+ case "${distro}" in
+ true 'Debian GNU/Linux 11 (bullseye)'
+ install_package_debian_common
+ pkg_mngr=apt-get
+ pkg_mngr_install='apt-get install --yes'
+ pkg_mngr_update='apt-get update --yes --error-on=any'
+ pkg_mngr_check_installed='dpkg -s'
++ dpkg --audit
+ dpkg_audit_output=
+ test -n ''
+ install_pkg netcat-openbsd
+ pkgs=netcat-openbsd
+ pkg_not_installed=
+ for pkg in ${pkgs}
+ has netcat-openbsd
++ command -v netcat-openbsd
+ _cmd=
+ return 1
+ dpkg -s netcat-openbsd
+ pkg_not_installed=' netcat-openbsd'
+ test -n ' netcat-openbsd'
+ test '' = 1
+ log notice 'Updating package list.'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ root_cmd apt-get update --yes --error-on=any
+ test -z apt-get
+ case "${sucmd}" in
+ log_run sudo -- apt-get update --yes --error-on=any
++ echo sudo -- apt-get update --yes --error-on=any
++ tr -s ' '
+ command_without_extrarenous_spaces='sudo -- apt-get update --yes --error-on=any'
+ test '' = 1
+ log notice 'Executing: $ sudo -- apt-get update --yes --error-on=any'
+ test 1 = 1
+ true 'Removing xtrace for log() function.'
+ set +o xtrace
+ sudo -- apt-get update --yes --error-on=any
+ return 1
++ handle_exit 1 176
++ true 'BEGIN handle_exit() with args: 1 176'
++ last_exit=1
++ line_number=176
++ log_time
+++ get_elapsed_time
++++ date +%s
+++ printf '%s\n' 18
++ log info 'Elapsed time: 18s.'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ test 1 = 0
++ test 1 = 106
++ test 1 = 107
++ log notice 'Current script: ./whonix-installer-xfce'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ test -n 'return 1'
++ log notice 'Function executed: root_cmd'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ log notice 'Command executed: return 1'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace
++ test 176 -gt 2
++ log error 'Error detected. Installer aborted.'
++ test 1 = 1
++ true 'Removing xtrace for log() function.'
++ set +o xtrace

------------------------------------- user log ------------------------------------

whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Executing: $ sudo -- echo Succesfull root login
Succesfull root login
whonix-installer-xfce: [e[1me[35mWARNe[0m]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [e[1me[35mWARNe[0m]: Trying tor defaults: TBB (9150) and system tor (9050).
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Unexpected proxy response, maybe not a tor proxy?
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Unexpected proxy response, maybe not a tor proxy?
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Can't connect to SOCKS proxy.
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Aborting installer.
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Current script: ./whonix-installer-xfce
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Function executed: die
whonix-installer-xfce: [e[1me[32mNOTICEe[0m]: Command executed: exit "${1}"
whonix-installer-xfce: [e[1me[31mERRORe[0m]: Exit code: 2.
7

There are actually different issues here. The debug log doesn’t match the user log. But that doesn’t matter. I am going to address both.

The following will be the improved error message in that case once the new installer version goes live.

installer-dist: [WARN]: Missing SOCKS proxy for torified connections.
installer-dist: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
installer-dist: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9050.
installer-dist: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9050 rsync --dry-run rsync://127.0.0.1:9050’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘rsync: [Receiver] failed to connect to 127.0.0.1 (127.0.0.1): Connection refused (111)’
    installer-dist: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9150.
    installer-dist: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9150 rsync --dry-run rsync://127.0.0.1:9150’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘rsync: [Receiver] failed to connect to 127.0.0.1 (127.0.0.1): Connection refused (111)’
    installer-dist: [ERROR]: Cannot connect to Tor SOCKS proxy.
  • This issue is most likely not caused by this installer.
  • This issue is likely caused by a missing software, configuration or network issues.

Note, that for torification of connections an already functional Tor connection is required.

