Whonix Linux Installer - Development Discussion

Debian trixie (testing) support has been added just now.

Feel free to refactor/improve.

During development, I temporarily disabled building other distro suites (Debian stable etc.) for CI builds to save some CI time. Just must not forget to re-enable. (Done.)

How could we allow installation on Debian testing based derivatives (such as kali?)?

Or installation on derivatives generally?

Do you think you could add support for Fedora? Instructions don’t look terribly difficult.

  • We could get the gpg key using extrepo. (Similar to how the installer already gets the gpg key for the Kicksecure repository)
  • Line gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc looks insecure.

Qubes Fedora template folder /etc/yum.repo.d folder shows a nicer use.


This seems more secure:


Interesting but possibly not the most secure way to do this:

sudo dnf config-manager --add-repo=https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo


Fedora support has been implemented, thanks to @grass with help from @nyxnor (CI).

The updated installer has been uploaded just now.

As for Fedora, an alternative to the Oracle repository might be RPM Fusion.

RPM Fusion homepage:

RPM Fusion wiki page about VirtualBox:

RPM Fusion package search for VirtualBox:

RPM Fusion package VirtualBox:

RPM Fusion package VirtualBox-kmod:

But there might be issues with SecureBoot as the wiki page mentions or the wiki page might be outdated.

Please allow Kali host operating systems in the Kicksecure / Whonix Linux Installer for Linux.


The ban on discussing anonymous pentesting does not apply here. I see zero issues with Kicksecure or Whonix being installed on top of Kali. Unless I have forgotten my own argument, in that case please remind me, please allow Kali hosts in the installer.

The issue in above forum thread was that I wanted to avoid Whonix forums morphing into a script kiddy forum where people ask how to anonymize attack tools. That seemed not a fight, risk worth taking on top of Whonix.

A Kicksecure or Whonix VM on top of Kali doesn’t simplify any anonymous attacks because Whonix doesn’t have a feature to anonymize the traffic of the host operating system yet at time of writing and even if it had it still would not help making attack tools work over Tor. These tools would still have broken connectivity for reasons inherit to these tools (which I don’t want to elaborate on).

flathub packaging request:

Feature requests:

  • --uninstall-vms
  • --uninstall-gateway-xfce
  • --uninstall-workstation-xfce
  • --uninstall-virtualizer
  • --uninstall-all

The option names and functionality needs more thought. The overall feature request is “uninstallation support”.

Not sure about repository removal. Probably not simple to implement.
Also removing the Kicksecure repository on Kicksecure would make no sense.

The forum thread Kernel driver not installed motivated me to add a minor info level output to check if SecureBoot is enabled.

Expanding use of CI:

  • --virtualbox-only to test VirtualBox installer. That test should be very quick because it is run after the full Whonix installation.
  • --virtualbox-only --oracle-repo this might be a bit slower.

CI on Ubuntu latest:

2023-08-15T17:19:48.0572513Z usr/bin/installer-dist: line 878: url_version_domain: unbound variable

Gonna add a stopgap for that by defensibly initializing the domain name. Some help messages in some corner cases might be missing the domain name but that’s better than a unbound variable for now.

CI on Debian testing:

Version number changed to n/a. Gonna add a fix for that too.

CI issues resolved.

This doesn’t actually install VirtualBox from virtualbox.org if VirtualBox is already installed. And I am not sure it should.

Confusing output:

./usr/bin/installer-dist --non-interactive --virtualbox-only

installer-dist: [NOTICE]: Running: $ sudo – echo test
installer-dist: [NOTICE]: Saving user log to: ‘/home/user/installer-dist-download/logs/238/user.log’
installer-dist: [NOTICE]: Saving debug log to: ‘/home/user/installer-dist-download/logs/238/debug.log’
installer-dist: [NOTICE]: Installer: ‘VirtualBox Installer’
installer-dist: [NOTICE]: License Check: ‘success’ - User agreement confirmed via non_interactive setting.
installer-dist: [NOTICE]: Detected architecture: ‘x86_64’
installer-dist: [NOTICE]: Detected system: ‘Linux’
installer-dist: [NOTICE]: Detected distribution: ‘Kicksecure’
installer-dist: [NOTICE]: Detected distribution version: ‘17’
installer-dist: [WARN]: Minimum RAM Check: Your systems has a low amount of total RAM: ‘3951 MB’

Implies something is wrong but it’s complete. Working on it.

1 Like

Switching from

  • distribution package virtualbox-qt to
  • virtualbox.org (Oracle) virtualbox-$version_number package

is now implemented.


VirtualBox Installation Result: ‘SUCCESS’

The installer can now switch back and forth from distribution packages to virtualbox.org packages.

This is being tested on CI.

1 Like

New installer uploaded.

1 Like

About RPM Fusion, I don’t think it has more issues with secure boot than with Oracle Repo, I believe they have the same issues.
About trusting RPM Fusion, it is a third party repo, not from Fedora, not from Oracle, but an alternative.

Is there a preference to use RPM Fusion over Oracle for Fedora?

I haven’t found any arguments why RPM Fusion is better / more trustworthy than Oracle Repo (virtualbox.org repos).

As for SecureBoot support I am pretty sure that Oracle has worked on that. But also Fedora might have added signing of kernel modules nowadays similar to how Debian (since bookworm) and Ubuntu fixed this issue.

Many changes today.

zsh autocompletion does not work yet after the rename. [1]

Maybe zsh autocompletion cache needs to be rebuild.

Is there some command that should be run during Debian maintainer postinst script?

[1] Kicksecure ™ Linux Installer - Design Documentation chapter Naming in Kicksecure wiki

I don’t think it is because the name has changed, but because the shell did not load the new completion with the new script.

When installer bash-completion, the shell also has to be reloaded.

I dont know but rehash from the provided answer might be the best solution, but still, it doesn’t load new completions.

1 Like