Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing)

So I have been trying to make the newest build of 16.0.6.8-developers-only build on Mac M1, but have gotten myself into some problems. I have followed the https://forums.whonix.org/t/derivative-maker-automated-ci-builder/14468 thread and made sudo passwordless by adding /etc/sudoers.d/passwordless as explained in the thread, but got into some problems.

Building the gateway worked fine:
https://notes.anonpaste.org/?b65818cc9d69c9ed#9MzGBcqaLq9JaaxYMqvZbSDEpsz5gCQXvcssezPMxCb9

Used the command

$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64

But building the workstation did not go so well:
https://notes.anonpaste.org/?7707cae5cebe5bc1#EKSDDMZCQkKEDLtDv97FFyUrSV2aXtybCanRhghY9AKK

I tried both of these commands

$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64
$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open

From what I can see from the log it's:

####################################################################
## BEGIN ERROR in /var/lib/dpkg/info/tb-updater.postinst detected!
##
## ERROR LOG:
## See above.
##
## BASH_COMMAND: $tool $chroot_maybe --postinst
## EXIT_CODE: 7
##
## END ERROR in /var/lib/dpkg/info/tb-updater.postinst detected!
## Please report this bug!
####################################################################

That is the reason why the build fails.
Hope these logs can help you find out about this.


Hopefully there are some contributors out here. I’m a normal user with an M1, hoping to use Whonix via UTM.
However, while I build my image, I get 7~8 errors during the build by Debian. I just continue, since I can’t find what’s wrong.
After I finish it and initialize it in UTM, the VM skips initializing the boot files and goes on to the UEFI interactive shell (maybe it fails to read the file).
After the failure, I even built it as qcow2, because I thought raw is not supported by UTM (but this also seems not to be the reason).
This is my 10th attempt at building this, and it seems hopeless to retry.
Are there any other options for me to use Whonix…? Maybe a pre-made tar.gz file…?

I understand this is only for experts, but please give normal users a chance to use whonix… I can’t buy another laptop because of whonix…

Unfortunately, project resources are limited and there isn’t a contributor supporting this use case.

As already said in the script error handler, please do not report bugs as a result of ignoring errors. That’s very much to be expected to have all sorts of issues including being unbootable. If anything, each error has to be investigated on its own. There are no shortcuts.

Might be fixed in 16.0.6.9-testers-only.

So I have now built the 16.0.6.9-testers-only version and it was a success.
Command used was:

$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64
$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64

And here is the build log:
https://notes.anonpaste.org/?03b29a924d87a3ad#3KpehejpAVY4gY6Ekf1HymxjzSB6avf6azcxKSRtx3Qy

It manages to build without the --tb open tag. I will now test the build and make a guide or something on how to build this version if anyone is interested.

I requested it since I saw a Google Drive link that was sharing an image, but now the link is void.
I know it’s expected to fail by ignoring errors, but from a normal user’s stance, nothing can be done to handle these. As I said, I studied the whole VM build documentation, and searched every community post to solve this for a week.
Should I retry it for a month to get this done?
I hope not.

Or any other options?

My Whonix Mac M1 Build Guide 26 August 2022 (Devs-only)

Today I have successfully built the new 16.0.6.9-testers-only build. After following another thread:
https://forums.whonix.org/t/derivative-maker-automated-ci-builder/14468 I decided to try to build again. Things have changed a bit since the last time I made a guide, so this is an update to that. Remember that the build guide is the official guide for building Whonix on Mac. This is just a help guide for the current build process.

Step 1: Setting up Debian

I expect that you guys know how to download Debian and set it up via UTM. If you are unable to do that, I highly suggest you not try to build this project yet, as it's quite advanced. But I will try to explain some common problems with a new Debian install and some stuff that needs to be done before building.

One of the most common problems with a new Debian install is that apt and sudo are not set up. There are quite a lot of guides online and on YouTube that explain how to set them up, but it's important that they are in working condition. Also, it needs to be Debian 11 bullseye or newer for the project to build.

Quick sheet if anyone has problems with getting apt or sudo to work:
Log in to Debian
$ su
$ cd /etc/apt/
$ nano sources.list
-----------------------------------------sources.list-----------------------------------------------------------------
deb http://deb.debian.org/debian bullseye main contrib non-free
deb-src http://deb.debian.org/debian bullseye main contrib non-free

deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://deb.debian.org/debian-security/ bullseye-security main contrib non-free

deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free

deb http://deb.debian.org/debian bullseye-backports main contrib non-free
deb-src http://deb.debian.org/debian bullseye-backports main contrib non-free
------------------------------------------------------------------------------------------------------------------------
$ exit
$ exit
Restart Debian

Log in to Debian again
$ su
$ apt update
$ apt upgrade
$ apt install sudo
$ /usr/sbin/usermod -aG sudo user
$ exit
$ exit

Restart Debian

When your Debian VM is up and running on UTM, the first thing to do is upgrade and update the repository so everything is up to date (update the package lists first, then upgrade):

$ sudo apt update && sudo apt upgrade

After this your Debian VM should be up to date, and we can download some necessary dependencies:

$ sudo apt install git time curl apt-cacher-ng lsb-release fakeroot fasttrack-archive-keyring

These are a must-have. You can also download nano, vim, emacs or neovim as your editor. I use neovim, but for the example and simplicity of this guide use nano; to download that you just:

$ sudo apt install nano

Now here is something new you need to do for the new build script.
The script needs you to have passwordless sudo, or else the build will fail.

How did you set up passwordless sudo?
The following should work:

$ sudo touch /etc/sudoers.d/passwordless
$ sudo nano /etc/sudoers.d/passwordless
--------------------------passwordless------------------------------
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
--------------------------------------------------------------------
$ sudo adduser user sudo

(Required to replace user with actual user name.)

Optional - Shared folders

For transferring files from the VM to your Mac you could use Google Drive or something similar if your Debian is set up with internet and a desktop environment like GNOME or KDE. But you can also transfer files via the CLI. The way I used is by installing:
$ sudo apt install spice-vdagent spice-webdavd davfs2

which gives you SPICE tools for UTM and davfs2 for shared folders (remember to enable shared folders in the UTM settings). Then use the commands:

$ sudo mkdir /mnt/dav
$ sudo mount -t davfs -o noexec http://127.0.0.1:9843/ /mnt/dav

Step 2: Build Whonix

After you have correctly set up your Debian VM, you are ready to download and build the project. To download the project use the command:

$ git clone --depth=1 --branch 16.0.6.9-testers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/derivative-maker/derivative-maker.git

in your home directory. Then navigate into the derivative-maker folder:

$ cd derivative-maker/
$ git describe
16.0.6.9-testers-only

When inside you are ready to build the gateway (NB: only do one build at a time):

$ ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64

This should be done without sudo privileges now, then build the workstation:

$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64

In version 16.0.6.9-testers-only there should be no need to use the tag --tb open unless the build fails. More on that in Step 4: If tb browser fails to build.

You will now find the built project under the $HOME/derivative-binary/16.0.6.9 folder.

Note: You should wait until a newer stable release comes out. Just replace everything mentioning 16.0.6.9-testers-only with the new tag.

Step 3: Setup Whonix

When the build is finished, move the tar files locally onto your Mac, extract them and add the .utm for gateway and workstation to your UTM application. Then I go to the settings on both and enable fit to screen, retina mode and clipboard sharing, and enable virtio-ramfb-gl (GPU supported). For the workstation I also add a bit more RAM, up to 6 GB, but that's me. When I start both VMs I also adjust the mouse, keyboard and theme settings in XFCE.

On the gateway I use these commands in the terminal:

$ sudo passwd root
$ sudo passwd user
$ upgrade-nonroot
$ sudo apt install spice-vdagent spice-webdavd
$ sudo shutdown now

And start it up again. On the workstation I use these commands:

$ sudo passwd root
$ sudo passwd user
$ upgrade-nonroot
$ sudo apt install spice-vdagent spice-webdavd
$ sudo shutdown now

You can also add the shared folder function just like explained earlier. Remember to run your Gateway VM if you want to browse on the Workstation. Tor Browser and everything should be operational, but if not, then:

Step 4: If tb browser fails to build

ONLY DO THIS IF TB FAILS ON BUILD

To build the workstation if/when tb-browser fails to build, use the command:

$ ./derivative-maker --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open

This will build the project without trying to download tb-browser right away. But then you need to download it manually.

To make it work follow this guide to manually set it up:

https://www.whonix.org/wiki/Tor_Browser/Manual_Download

But instead of the link provided there use the tor browser port from Heikki Lindholm at:

https://sourceforge.net/projects/tor-browser-ports/

This will enable Tor Browser to work on the workstation. OR, to simplify it, I have used these commands instead:

$ mkdir --parents /home/user/.tb
$ wget https://sourceforge.net/projects/tor-browser-ports/files/11.0.4-alsa/tor-browser-linux-arm64-11.5.1_en-US.tar.xz/download -P /home/user/.tb/

(You might have to change the link portion of the wget command if there is a newer TB available.)

Then verify the download and:

open filemanager → extract download in .tb file → change filename to tor-browser

Then you get the same result.

And that should be it. This is how I made Whonix work on the M1 architecture with the current build, as correctly as possible to this date. Hopefully this will help someone out there. I am also available to answer some questions when it comes to building or setting up stuff on the M1 for Whonix now. Also, if there is anything wrong with this guide, please let me know.


It seems to be a normal user-friendly guide… I definitely appreciate your support.
I’ll try this in hours, and leave a comment whether it progresses successfully.

I was wondering if you watch videos or anything that actually uses the video card. If so, how long are the VMs open and do you minimize them for long hours at a time?

I ask because all the GPU options give me a random crash with something about Metal. It only seems to happen when I have minimized the VM, but not immediately. If you are using it similarly and have no problems, could we PM and compare notes?

I have not noticed any crashes. That being said, I do not use the VM for a very long time, so there could be problems with that. The reason I use the GPU-supported display card is that they run way better than anything else. If I use any of them without it, the VM seems very slow.

Hi, I’ve tried to build as per the guide from @Goldeneye128 above in an updated Debian 11 Bullseye UTM VM, but keep on getting the following error on the initial Gateway build:

############################################################
ERROR in ././build-steps.d/1700_install-packages detected!

dist_build_version: 16.0.6.9
dist_build_error_counter: 1
benchmark: 00:00:23
last_failed_exit_code: 1
trap_signal_type_previous: unset
trap_signal_type_last    : ERR

process_backtrace_result:
1: : init
2: : sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
3: : sshd: user [priv]
4: : sshd: user@pts/0
5: : -bash
6: : /bin/bash ./derivative-maker --target utm --flavor whonix-gateway-xfce --build --arch arm64
7: : /bin/bash ././build-steps.d/1700_install-packages

function_trace_result:
main (line number: 495)
main (line number: 491)
install-packages (line number: 205)
errorhandlerunchrootunpreventunmount (line number: 392)
errorhandlerprocessshared (line number: 211)


last_failed_bash_command: "$dist_source_help_steps_folder/mount-raw"
############################################################

Any help in troubleshooting this?

The log excerpt is too short to get any idea what’s going wrong. → Pasting Logs for Support (Whonix is based on Kicksecure.)

In this case though, to save you some work, no log is required…

Mount issues:

    1. Reboot required.
    2. Might be fixed in a later git tag. Some upstream bugs in mount / kernel have been detected during CI development. A more robust use of mount working around these bugs has been implemented since. No newer testers or release available yet. You could monitor Whonix news when that happens. → Follow Whonix ™ Developments. Might happen within the next 2 weeks but please don’t quote me on that.

From what I can see, you are using the 16.0.6.9-testers-only tag, which is now kinda outdated. In my guide I did mention you need to renew the tag when a new one comes out. I did build today just to check, using this git clone command:

$ git clone --depth=1 --branch 16.0.7.9-developers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/derivative-maker/derivative-maker.git 

As of today the newest developers-only tag is: 16.0.7.9-developers-only. I usually follow GitHub for what the newest tag to use is. I do recommend you use the newest stable or developers-only tag. Try the new one? Maybe that works better?

EDIT: I see Patrick has already responded now. So maybe I was wrong and you need to reboot for now as well. (I am tired from work and completely blind.)

So I did more research. Looks like QEMU does not support direct GPU like Parallels does. They have a more direct connection with Apple's hypervisor than QEMU does. As UTM is just a GUI application for QEMU, this is what we get. virtio-ramfb-gl seems to be the best graphics mode with GPU acceleration, but it is a bit unstable (noticed some as well). If you do not need it you can choose something else. Just wanted to let you know. Most likely nothing else will be supported for a long while (and maybe never), so this is the best FOSS option for now.

Thanks for a great guide. But I can’t get my build to work.

I get the following error,

W: listening on child socket failed:
D: 5028 5784 finish to listen for hooks
E: /home/xxxxxx/derivative-maker/help-steps/pbuilder-debootstrap-command-filter failed
E: debootstrap.log not present
W: Aborting with an error
E: pbuilder create failed
I: forking: rm -rf /var/cache/pbuilder/base.cow_arm64

and

last_failed_bash_command: return "$cowbuilder_exit_code"
############################################################

++ unset error_reason
++ '[' ERR = INT ']'
++ '[' ERR = TERM ']'
++ '[' ERR = ERR ']'
++ '[' '!' 0 = 0 ']'
++ true 'INFO: dist_build_auto_retry set to 0 (--retry-max). No auto retry.'
++ unset dist_build_auto_retry_counter
++ true
++ ignore_error=false
++ answer=
++ '[' ERR = ERR ']'
++ '[' '' = true ']'
++ '[' -t 0 ']'
++ true 'INFO: stdin connected to terminal, using interactive error handler.'
++ true 'ERROR: in ././build-steps.d/1130_cowbuilder-setup detected!

It seems that a lot of packages can’t be downloaded because I get “502 Connection reset by peer [IP: 127.0.0.1 3142]” error on the “apt” downloading.

I have also tried with the latest developers tag, but same issue.

Thanks.

Not sure what is wrong then. Can you use https://notes.anonpaste.org/ (make sure to hook off Burn after reading or else it will delete itself right away) and post the entire build log? Kinda hard to see what is wrong with just this.

And just to be sure, can you ping? (Do you have a stable net connection?) What do you get when you type the command lsb_release -a in the terminal? Have you made any changes to the image itself? Had any problem downloading or installing anything else before?

Ok. Seems that my apt-cacher-ng is the problem, because I get download problems with “apt install” when I’m using the apt-cacher-ng.
I tried the version in backports, but still same error. Is it possible to build without that function?

I can ping deb.debian.org without any problems or loss. I have not made any changes to the image.

lsb_release -a gives this information:

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 11 (bullseye)
Release:	11
Codename:	bullseye

Thanks.

Well, if you could give out the entire build log it would help out a lot. Also, if you get problems with apt install then you should fix that. Maybe try a round of:

$ sudo apt update && sudo apt upgrade

If you cannot update or upgrade, it most likely means your config at /etc/apt/sources.list is not good.

$ sudo apt install git time curl apt-cacher-ng lsb-release fakeroot fasttrack-archive-keyring

Also remember to download all the dependencies.

No.

Not without source code modifications. apt-cacher-ng is used by default on developer machines. https repositories for apt-cacher-ng being able to cache these need to be in a special format. There are already too many. Maintaining a set for apt-cacher-ng vs non-apt-cacher-ng would be too much effort. That’s why this feature won’t be added.

No special configuration of build machine /etc/apt/sources.list /etc/apt/sources.list.d is required.

Since this is the first time this doesn’t work, I also suspect a local configuration issue and not apt-cacher-ng issue.

If I’m running “apt” commands without “apt-cacher-ng” activated I have no problem at all, but as soon as I activate “apt-cacher-ng” I have to run “apt upgrade && sudo apt update” like 3-4 times, then it works.

I have tried different Debian mirrors in my /etc/apt/sources.list and, as stated above, it works without any problem without apt-cacher-ng activated, but as soon as I activate apt-cacher-ng I get problems with "502 Connection reset by peer [IP: 127.0.0.1 3142]".

And my /etc/apt/sources.list should not have anything to do with the build? Because I think my sources.list gets replaced with other repos from the source code? Because when I run a build it does not use any other mirror, just the original deb.debian.org.

I have all dependencies installed. For example I have “gcc-10-base” installed already, but the “derivative-maker” build is downloading that again. I don’t really know how this “derivative-maker” build works, but it makes a new environment and downloads packages into that environment? And it uses “apt-cacher-ng”, which causes my problems.

here is a paste of the build log,
https://notes.anonpaste.org/?badef3a769d95e85#3JdEBfa3cZf1BswBGADWhezxknmJNdK9Q2GirW78q8af

The problem starts at row 1406.

I have tried to download some of the packages with “wget” and that works just fine.

Cheers!
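A small log-triage script, added here as an example (it is not from this thread or from the derivative-maker project), that pulls the failing build step, exit code and last command out of the two error-handler layouts quoted in this thread and maps them to the remedies given above (--tb open for tb-updater, reboot or newer tag for mount-raw, apt-cacher-ng for 502s); the sample log is constructed from those quoted fragments.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the error-handler output quoted in this thread
# (not a real derivative-maker log).
SAMPLE_LOG = """\
Err:1 http://127.0.0.1:3142/deb.debian.org/debian bullseye/main arm64 gcc-10-base arm64 10.2.1-6
  502  Connection reset by peer [IP: 127.0.0.1 3142]
E: debootstrap.log not present
E: pbuilder create failed
############################################################
ERROR in ././build-steps.d/1130_cowbuilder-setup detected!

dist_build_version: 16.0.6.9
last_failed_exit_code: 1
last_failed_bash_command: return "$cowbuilder_exit_code"
############################################################
"""

# Both layouts seen in the thread: the "## BEGIN ERROR in ... detected!" block written
# from inside the chroot (postinst hook) and the "ERROR in <step> detected!" block from build-steps.d.
STEP_RE = re.compile(r"ERROR in (\S+) detected!")
EXIT_RE = re.compile(r"^(?:## EXIT_CODE|last_failed_exit_code): (\d+)", re.M)
CMD_RE = re.compile(r"^(?:## BASH_COMMAND|last_failed_bash_command): (.+)$", re.M)
ACNG_502_RE = re.compile(r"502\s+Connection reset by peer \[IP: 127\.0\.0\.1 3142\]")

# Remedies are the ones given in this thread, keyed by a substring of the failing step or command.
HINTS = [
    ("tb-updater", "Tor Browser fetch failed in postinst: rebuild with --tb open and install TB manually (Step 4)"),
    ("mount-raw", "mount-raw failed: reboot the build VM, or try a newer git tag"),
    ("cowbuilder", "pbuilder chroot creation failed: check apt-cacher-ng on 127.0.0.1:3142 and the host network"),
]


@dataclass
class Triage:
    step: Optional[str] = None
    exit_code: Optional[int] = None
    command: Optional[str] = None
    acng_502_count: int = 0
    hints: List[str] = field(default_factory=list)


def triage(log: str) -> Triage:
    """Extract the failing step, exit code and last command, then map them to the thread's remedies."""
    t = Triage()
    m = STEP_RE.search(log)          # first match is the BEGIN line, not the END line
    if m:
        t.step = m.group(1)
    m = EXIT_RE.search(log)
    if m:
        t.exit_code = int(m.group(1))
    m = CMD_RE.search(log)
    if m:
        t.command = m.group(1).strip()
    t.acng_502_count = len(ACNG_502_RE.findall(log))
    haystack = f"{t.step or ''} {t.command or ''}"
    t.hints = [hint for key, hint in HINTS if key in haystack]
    if t.acng_502_count:
        t.hints.append(f"{t.acng_502_count} apt-cacher-ng 502 error(s): the local proxy is failing; "
                       "it cannot be bypassed without source changes, so fix it before rebuilding")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"step={result.step} exit={result.exit_code} cmd={result.command!r}")
    for h in result.hints:
        print(" -", h)
```

Run it as `python3 triage.py < build.log` after swapping SAMPLE_LOG for `sys.stdin.read()` to check a full log pasted from the build VM.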

I have now successfully built Whonix with 16.0.8.2-stable & imported it into UTM. I use mullvad-vpn on my Mac & in order to make other VMs bypass the VPN & connect via clearnet - I change the networking to Bridged & this works for them without disabling Mullvad (split-tunnelling is not available on the Mac for wireguard/Mullvad) for other work on the same Mac.

The option to change the networking mode is available on other VMs manually created in UTM but is NOT available with the prebuilt Whonix Gateway. I presume that it has to be added/edited in QEMU arguments. Can anyone let me know how that is done? UTM documentation asks to change it in the options but as mentioned this isn’t available on the imported Whonix.