  • A) An already installed and running system Tor (little-t-tor). Or,
  • B) An already installed and running TBB (Tor Browser Bundle).

This installer cannot help to set up a functional Tor connection. This must be done by the system administrator.

When manually running above cmd_check_proxy it needs to include the expected_response_header.
installer-dist: [ERROR]: Aborting installer.

Does that help?

Currently due to another bug that I fixed just now, only system Tor can be automatically detected. If TBB is running, that won’t work unless configuring the SOCKS proxy on the command line.

I’ll let you know once the next Whonix Linux Installer version has been uploaded. (Not that it will help much since you’re having system configuration issues most likely. Nothing that the installer can fix. Just better SOCKS auto detection and better error messages.)

More answers from me upcoming soonish.

8

This is a different issue. The improved error message will be:

installer-dist: [ERROR]: Could not update package lists.
- This issue is most likely not caused by this installer.
- This is most likely a package manager configuration or network issue.

This is the command which the installer has just run that failed:

sudo -- apt-get update --yes --error-on=any

The user is advised to attempt to debug this.

1. Run above command.

2. If there is an issue, use search engines, documentation and if needed contract the support of
   your operating system.

3. Once this has been fixed fixed, re-run this installer.
installer-dist: [ERROR]: Aborting installer.

Does that help?

9

minor: File /usr/share/kicksecure/marker does not exist. Therefore Kicksecure was not detected. Most likely Kicksecure isn’t installed. Debian was detected. Not Kicksecure. But that doesn’t make a difference except that if Kicksecure was installed, the tor package would already be installed.
(Whonix Linux Installer doesn’t check yet if the tor package is installed.)

10

As for logs, please wrap them into.

```

text

```

Upgraded your just now account. You can post links now.
(background: Posting Links for New Users)

That is a big issue. It rarely happens to me. The Tor Project actively scans for Tor exit relays attempting malicious traffic modifications and attempting to strip https. Once found, such relays are banned. Therefore shouldn’t happen a lot.

Therefore this could be an indication of general system issues. Unrelated to Whonix Linux Installer. But such system issues would likely also break Whonix Linux Installer.

Check your time and date. Should be reasonably correct +/- 30 minutes. Otherwise, specifically if wrong several days, you’ll get tons of https and other verification errors.

The log folders are iterative. Lowest number is log of first run. Highest number is log of last run.

11

Also unrelated new bug:

12
  • Dependency issue fixed. (You didn’t experience that one yet.)
  • Better error messages.
  • But doesn’t (won’t attempt to and conceptually shouldn’t) attempt to fix any general system configuration issues.
13

Thanks Patrick for making the installation process accessible to beginners as well. Others can learn from this also. From what I understand, tor is not an exclusively elite project since the more people involved only makes the anonymity stronger. I am not certain what is difference between system tor and TBB. From my experience with tor on Debian, I found that ‘systemctl tor.service’ can be started but .onion sources will not update unless TBB is running.

[I got interested in Nyx to understand more about tor configurations and I think there should be a guide about Nyx if there isn’t one somewhere I couldn’t find.]

I did not have TBB installed on the virtualized system I am working on currently, just tor and torsocks. Now I installed TBB and ran the command you suggested.

Here is the result from terminal with TBB running in the background:
. . .
dkwx@deb:~$ sudo – apt-get update --yes --error-on=any
[sudo] password for dkwx:
Hit:1 tor+https://deb.debian.org/debian bullseye InRelease
Get:2 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease [12.9 kB]
Err:2 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY C47F8A8AAD743EF7
Get:3 tor+https://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 tor+https://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:5 tor+https://deb.debian.org/debian bullseye-backports InRelease [49.0 kB]
Get:6 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages.diff/Index [63.3 kB]
Get:7 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages T-2023-03-18-1410.53-F-2023-03-17-0204.57.pdiff [2,552 B]
Get:8 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye InRelease [39.7 kB]
Get:7 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages T-2023-03-18-1410.53-F-2023-03-17-0204.57.pdiff [2,552 B]
Get:9 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/main amd64 Packages [48.6 kB]
Get:10 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/contrib amd64 Packages [511 B]
Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/non-free amd64 Packages [1,578 B]
Reading package lists… Done
W: GPG error: tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY C47F8A8AAD743EF7
E: The repository ‘tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Release file for tor+https://deb.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 1h 42min 37s). Updates for this repository will not be applied.
. . .

