Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing)

derivative-builder doesn’t contain textual strings such as libgtk, libcairo2 or libreoffice. It looks like you’re having general system configuration issues.

For debugging, try running this command:

sudo dpkg --audit

It is expected that there is no output.

But if dpkg shows something, this means that dpkg found a system configuration issue.

modified quote of the dpkg man page:

Performs database sanity and consistency checks for […] all packages. For example, searches for packages that have been installed only partially on your system or that have missing, wrong or obsolete control data or files. dpkg will suggest what to do with them to get them fixed.

The user must fix this issue before proceeding. These issue is most likely not caused by derivative-issue. This is most likely a general system configuration issue.

No, I’m trying to build on the latest Bullseye Debian.

Yes, there is a problem with configuring fp-compiler-3.2.0:arm64 because of «Invalid floating point operation». I didn’t find any solutions, unfortunately. Yet.

Having the same issue with fp-compiler-3.2.0:arm64. Unable to complete build at this moment and have yet to find any solutions.

sudo dpkg --audit

The following packages are only half configured, probably due to problems
configuring them the first time.  The configuration should be retried using
dpkg --configure <package> or the configure menu option in dselect:
 fp-compiler-3.2.0:arm64 Free Pascal - compiler
sudo dpkg --configure fp-compiler-3.2.0:arm64

Setting up fp-compiler-3.2.0:arm64 (3.2.0+dfsg-12) ...
An unhandled exception occurred at $0000000000470960:
EInvalidOp: Invalid floating point operation

dpkg: error processing package fp-compiler-3.2.0:arm64 (--configure):
 installed fp-compiler-3.2.0:arm64 package post-installation script subprocess returned error exit status 217
Errors were encountered while processing:

Needs to be reported to Debian.

Hello! I found an issue in pascal’s source repository (idk if it’s you or not). I joined the discussion, tried to build from source. See:

3.2.0 can’t be built and as of now, I haven’t found any solution. If you use emulated arm64 in utm, then 3.2.0 builds, but the system is very slow (building of whonix-gateway took 6+ hours versus ~1h on native m1 pro).

3.2.2 builds like a charm from source, but I haven’t managed to install it from backports (for some reason apt still picks 3.2.0 AND 3.2.2 despite the priorities in preferences).

Seems that maintainer of fpc suggests just to install fpc 3.2.2.

@Patrick Could you please suggest:

  1. if I manage to install 3.2.2 from backports, will it work for the installation?
  2. Should I skip the fpc error in that case, will fpc 3.2.2 be included/noticed by gateway/workstation builds?
  3. Can I build from source and tell Whonix that binaries are in a {path}?

Also: just curious, why Whonix requires the whole FP IDE in the build (I mean lazarus, fp-ide etc installations)? Could it be optional/skipped?


Hey all! Managed to build & setup Gateway & Workstation version 17. Macbook Pro M1 Pro aka MacBookPro18,1 with UTM. Just followed instructions on the wiki page.

No problems with build except Workstation build failing tor downloader/updater because of the signature. The error that it throws is not self-explanatory - see log below. It says that download location is maybe moved or wrong, or connectivity issue, but in a nutshell, as you can see much more above in the logs, it’s just a signature check failing.

I’ve build Workstation with --tb open flag and it built successfully, but now I don’t have tor browser and tb-updater inside workstation can’t download it either - same error. I guess, I can easily install it manually, but better if there is an option to make it automatic and updatable. Please, any help?

I saw in another thread (ARM64 TB Maintainer) on this forum that signature public key should be updated once a year(?). Should we do that or this is another kind of problem? Thanks.


In short it says:

gpg: key 6AF15D1E45FDCEC9: public key "Heikki Lindholm <holin@iki.fi>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Signature made Sat Jul  8 16:57:30 2023 UTC
gpg:                using EDDSA key F5DAAED7A3A5BA2F429D2C5CCFFF1D4136F3AFA6
gpg: Can'\''t check signature: No public key

Hey, glad to hear you got it to build. How did you get around the issue with fp-compiler-3.2.0:arm64?

1 Like
1 Like

I made a change to the source code. It’s not required and no longer installed for arm64 builds.


I built Whonix 17, which is built on Debian Bookworm, which has fp-compiler-3.2.2 in main repos, so there was no fp-compiler issue anymore.

Quick Question, after following the apple silicon Soc guide, and building the utm iso of whonix, the gate way is 107GB is this normal? I only have 256gb in Mac book air this is eating up so much space… Any advice on what I can do? The work station is quite large too.


Don’t know how that works on Mac.

Are these sparse files or actually taking the space?

Well I’m not 100% sure but the macos system storage is showing the space as used up, other option is uploading to iCloud or put on microSD.

