Whonix-installer error line 176 (Kicksecure Whonix, updates over tor, and S76 HCL)

Support
7

There are actually different issues here. The debug log doesn’t match the user log. But that doesn’t matter. I am going to address both.

The following will be the improved error message in that case once the new installer version goes live.

installer-dist: [WARN]: Missing SOCKS proxy for torified connections.
installer-dist: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
installer-dist: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9050.
installer-dist: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9050 rsync --dry-run rsync://127.0.0.1:9050’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘rsync: [Receiver] failed to connect to 127.0.0.1 (127.0.0.1): Connection refused (111)’
    installer-dist: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9150.
    installer-dist: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9150 rsync --dry-run rsync://127.0.0.1:9150’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘rsync: [Receiver] failed to connect to 127.0.0.1 (127.0.0.1): Connection refused (111)’
    installer-dist: [ERROR]: Cannot connect to Tor SOCKS proxy.
  • This issue is most likely not caused by this installer.
  • This issue is likely caused by a missing software, configuration or network issues.

Note, that for torification of connections an already functional Tor connection is required.

  • A) An already installed and running system Tor (little-t-tor). Or,
  • B) An already installed and running TBB (Tor Browser Bundle).

This installer cannot help to set up a functional Tor connection. This must be done by the system administrator.

When manually running above cmd_check_proxy it needs to include the expected_response_header.
installer-dist: [ERROR]: Aborting installer.

Does that help?

Currently due to another bug that I fixed just now, only system Tor can be automatically detected. If TBB is running, that won’t work unless configuring the SOCKS proxy on the command line.

I’ll let you know once the next Whonix Linux Installer version has been uploaded. (Not that it will help much since you’re having system configuration issues most likely. Nothing that the installer can fix. Just better SOCKS auto detection and better error messages.)

More answers from me upcoming soonish.

8

This is a different issue. The improved error message will be:

installer-dist: [ERROR]: Could not update package lists.
- This issue is most likely not caused by this installer.
- This is most likely a package manager configuration or network issue.

This is the command which the installer has just run that failed:

sudo -- apt-get update --yes --error-on=any

The user is advised to attempt to debug this.

1. Run above command.

2. If there is an issue, use search engines, documentation and if needed contract the support of
   your operating system.

3. Once this has been fixed fixed, re-run this installer.
installer-dist: [ERROR]: Aborting installer.

Does that help?

9

minor: File /usr/share/kicksecure/marker does not exist. Therefore Kicksecure was not detected. Most likely Kicksecure isn’t installed. Debian was detected. Not Kicksecure. But that doesn’t make a difference except that if Kicksecure was installed, the tor package would already be installed.
(Whonix Linux Installer doesn’t check yet if the tor package is installed.)

10

As for logs, please wrap them into.

```

text

```

Upgraded your just now account. You can post links now.
(background: Posting Links for New Users)

That is a big issue. It rarely happens to me. The Tor Project actively scans for Tor exit relays attempting malicious traffic modifications and attempting to strip https. Once found, such relays are banned. Therefore shouldn’t happen a lot.

Therefore this could be an indication of general system issues. Unrelated to Whonix Linux Installer. But such system issues would likely also break Whonix Linux Installer.

Check your time and date. Should be reasonably correct +/- 30 minutes. Otherwise, specifically if wrong several days, you’ll get tons of https and other verification errors.

The log folders are iterative. Lowest number is log of first run. Highest number is log of last run.

11

Also unrelated new bug:

12
  • Dependency issue fixed. (You didn’t experience that one yet.)
  • Better error messages.
  • But doesn’t (won’t attempt to and conceptually shouldn’t) attempt to fix any general system configuration issues.
13

Thanks Patrick for making the installation process accessible to beginners as well. Others can learn from this also. From what I understand, tor is not an exclusively elite project since the more people involved only makes the anonymity stronger. I am not certain what is difference between system tor and TBB. From my experience with tor on Debian, I found that ‘systemctl tor.service’ can be started but .onion sources will not update unless TBB is running.

[I got interested in Nyx to understand more about tor configurations and I think there should be a guide about Nyx if there isn’t one somewhere I couldn’t find.]

I did not have TBB installed on the virtualized system I am working on currently, just tor and torsocks. Now I installed TBB and ran the command you suggested.