I have found the “invalid for another X hrs” message several times before. There are also the “timed out” “404 not found” and “InRelease not signed” error messages which occur from time to time. At other times, .onion sources download perfectly. I’m not sure why this happens. The “invalid for X hrs” message is new to me. I have described these errors in Debian forums and Tor forums (user Fasterandfaster and Strongerandstronger respectively) but never found a satisfactory response.

I will continue working on trying to make the installation work and let you know what I find out. Thanks for developing the installer further.

14

This is not supposed to be happening.
The fasttrack repository was added but fasttrack-archive-keyring was not downloaded, thus it says it can’t verify the signature.

 sudo apt install fasttrack-archive-keyring
1 Like
15

I re-installed the keyring and then ran the update. There’s the same error message with “invalid for another” several hours (between 3 to 6 hrs) and the hours always change strangely and not according to the expected time elapsed since last the command was run.

I have given the virtual machine 7.5 G of memory and tried reinstalling with 10 G but Boxes won’t allow that. Here is the result:
. . .
whonix-installer-xfce: [ERROR]: You need at least 10G of available space, you only have 9G.
whonix-installer-xfce: [ERROR]: Aborting installer.
whonix-installer-xfce: [NOTICE]: Current script: ./whonix-installer-xfce
whonix-installer-xfce: [NOTICE]: Function executed: die
whonix-installer-xfce: [NOTICE]: Command executed: exit “${1}”
whonix-installer-xfce: [ERROR]: Exit code: 101.
. . .
9G is not 7.5G of memory with 20G available to the virtual disk. So, actually, it must not be the parameters of the VM.

16

The installer’s free disk space check determines that by essentially running the following command:

df --output=avail -BG ~/installer-dist-download

Please try to run that command manually.

Expected output:

Avail
  9G

Which means there’s only 9G disk space available which is insufficient.

Check your system date/clock. If more than 30 minutes slow or fast you will keep running into issues.

Which VM?

How? What do you mean?

Boxes?

The installer doesn’t look at sizes of any installed VMs. Only at the total available disk space. It does so with above command.

17

Yes, the installer is correct. That command provided the same result. I think I need to add the amount Kicksecure (?G) requires plus Whonix (10G) and install Debian in a new VM with the total value.

The system time is correct. Almost exactly according to NIST (time.gov), so definitely not outside of +/- 30 min. I can’t install other applications also because of the “invalid for X hrs” and “is not gpg signed” error messages and it remains invalid for another several hours after I try again and I do not know how to sign the InRelease. I hypothesize that there is an advanced way of disrupting updates. On Qubes, saltmgmt was rendered inoperable and I have encountered disruptions of .onion in multiple systems that utilize the method of updates over tor (TAILS, Qubes, Debian onion repositories).

Yes, I am using Gnu Boxes on Fedora to virtualize. Whonix on Oracle Virtual Box works very well. But I thought it would be interesting to try Boxes because it is KVM/QEMU which is not proprietary like Oracle. So my design goal was to virtualize Whonix like Qubes does. In this system, there is not Xen and Dom0 but there is a virtualization barrier and the optimizations of Kicksecure. Maybe the newest version of Qubes 4.1.2 will be compatible with my hardware, but virtualizing Kiscksecure might have its own virtues which can be done on Qubes anyway so it is good to learn how to install Whonix on Kicksecure regardless.

18

I think there there might be a bit of unsupported mixing going on here.