Tor browser updater wont allow to download tor browser, I tried using ARCH=arm64 update-torbrowser and it fails the signatures check

INFO: chroot: is_chroot=true is not set, ok.
INFO: Auto detecting ARCH…
INFO: ARCH ‘aarch64’ detected.
INFO: Auto detecting ARCH_DOWNLOAD…
INFO: ARCH_DOWNLOAD ‘linux-arm64’ detected.
INFO: CURL_PROXY: --proxy socks5h://tb-updater_4450ccdb-4805-4b5e-aef4-e81f03ba0094:password@
INFO: Not running inside Qubes Disposable Template, ok.
INFO: Using stable version. For alpha version, see: Tor Browser Essentials
INFO: Running Tor enabled check… Done.
INFO: Running Tor bootstrap check… Done.
INFO: Skipping ‘tb_connectivity_checks_curl’, because tb_skip_functions includes it.
INFO: Find out latest version… Downloading…: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json
INFO: CURL_OUT_FILE: /home/user/.cache/tb/RecommendedTBBVersions
INFO: Learn more about this Download Confirmation Notification.
INFO: Previously downloaded version: none
INFO: Currently installed version: None installed. (Folder /home/user/.tb/tor-browser does not exist.)
INFO: Online detected version: 12.5.2
QUESTION: Download now?
INFO: Requested Tor Browser version only support an ALL locale, fetching it.
INFO: Because you are not using --nokilltb, now killing potentially still running instances of Tor Browser…
firefox.real: no process found
INFO: Digital signature (GPG) download… Will take a moment…
INFO: Downloading…: Download tor-browser-linux-arm64-12.5.2_ALL.tar.xz.asc (Tor Browser Ports)
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/tor-browser-linux-arm64-12.5.2_ALL.tar.xz.asc
INFO: Downloading Tor Browser…
INFO: Downloading…: Download tor-browser-linux-arm64-12.5.2_ALL.tar.xz (Tor Browser Ports)
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/tor-browser-linux-arm64-12.5.2_ALL.tar.xz
INFO: Digital signature (GPG) verification… This will take a moment…
INFO: Using digital signature signing key by Heikki Lindholm.
ARM64 Tor Browser Maintainer
ERROR: Digital signature (GPG) could NOT be verified.
Tor Browser update failed! Try again later.



gpg_bash_lib_internal_gpg_verify_status_fd_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg: keybox ‘/home/user/.cache/tb/gpgtmpdir/pubring.kbx’ created
gpg: /home/user/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 6AF15D1E45FDCEC9: public key "Heikki Lindholm " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Signature made Sun Aug 6 13:09:04 2023 UTC
gpg: using EDDSA key F5DAAED7A3A5BA2F429D2C5CCFFF1D4136F3AFA6
gpg: Can’t check signature: No public key
zsh: exit 12 update-torbrowser

Probably outdated tb-updater package version.

Your image was probably created without --repo true, so without Kicksecure and without Whonix repository, so you’re not getting updates.


Either A) update tb-udpater from source code or B) update from distribution repository.

1. Enable the repository with the following command or by reading Whonix ™ APT Repository.

sudo repository-dist --enable --repository stable

2. Update according to the usual documentation. (Operating System Software and Updates) (Whonix is based on Kicksecure.)

3. Done.

Might be fixed.


“Please send me malware.”

Bad idea inviting strangers sending binaries.


Took a while to figure it out, so I’ll share for anyone who might find it useful.

On Debian 11, the trick was to install the fpc-3.2.2 package (free Pascal compiler) from the Debian backports repo, instead of version 3.2.0 (fp-compiler-3.2.0) that is installed with the build. The backports repo was added as explained in https://backports.debian.org/Instructions/, and then apt install fpc/bullseye-backports. After this, building worked using these commands (thanks to @moonme):

git clone --jobs=4 --recurse-submodules https://github.com/Whonix/derivative-maker.git

cd derivative-maker && git checkout --recurse-submodules

~/derivative-maker/derivative-maker --flavor whonix-gateway-xfce --target utm --arch arm64 --build --tb open

~/derivative-maker/derivative-maker --flavor whonix-workstation-xfce --target utm --arch arm64 --build --tb open

After these steps, ~/derivative-binary/ contained the .tar.gz archives.

Why use Debian 11 / bullseye and Whonix 16 if both are already oldstable, meaning not the latest stable?

Um, mostly because I followed the macOS Wiki that said to download Debian bullseye :sweat_smile:

I actually tried to build Whonix 17 on Debian 12, but the build failed after some time, so I wasn’t sure if I should wait for a “stable” tag before trying stuff out…