Whonix Linux Installer - Development Discussion

The download command is non-ideal.

curl --tlsv1.3 --proto "=https" --output whonix-installer-xfce --url https://www.whonix.org/installer-dist
  • Too long.
  • The quotes for "=https" are required for zsh compatibility → related: Change default shell from bash to zsh by default? - #117 by Patrick
  • --tlsv1.3 by itself is unfortunately insufficient to enforce TLS. --tlsv1.3 is useful to prevent TLS version downgrade attacks. But without --proto "=https" the following command would work.

.

curl --tlsv1.3 --max-time 180 --output ~/test.txt http://httpforever.com/

It only fails as it should when using:

curl --tlsv1.3 --proto "=https" --max-time 180 --output ~/test.txt http://httpforever.com/

But I might be mistaken. Curl might enforce the correct protocol “https” based on the url starting with “https://” and disallow “http”.

https://manpages.debian.org/bullseye/curl/curl.1.en.html

–proto-default
Tells curl to use protocol for any URL missing a scheme name.

An unknown or unsupported protocol causes error CURLE_UNSUPPORTED_PROTOCOL (1).

This option does not change the default proxy protocol (http).

Without this option set, curl guesses protocol based on the host name, see –url for details.

–url
Specify a URL to fetch. This option is mostly handy when you want to specify URL(s) in a config file.

If the given URL is missing a scheme name (such as “http://” or “ftp://” etc) then curl will make a guess based on the host.

If you specify URL without protocol:// prefix, curl will attempt to guess what protocol you might want.

PROTOCOLS

curl supports numerous protocols, or put in URL terms: schemes. Your particular build may not support them all.

HTTP(S)
curl supports HTTP with numerous options and variations. It can speak HTTP version 0.9, 1.0, 1.1, 2 and 3 depending on build options and the correct command line options.

Looking at `curl --verbose’ it can also be seen that curl makes a difference for http vs https.

related:
https://phabricator.whonix.org/T673

By looking at the old tickets at curl all of this seems to have improved. So when using https:// there’s no need to use --proto =https. Wiki updated.

new bug on Debian stable (currently: bullseye):

The following packages have unmet dependencies:
virtualbox : Depends: libtpms0 (>= 0.8.0~dev1) but it is not installable

Need to enable backports.

Does not happen on Kicksecure because Kicksecure enables the APT backports repository by default.

Fixed. Along with other improvements.

New version of Whonix Installer has been uploaded just now.

debian 11 vm.
on whonix, the problem doesn’t appear.

dpkg: dependency problems prevent configuration of virtualbox:
 virtualbox depends on virtualbox-dkms (>= 7.0.6-dfsg-1~fto11+1) | virtualbox-source (>= 7.0.6-dfsg-1~fto11+1) | virtualbox-modules; however:
  Package virtualbox-dkms is not configured yet.
  Package virtualbox-source is not installed.
  Package virtualbox-modules is not installed.
  Package virtualbox-dkms which provides virtualbox-modules is not configured yet.

dpkg: error processing package virtualbox (--configure):
 dependency problems - leaving unconfigured
Processing triggers for man-db (2.9.4-2) ...
Errors were encountered while processing:
 virtualbox-dkms
 virtualbox
E: Sub-process /usr/bin/dpkg returned an error code (1)
1 Like

In a Qubes Debian VM or real Debian?

Assuming a Qubes Debian VM:
This is unfortunately an invalid test. In Qubes this is expected to fail. So the log above from what you pasted. It’s because DKMS is failing to compile the VirtualBox kernel module. And that is failing because the kernel in Qubes is “weird”. It’s the dom0 kernel. Not the VM kernel. That causes various issues including this one.

You’d have to use https://www.qubes-os.org/doc/managing-vm-kernels/#using-kernel-installed-in-the-vm.

1 Like

Should the installer check if it’s run in Qubes and exit with an error or warn that this will likely fail unless using Qubes VM kernel?

Or we could go fancy and check similar as DKMS is doing this when it is saying:

It is likely that xxx.qubes.fc32.x86_64 belongs to a chroot’s host

Also the minimum RAM check might show a false positive warning because of Qubes dynamic RAM assignment. That test should then also be skipped in Qubes.

With these modifications, an installation of VirtualBox inside Qubes would probably succeed. But I didn’t test if any VMs could be actually started and I don’t know if anyone would want that. Maybe useful during development / for testing?

It might still be possible to install VirtualBox in a Qubes Debian VM. The VirtualBox kernel module and VirtualBox VMs would be broken but vboxmanage might be functional. I used this in the past to build Non-Qubes-Whonix from inside a Qubes VM. That might also be handy here for developer testing.

1 Like

For testing on qubes, I use the dirty mode --allow-errors. But that is not “good” because I just want to skip the precheck, not all the errors.

It is, on whonix vms, it works, but I have to review. Vbox is installed. Of course it can’t start.

1 Like

I am pushing to the master branch now.

1 Like

It currently fails in some steps, I will see how to not fail on qubes…, although it might require dealing differently with a lot of the steps.

1 Like

Disabling apt recommends has the effect of not installing the virtualbox graphical interface, more specifically, virtualbox-qt.

Edit: fixed and pushed.

1 Like

Commits can be merge, tested with --onion and --proxy.

1 Like

The CI runs as root, it is broken now because root was blocked on the last commit. Fixing the CI.

1 Like

Fixed build running as root.

1 Like

CI still broken.

2023-03-31T08:47:09.4130706Z + sudo -- echo 'Successful root login'
2023-03-31T08:47:09.4131187Z installer-dist: [e[1me[32mNOTICEe[0m]: Executing: $ sudo -- echo Successful root login
2023-03-31T08:47:09.4191491Z 
2023-03-31T08:47:09.4191738Z We trust you have received the usual lecture from the local System
2023-03-31T08:47:09.4192125Z Administrator. It usually boils down to these three things:
2023-03-31T08:47:09.4192321Z 
2023-03-31T08:47:09.4192447Z     #1) Respect the privacy of others.
2023-03-31T08:47:09.4192690Z     #2) Think before you type.
2023-03-31T08:47:09.4192976Z     #3) With great power comes great responsibility.
2023-03-31T08:47:09.4193161Z 
2023-03-31T08:47:09.4193653Z sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
2023-03-31T08:47:09.4194198Z sudo: a password is required
2023-03-31T08:47:09.4200564Z + return 1
2023-03-31T08:47:09.4200940Z + die 1 'Failed to run test command as root.'
2023-03-31T08:47:09.4201477Z + log error 'Failed to run test command as root.'
2023-03-31T08:47:09.4201875Z + test 1 = 1

Needs setting up passwordless sudo.

(Based on Kicksecure /etc/sudoers.d/user-passwordless)

%sudo   ALL=(ALL:ALL) NOPASSWD:ALL

Probably needs to be setup by .github/workflows/builds.yml.

Strange, I don’t know why your merge did not get my last commits, maybe you forgot to fetch them before merging?

Anyway, was trying to trigger the build not only when the installer is changed, but also when the workflow has changed:

It eases testing and avoids making extraneous commits to the installer, but couldn’t get it to work last time, will try again.

1 Like

Fixed that problem with CI outputs.

1 Like