Qubes as a host operating system:

do:

  • If you use Qubes as a host operating system with a Debian Template you can (clone and) morph this Template into Kicksecure. → Kicksecure for Qubes
  • If you use Qubes as a host operating system and want to use Whonix, then use Qubes-Whonix. → Qubes-Whonix Overview
  • That’s it. Nothing else.

not do:

Debian (or other Linux) as a host operating system:

do:

This is not the root cause. This is conceptually wrong. These files are not supposed to be signed by the user. And if so, that defeats the point and would be insecure. This isn’t the root cause.

This is the root cause. Is the date correct? Check in UTC.

date --utc

Your date might be wrong because you think it’s a different date format where month and day is swapped?

You most likely need to find support for this elsewhere because I am running out of ideas. → Free Support for Whonix

At time of writing, this virtualizer is unsupported. → Undocumented, Untested or Unsupported Features

Won’t work. This requires developer skills.

Kicksecure is available for download as VM for VirtualBox. → Kicksecure for Windows, macOS, Linux inside VirtualBox (And KVM.) It can run on any host operating system supported by VirtualBox, usually Windows, Mac, Linux, Debian, Kicksecure.
(On the “AMD64” platform which means “Intel and AMD.”)

This is generally simple. Kicksecure runs on hardware. Then install Whonix normally as per instructions. Do not mix Qubes into this as it is not designed for this and won’t work.

And in case you’re thinking, “I want Qubes-Whonix mixed with Kicksecure”, don’t. Unnecessary. (Qubes-)Whonix is already based on Kicksecure.

1 Like
19

Ok. Very clear. I am doing my best to work within hardware constraints since as of the time of writing, Qubes was not entirely compatible.

That being said, I have not found support elsewhere in Debian or Qubes forums where I have raised similar questions. There is a way of disrupting updates. I have the correct time:
. . .
X@deb:~$ date --utc
Mon 20 Mar 2023 [correct time] AM UTC
. . .
Thanks for clarifying:

I don’t know why anyone would want a Kicksecure template in Qubes, then.

I was not aware that the code is tailored to specific virtualizers. I was thinking that since KVM is supported and GnuBoxes is KVM/QEMU, then it wouldn’t be too dissimilar. But now I understand that the software is very specific and that is why there is the differentiation between supported and unsupported.

Thanks for answering all these questions. I will restate that there must be a vulnerability in updates over tor. I haven’t been precise enough to be persuasive here (e.g. I am not signing gpg, for some reason the system can’t find the gpg signatures for the release) but I recognize that must be a phenomenon that does not effect enough people in the software community for ready answers to be available. Yes, it is ideal to follow the prescribed methodology and developer models.

Thanks!

20

Kicksecure is a hardened version of Debian.

21

I understand that the virtualizer is not the method proscribed. But wouldn’t you agree that it is good to have multiple pathways to access the software? For example, I said earlier that Whonix work perfectly on VirtualBox but yesterday maybe there was a cyber attack on the dnf update because the .ova was aborted. There is no way to onionize dnf. Oracle went into “Guru Meditation” and I had to rebuild her all over again. Now it works again and it’s the latest update. Maybe the KVM method on the Whonix website is the method I should implement if Fedora sometimes reconfigures VirtualBox with updates that make the imported appliances disfunctional.

So I had decided to return to Qubes thinking that R 4.1.2 might be compatible with my hardware but it still does not recognize Alder Lake Wifi (lspci “unknown”) and the backlight is not at full brightness. Debian also does not recognize Alder Lake Wifi, so I can’t install Debian and then morph it to Kicksecure and install Whonix. I can only virtualize. Now I’m back where I started but I did learn a few things and I think there is more to discover through troubleshooting.

I restarted installing everything with 10G more for the vda. There is no easy way to resize the vda in Gnome Boxes. I tried. Suggestions I found online did not work.

This time around, I found that “su” does not work when Installing KicksecureTM Inside Debian (morphing) but “sudo su” does provide root access. If you look at the sudoers file, the permissions are eqivalent, aren’t they?