Here is the result from terminal with TBB running in the background:
. . .
dkwx@deb:~$ sudo – apt-get update --yes --error-on=any
[sudo] password for dkwx:
Hit:1 tor+https://deb.debian.org/debian bullseye InRelease
Get:2 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease [12.9 kB]
Err:2 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY C47F8A8AAD743EF7
Get:3 tor+https://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 tor+https://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:5 tor+https://deb.debian.org/debian bullseye-backports InRelease [49.0 kB]
Get:6 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages.diff/Index [63.3 kB]
Get:7 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages T-2023-03-18-1410.53-F-2023-03-17-0204.57.pdiff [2,552 B]
Get:8 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye InRelease [39.7 kB]
Get:7 tor+https://deb.debian.org/debian bullseye-backports/main amd64 Packages T-2023-03-18-1410.53-F-2023-03-17-0204.57.pdiff [2,552 B]
Get:9 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/main amd64 Packages [48.6 kB]
Get:10 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/contrib amd64 Packages [511 B]
Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye/non-free amd64 Packages [1,578 B]
Reading package lists… Done
W: GPG error: tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY C47F8A8AAD743EF7
E: The repository ‘tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Release file for tor+https://deb.debian.org/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 1h 42min 37s). Updates for this repository will not be applied.
. . .

I have found the “invalid for another X hrs” message several times before. There are also the “timed out” “404 not found” and “InRelease not signed” error messages which occur from time to time. At other times, .onion sources download perfectly. I’m not sure why this happens. The “invalid for X hrs” message is new to me. I have described these errors in Debian forums and Tor forums (user Fasterandfaster and Strongerandstronger respectively) but never found a satisfactory response.

I will continue working on trying to make the installation work and let you know what I find out. Thanks for developing the installer further.

14

This is not supposed to be happening.
The fasttrack repository was added but fasttrack-archive-keyring was not downloaded, thus it says it can’t verify the signature.

 sudo apt install fasttrack-archive-keyring
1 Like
15

I re-installed the keyring and then ran the update. There’s the same error message with “invalid for another” several hours (between 3 to 6 hrs) and the hours always change strangely and not according to the expected time elapsed since last the command was run.

I have given the virtual machine 7.5 G of memory and tried reinstalling with 10 G but Boxes won’t allow that. Here is the result:
. . .
whonix-installer-xfce: [ERROR]: You need at least 10G of available space, you only have 9G.
whonix-installer-xfce: [ERROR]: Aborting installer.
whonix-installer-xfce: [NOTICE]: Current script: ./whonix-installer-xfce
whonix-installer-xfce: [NOTICE]: Function executed: die
whonix-installer-xfce: [NOTICE]: Command executed: exit “${1}”
whonix-installer-xfce: [ERROR]: Exit code: 101.
. . .
9G is not 7.5G of memory with 20G available to the virtual disk. So, actually, it must not be the parameters of the VM.

16

The installer’s free disk space check determines that by essentially running the following command:

df --output=avail -BG ~/installer-dist-download

Please try to run that command manually.

Expected output:

Avail
  9G

Which means there’s only 9G disk space available which is insufficient.

Check your system date/clock. If more than 30 minutes slow or fast you will keep running into issues.

Which VM?

How? What do you mean?

Boxes?

The installer doesn’t look at sizes of any installed VMs. Only at the total available disk space. It does so with above command.

17

Yes, the installer is correct. That command provided the same result. I think I need to add the amount Kicksecure (?G) requires plus Whonix (10G) and install Debian in a new VM with the total value.

The system time is correct. Almost exactly according to NIST (time.gov), so definitely not outside of +/- 30 min. I can’t install other applications also because of the “invalid for X hrs” and “is not gpg signed” error messages and it remains invalid for another several hours after I try again and I do not know how to sign the InRelease. I hypothesize that there is an advanced way of disrupting updates. On Qubes, saltmgmt was rendered inoperable and I have encountered disruptions of .onion in multiple systems that utilize the method of updates over tor (TAILS, Qubes, Debian onion repositories).

Yes, I am using Gnu Boxes on Fedora to virtualize. Whonix on Oracle Virtual Box works very well. But I thought it would be interesting to try Boxes because it is KVM/QEMU which is not proprietary like Oracle. So my design goal was to virtualize Whonix like Qubes does. In this system, there is not Xen and Dom0 but there is a virtualization barrier and the optimizations of Kicksecure. Maybe the newest version of Qubes 4.1.2 will be compatible with my hardware, but virtualizing Kiscksecure might have its own virtues which can be done on Qubes anyway so it is good to learn how to install Whonix on Kicksecure regardless.

18

I think there there might be a bit of unsupported mixing going on here.

Qubes as a host operating system:

do:

  • If you use Qubes as a host operating system with a Debian Template you can (clone and) morph this Template into Kicksecure. → Kicksecure for Qubes
  • If you use Qubes as a host operating system and want to use Whonix, then use Qubes-Whonix. → Qubes-Whonix Overview
  • That’s it. Nothing else.

not do:

Debian (or other Linux) as a host operating system:

do:

This is not the root cause. This is conceptually wrong. These files are not supposed to be signed by the user. And if so, that defeats the point and would be insecure. This isn’t the root cause.

This is the root cause. Is the date correct? Check in UTC.

date --utc

Your date might be wrong because you think it’s a different date format where month and day is swapped?

You most likely need to find support for this elsewhere because I am running out of ideas. → Free Support for Whonix

At time of writing, this virtualizer is unsupported. → Undocumented, Untested or Unsupported Features

Won’t work. This requires developer skills.

Kicksecure is available for download as VM for VirtualBox. → Kicksecure for Windows, macOS, Linux inside VirtualBox (And KVM.) It can run on any host operating system supported by VirtualBox, usually Windows, Mac, Linux, Debian, Kicksecure.
(On the “AMD64” platform which means “Intel and AMD.”)

This is generally simple. Kicksecure runs on hardware. Then install Whonix normally as per instructions. Do not mix Qubes into this as it is not designed for this and won’t work.

And in case you’re thinking, “I want Qubes-Whonix mixed with Kicksecure”, don’t. Unnecessary. (Qubes-)Whonix is already based on Kicksecure.

1 Like
19

Ok. Very clear. I am doing my best to work within hardware constraints since as of the time of writing, Qubes was not entirely compatible.

That being said, I have not found support elsewhere in Debian or Qubes forums where I have raised similar questions. There is a way of disrupting updates. I have the correct time:
. . .
X@deb:~$ date --utc
Mon 20 Mar 2023 [correct time] AM UTC
. . .
Thanks for clarifying:

I don’t know why anyone would want a Kicksecure template in Qubes, then.

I was not aware that the code is tailored to specific virtualizers. I was thinking that since KVM is supported and GnuBoxes is KVM/QEMU, then it wouldn’t be too dissimilar. But now I understand that the software is very specific and that is why there is the differentiation between supported and unsupported.

Thanks for answering all these questions. I will restate that there must be a vulnerability in updates over tor. I haven’t been precise enough to be persuasive here (e.g. I am not signing gpg, for some reason the system can’t find the gpg signatures for the release) but I recognize that must be a phenomenon that does not effect enough people in the software community for ready answers to be available. Yes, it is ideal to follow the prescribed methodology and developer models.

Thanks!

20

Kicksecure is a hardened version of Debian.

21

I understand that the virtualizer is not the method proscribed. But wouldn’t you agree that it is good to have multiple pathways to access the software? For example, I said earlier that Whonix work perfectly on VirtualBox but yesterday maybe there was a cyber attack on the dnf update because the .ova was aborted. There is no way to onionize dnf. Oracle went into “Guru Meditation” and I had to rebuild her all over again. Now it works again and it’s the latest update. Maybe the KVM method on the Whonix website is the method I should implement if Fedora sometimes reconfigures VirtualBox with updates that make the imported appliances disfunctional.

So I had decided to return to Qubes thinking that R 4.1.2 might be compatible with my hardware but it still does not recognize Alder Lake Wifi (lspci “unknown”) and the backlight is not at full brightness. Debian also does not recognize Alder Lake Wifi, so I can’t install Debian and then morph it to Kicksecure and install Whonix. I can only virtualize. Now I’m back where I started but I did learn a few things and I think there is more to discover through troubleshooting.

I restarted installing everything with 10G more for the vda. There is no easy way to resize the vda in Gnome Boxes. I tried. Suggestions I found online did not work.

This time around, I found that “su” does not work when Installing KicksecureTM Inside Debian (morphing) but “sudo su” does provide root access. If you look at the sudoers file, the permissions are eqivalent, aren’t they?