I also found that there is an onion for fasttrack now (5phj…)

And there is a way the clock can be skewed in Gnome-Redhat Boxes virtualizer. My host system time is not effected, but the guest in Boxes can be skewed and I don’t know how that happens. I corrected the time an so far it has remained on time but I didn’t close any “hole” that skewed it in the first place because I don’t know how timing attacks are carried out.

Both system tor and TBB are functional but there are the same error messages. I will upload texts of the commands and outputs.
. . .
root@debian: systemctl status tor.service
Active: active

debian@debian: ./tor-browser/Browser/start-tor-browser
curl check.torproject.org - yes connected to the tor network with new ip every time a new circuit is created

This is the result from Nyx with TBB running:
nyx - debian (Linux 5.10.9-20-amd64) Tor 0,4,7,13 (recommended)

debian@debian: torsocks w3m https://check.torproject.org
Congratulations.
. . .
I discovered that the timewas off in another OS on Boxes but was correct on the Debian I morphed but ran out of space so deleted. The current enlarged morph has an skewed clock. NTP can get attacked. I have seen an off by a minute skew attack if synced over network but that shouldn’t matter because less than 30min, right? What is the best way to keep the clock correct and why is it off I wonder? Shouldn’t the time have been set correctly during installation?

I manually set the date to the correct time and the errors persist.
Not sure what is going on with Nyx (there should be a Nyx guide)

  1. but torsocks,
  2. TBB,
  3. and system tor
    all appear to be working correctly according to the tests.
22

Troubleshooting information
. . .
@debian:~$ sudo apt update && sudo apt full-upgrade
Hit:1 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye InRelease
Get:6 tor+http://5phjdr2nmprmhdhw4fdqfxvpvt363jyoeppewju2oqllec7ymnolieyd.onion/debian bullseye-fasttrack InRelease [12.9 kB]
Reading package lists… Done
E: Release file for tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 4h 36min 38s). Updates for this repository will not be applied.
E: Release file for tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye-updates/InRelease is not valid yet (invalid for another 4h 58min 27s). Updates for this repository will not be applied.
E: Release file for tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye-backports/InRelease is not valid yet (invalid for another 4h 58min 26s). Updates for this repository will not be applied.
E: Release file for tor+http://5phjdr2nmprmhdhw4fdqfxvpvt363jyoeppewju2oqllec7ymnolieyd.onion/debian/dists/bullseye-fasttrack/InRelease is not valid yet (invalid for another 5h 45min 26s). Updates for this repository will not be applied.

debian@debian:~$ sudo su
root@debian:/home/debian# bash ./whonix-installer-xfce --onion
whonix-installer-xfce: [NOTICE]: Executing: $ sudo – echo Successful root login
Successful root login
whonix-installer-xfce: [WARN]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
whonix-installer-xfce: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9050 rsync --dry-run rsync://127.0.0.1:9050’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘./whonix-installer-xfce: line 1569: rsync: command not found’
    whonix-installer-xfce: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9150.
    whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9150 rsync --dry-run rsync://127.0.0.1:9150’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘./whonix-installer-xfce: line 1569: rsync: command not found’
    whonix-installer-xfce: [ERROR]: Cannot connect to Tor SOCKS proxy.

root@debian:/home/debian# su
root@debian:/home/debian# bash ./whonix-installer-xfce --onion
whonix-installer-xfce: [NOTICE]: Executing: $ sudo – echo Successful root login
Successful root login
root@debian:/home/debian#
root@debian:/home/debian# systemctl status tor.service
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: e>
Active: active (exited)
Main PID: (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 7062)
Memory: 0B
CPU: 0
CGroup: /system.slice/tor.service

Mar 23 09:29:54 debian systemd[1]: Starting Anonymizing overlay network for TCP>
Mar 23 09:29:54 debian systemd[1]: Finished Anonymizing overlay network for TCP>
lines 1-11/11 (END)

debian@debian:~$ firejail --private=~/tor-browser ./Browser/start-tor-browser
Reading profile /etc/firejail/start-tor-browser.profile
Child process initialized in 164.63 ms
[also tried without firejail sandboxing and same result]
. . .