I also found that there is an onion for fasttrack now (5phj…)

And there is a way the clock can be skewed in Gnome-Redhat Boxes virtualizer. My host system time is not effected, but the guest in Boxes can be skewed and I don’t know how that happens. I corrected the time an so far it has remained on time but I didn’t close any “hole” that skewed it in the first place because I don’t know how timing attacks are carried out.

Both system tor and TBB are functional but there are the same error messages. I will upload texts of the commands and outputs.
. . .
root@debian: systemctl status tor.service
Active: active

debian@debian: ./tor-browser/Browser/start-tor-browser
curl check.torproject.org - yes connected to the tor network with new ip every time a new circuit is created

This is the result from Nyx with TBB running:
nyx - debian (Linux 5.10.9-20-amd64) Tor 0,4,7,13 (recommended)

debian@debian: torsocks w3m https://check.torproject.org
Congratulations.
. . .
I discovered that the timewas off in another OS on Boxes but was correct on the Debian I morphed but ran out of space so deleted. The current enlarged morph has an skewed clock. NTP can get attacked. I have seen an off by a minute skew attack if synced over network but that shouldn’t matter because less than 30min, right? What is the best way to keep the clock correct and why is it off I wonder? Shouldn’t the time have been set correctly during installation?

I manually set the date to the correct time and the errors persist.
Not sure what is going on with Nyx (there should be a Nyx guide)

  1. but torsocks,
  2. TBB,
  3. and system tor
    all appear to be working correctly according to the tests.
22

Troubleshooting information
. . .
@debian:~$ sudo apt update && sudo apt full-upgrade
Hit:1 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bullseye InRelease
Get:6 tor+http://5phjdr2nmprmhdhw4fdqfxvpvt363jyoeppewju2oqllec7ymnolieyd.onion/debian bullseye-fasttrack InRelease [12.9 kB]
Reading package lists… Done
E: Release file for tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security/dists/bullseye-security/InRelease is not valid yet (invalid for another 4h 36min 38s). Updates for this repository will not be applied.
E: Release file for tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye-updates/InRelease is not valid yet (invalid for another 4h 58min 27s). Updates for this repository will not be applied.
E: Release file for tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye-backports/InRelease is not valid yet (invalid for another 4h 58min 26s). Updates for this repository will not be applied.
E: Release file for tor+http://5phjdr2nmprmhdhw4fdqfxvpvt363jyoeppewju2oqllec7ymnolieyd.onion/debian/dists/bullseye-fasttrack/InRelease is not valid yet (invalid for another 5h 45min 26s). Updates for this repository will not be applied.

debian@debian:~$ sudo su
root@debian:/home/debian# bash ./whonix-installer-xfce --onion
whonix-installer-xfce: [NOTICE]: Executing: $ sudo – echo Successful root login
Successful root login
whonix-installer-xfce: [WARN]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
whonix-installer-xfce: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9050.
whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9050 rsync --dry-run rsync://127.0.0.1:9050’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘./whonix-installer-xfce: line 1569: rsync: command not found’
    whonix-installer-xfce: [NOTICE]: Testing SOCKS proxy: 127.0.0.1:9150.
    whonix-installer-xfce: [ERROR]: Unexpected proxy response, maybe not a Tor proxy?

Debugging information:

  • cmd_check_proxy:
    ‘RSYNC_PROXY=127.0.0.1:9150 rsync --dry-run rsync://127.0.0.1:9150’
  • expected_response_header:
    ‘HTTP/1.0 501 Tor is not an HTTP Proxy’
  • actual_response_header:
    ‘./whonix-installer-xfce: line 1569: rsync: command not found’
    whonix-installer-xfce: [ERROR]: Cannot connect to Tor SOCKS proxy.

root@debian:/home/debian# su
root@debian:/home/debian# bash ./whonix-installer-xfce --onion
whonix-installer-xfce: [NOTICE]: Executing: $ sudo – echo Successful root login
Successful root login
root@debian:/home/debian#
root@debian:/home/debian# systemctl status tor.service
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: e>
Active: active (exited)
Main PID: (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 7062)
Memory: 0B
CPU: 0
CGroup: /system.slice/tor.service

Mar 23 09:29:54 debian systemd[1]: Starting Anonymizing overlay network for TCP>
Mar 23 09:29:54 debian systemd[1]: Finished Anonymizing overlay network for TCP>
lines 1-11/11 (END)

debian@debian:~$ firejail --private=~/tor-browser ./Browser/start-tor-browser
Reading profile /etc/firejail/start-tor-browser.profile
Child process initialized in 164.63 ms
[also tried without firejail sandboxing and same result]
. . .

23

Clock inside VM can be different form clock on the host.

To check inside VM, run inside the VM:

date

Most likely your clock is fast by approximately 5 hours.

Also note:

To fix until we fix that in the installer:

sudo apt install rsync

I agree but resources are limited.

Malware, Computer Viruses, Firmware Trojans and Antivirus Scanners chapter Valid Compromise Indicators versus Invalid Compromise Indicators in Kicksecure wiki

Kicksecure ™ in VirtualBox - Troubleshooting - Kicksecure ™ does not Start? chapter Guru Mediation in Kicksecure wiki

Safely Use Root Commands chapter Substitute User (su) Command in Kicksecure wiki

24

Thank you. I will read up on the information you provided and see if I can make it work. You have the best collection of internet privacy and security guides I have found online!

But the time is correct. The time has been correct and still is but the installer does not complete.

I noticed that Whonix Gateway has a troubleshooting feature in the connections dialogue that provides the option of looking at journalctl if the circuit failed to build. Is there a precise command for looking up the relevant information about the tor connection so I can prove to you that it is not about the time?f

For example,
sudo journalctl -o short
produced this sample:
. . .
timesanitycheck.service
tor.service
tor@default.service
udisks2.service
ufw.service
upower.service
user-runtime-dir@1000.service
user@1000.service
wpa_supplicant.service
-.slice
system-getty.slice
system-modprobe.slice
system-tor.slice
, . .

time.gov result

01:31:26 P.M.
Your clock is off by:
+0.196 s

Yes, now the installation is downloading after installing rsync. There is a warning about nested virtualization. Is there a way to make an iso of a virtual guest image so I could un-nest it now that it is built and install directly on hardware? I see that there is even better security with physical isolation. I was thinking about installing Whonix Gateway on a Mobian Posh morphed into Kicksecure with Pine64 LTE and then tethering that to a Whonix Workstation laptop.
. . .
whonix-installer-xfce: [WARN]: Missing SOCKS proxy for torified connections.
whonix-installer-xfce: [WARN]: Trying Tor defaults: system Tor (little-t-tor) (port: 9050) and TBB (Tor Browser Bundle) (port: 9150).
. . .

? ? ? But: torsocks w3m https://forums.whonix.org
Powered by Discourse, best used with JavaScript enabled
And TBB and tor.service running

? ? ? Clock changes itself spontaneously but I can reset it manually.

Host can be compromised
That’s why I wanted Qubes but Incompatible with Alder Wifi.

------------ > Download ova complete!
Towards the end, Whonix Installer asks, agree to start virtualizer? y/n - Y - and then VirtualBox doesn’t start. So nesting won’t work. I read about nesting causing more attack surface but doesn’t Qubes nest qubes-vms on top of Xen hypervisor? So there must be a great deal of complexity involved in VM nesting properly. If I studied Kubevirt would that help to figure out how to nest VMs?

Hopefully Kicksecure or maybe Whonix will complete an iso soon that is compatible with the latest Intel (Alder Lake). Qubes and Debian are not at the moment. What are your fundraising goals?

So the method I tried cannot be done at present. The best I can do is harden Fedora so VirtualBox Guest Whonix is not made derelict with a compromising dnf update. CentOS has onionized EPEL. Maybe Arch with Pacman over tor would be a more secure host.

Thanks for exploring this method. Learned a lot!

25

Just completed the KVM installation (Virtual Machine Manager) for Fedora of Whonix. It works just like VirtualBox except for sudo setup-dist on the Gateway which is cli. Then, booting live, entering user and password, what comes next? Isrunning sudo systemctl start tor.service on Gateway cli the same as tor connection control panel on the Gateway gui? The Workstation can connect to tor this way but I am not sure what is the best method. Then, if I want to add obs4 there are commands to input into the KVM Gateway cli? The KVM Whonix page does not elaborate. There a a lot of fine-tuning options for Qemu listed but is there any information about Gateway cli commands available?

26

Please create another thread regarding KVM issue. Let’s keep this thread focused on the installer.