23

Clock inside VM can be different form clock on the host.

To check inside VM, run inside the VM:

date

Most likely your clock is fast by approximately 5 hours.

Also note:

To fix until we fix that in the installer:

sudo apt install rsync

I agree but resources are limited.

Malware, Computer Viruses, Firmware Trojans and Antivirus Scanners chapter Valid Compromise Indicators versus Invalid Compromise Indicators in Kicksecure wiki

Kicksecure ™ in VirtualBox - Troubleshooting - Kicksecure ™ does not Start? chapter Guru Mediation in Kicksecure wiki

Safely Use Root Commands chapter Substitute User (su) Command in Kicksecure wiki

24

Thank you. I will read up on the information you provided and see if I can make it work. You have the best collection of internet privacy and security guides I have found online!

But the time is correct. The time has been correct and still is but the installer does not complete.

I noticed that Whonix Gateway has a troubleshooting feature in the connections dialogue that provides the option of looking at journalctl if the circuit failed to build. Is there a precise command for looking up the relevant information about the tor connection so I can prove to you that it is not about the time?f

For example,
sudo journalctl -o short
produced this sample:
. . .
timesanitycheck.service
tor.service
tor@default.service
udisks2.service
ufw.service
upower.service
user-runtime-dir@1000.service
user@1000.service
wpa_supplicant.service
-.slice
system-getty.slice
system-modprobe.slice
system-tor.slice
, . .

time.gov result

01:31:26 P.M.
Your clock is off by:
+0.196 s

Yes, now the installation is downloading after installing rsync. There is a warning about nested virtualization. Is there a way to make an iso of a virtual guest image so I could un-nest it now that it is built and install directly on hardware? I see that there is even better security with physical isolation. I was thinking about installing Whonix Gateway on a Mobian Posh morphed into Kicksecure with Pine64 LTE and then tethering that to a Whonix Workstation laptop.
. . .
whonix-installer-xfce: [WARN]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
. . .

? ? ? But: torsocks w3m https://forums.whonix.org
Powered by Discourse, best used with JavaScript enabled
And TBB and tor.service running

? ? ? Clock changes itself spontaneously but I can reset it manually.

Host can be compromised
That’s why I wanted Qubes but Incompatible with Alder Wifi.

------------ > Download ova complete!
Towards the end, Whonix Installer asks, agree to start virtualizer? y/n - Y - and then VirtualBox doesn’t start. So nesting won’t work. I read about nesting causing more attack surface but doesn’t Qubes nest qubes-vms on top of Xen hypervisor? So there must be a great deal of complexity involved in VM nesting properly. If I studied Kubevirt would that help to figure out how to nest VMs?

Hopefully Kicksecure or maybe Whonix will complete an iso soon that is compatible with the latest Intel (Alder Lake). Qubes and Debian are not at the moment. What are your fundraising goals?

So the method I tried cannot be done at present. The best I can do is harden Fedora so VirtualBox Guest Whonix is not made derelict with a compromising dnf update. CentOS has onionized EPEL. Maybe Arch with Pacman over tor would be a more secure host.

Thanks for exploring this method. Learned a lot!

25

Just completed the KVM installation (Virtual Machine Manager) for Fedora of Whonix. It works just like VirtualBox except for sudo setup-dist on the Gateway which is cli. Then, booting live, entering user and password, what comes next? Isrunning sudo systemctl start tor.service on Gateway cli the same as tor connection control panel on the Gateway gui? The Workstation can connect to tor this way but I am not sure what is the best method. Then, if I want to add obs4 there are commands to input into the KVM Gateway cli? The KVM Whonix page does not elaborate. There a a lot of fine-tuning options for Qemu listed but is there any information about Gateway cli commands available?