Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing)

Having the same issue with fp-compiler-3.2.0:arm64. Unable to complete build at this moment and have yet to find any solutions.

sudo dpkg --audit

The following packages are only half configured, probably due to problems
configuring them the first time.  The configuration should be retried using
dpkg --configure <package> or the configure menu option in dselect:
 fp-compiler-3.2.0:arm64 Free Pascal - compiler
sudo dpkg --configure fp-compiler-3.2.0:arm64

Setting up fp-compiler-3.2.0:arm64 (3.2.0+dfsg-12) ...
An unhandled exception occurred at $0000000000470960:
EInvalidOp: Invalid floating point operation
  $0000000000470960
  $0000000000472FC0
  $0000000000472F04
  $0000000000470FA8
  $0000000000400EEC
  $0000000000402ACC
  $0000FFFF99446E18
  $0000000000400668

dpkg: error processing package fp-compiler-3.2.0:arm64 (--configure):
 installed fp-compiler-3.2.0:arm64 package post-installation script subprocess returned error exit status 217
Errors were encountered while processing:
 fp-compiler-3.2.0:arm64

Needs to be reported to Debian.

Hello! I found an issue in pascal’s source repository (idk if it’s you or not). I joined the discussion, tried to build from source. See:

3.2.0 can’t be built and as of now, I haven’t found any solution. If you use emulated arm64 in utm, then 3.2.0 builds, but the system is very slow (building of whonix-gateway took 6+ hours versus ~1h on native m1 pro).

3.2.2 builds like a charm from source, but I haven’t managed to install it from backports (for some reason apt still picks 3.2.0 AND 3.2.2 despite the priorities in preferences).

Seems that maintainer of fpc suggests just to install fpc 3.2.2.

@Patrick Could you please suggest:

  1. if I manage to install 3.2.2 from backports, will it work for the installation?
  2. Should I skip the fpc error in that case, will fpc 3.2.2 be included/noticed by gateway/workstation builds?
  3. Can I build from source and tell Whonix that binaries are in a {path}?

Also: just curious, why does Whonix require the whole FP IDE in the build (I mean lazarus, fp-ide etc installations)? Could it be optional/skipped?

Thanks:)

Hey all! Managed to build & setup Gateway & Workstation version 17. Macbook Pro M1 Pro aka MacBookPro18,1 with UTM. Just followed instructions on the wiki page.

No problems with build except Workstation build failing tor downloader/updater because of the signature. The error that it throws is not self-explanatory - see log below. It says that download location is maybe moved or wrong, or connectivity issue, but in a nutshell, as you can see much more above in the logs, it’s just a signature check failing.

I’ve built Workstation with --tb open flag and it built successfully, but now I don’t have tor browser and tb-updater inside workstation can’t download it either - same error. I guess, I can easily install it manually, but better if there is an option to make it automatic and updatable. Please, any help?

I saw in another thread (ARM64 TB Maintainer) on this forum that signature public key should be updated once a year(?). Should we do that or is this another kind of problem? Thanks.

Logs

In short it says:

gpg: key 6AF15D1E45FDCEC9: public key "Heikki Lindholm <holin@iki.fi>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Sat Jul  8 16:57:30 2023 UTC
gpg:                using EDDSA key F5DAAED7A3A5BA2F429D2C5CCFFF1D4136F3AFA6
gpg: Can'\''t check signature: No public key
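Added example (not part of the thread and not tb-updater's own code): a small triage helper that reads `gpg --verify` text like the log above and separates "signing key not in the keyring" from "bad signature". The function names `classify_gpg_verify` and `sample_log` are hypothetical; the sample lines are copied from the log in the post above.

```shell
#!/bin/sh
# Classify human-readable gpg import/verify output read from stdin.
# Prints one line:
#   good <signer-fpr>
#   bad <signer-fpr>
#   missing-key <signer-fpr> keyid=<last 16 hex> imported=<key ids|none>
#   unknown
classify_gpg_verify() {
    awk '
        # Key ids that were imported into the temporary keyring.
        /^gpg: key [0-9A-F]+: public key .* imported/ {
            id = $3; sub(/:$/, "", id)
            imported = imported (imported ? "," : "") id
        }
        # Fingerprint of the key that actually made the signature.
        /^gpg: +using [A-Za-z0-9]+ key [0-9A-F]+/ { signer = $NF }
        /^gpg: Good signature/ { verdict = "good" }
        /^gpg: BAD signature/  { verdict = "bad" }
        # Matches any apostrophe variant or shell-escaped form of the message.
        /^gpg: Can.*t check signature: No public key/ { verdict = "missing-key" }
        END {
            if (verdict == "") { print "unknown"; exit }
            if (verdict == "missing-key") {
                # A long key id is the last 16 hex digits of the fingerprint,
                # so it can be compared with the imported key ids directly.
                keyid = substr(signer, length(signer) - 15)
                print verdict, signer, "keyid=" keyid, \
                      "imported=" (imported ? imported : "none")
            } else {
                print verdict, signer
            }
        }'
}

# Sample input: the lines quoted in the post above.
sample_log() {
    cat <<'EOF'
gpg: key 6AF15D1E45FDCEC9: public key "Heikki Lindholm <holin@iki.fi>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Sat Jul  8 16:57:30 2023 UTC
gpg:                using EDDSA key F5DAAED7A3A5BA2F429D2C5CCFFF1D4136F3AFA6
gpg: Can't check signature: No public key
EOF
}

sample_log | classify_gpg_verify
```

For the log above this reports `missing-key` with a signer key id that differs from the one imported key id: gpg had no copy of the key that made the signature and never got as far as checking the signature itself.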

Hey, glad to hear you got it to build. How did you get around the issue with fp-compiler-3.2.0:arm64?


I made a change to the source code. It’s not required and no longer installed for arm64 builds.


I built Whonix 17, which is built on Debian Bookworm, which has fp-compiler-3.2.2 in main repos, so there was no fp-compiler issue anymore.

Quick question: after following the Apple Silicon SoC guide and building the UTM ISO of Whonix, the gateway is 107GB. Is this normal? I only have 256GB in MacBook Air and this is eating up so much space… Any advice on what I can do? The workstation is quite large too.

Related:

Don’t know how that works on Mac.

Are these sparse files or actually taking the space?

Well I’m not 100% sure but the macos system storage is showing the space as used up, other option is uploading to iCloud or put on microSD.

Tor browser updater won’t allow me to download Tor browser. I tried using ARCH=arm64 update-torbrowser and it fails the signature check

update-torbrowser
INFO: chroot: is_chroot=true is not set, ok.
INFO: Auto detecting ARCH…
INFO: ARCH ‘aarch64’ detected.
INFO: Auto detecting ARCH_DOWNLOAD…
INFO: ARCH_DOWNLOAD ‘linux-arm64’ detected.
INFO: CURL_PROXY: --proxy socks5h://tb-updater_4450ccdb-4805-4b5e-aef4-e81f03ba0094:password@10.152.152.10:9115
INFO: Not running inside Qubes Disposable Template, ok.
INFO: Using stable version. For alpha version, see: Tor Browser Essentials
INFO: Running Tor enabled check… Done.
INFO: Running Tor bootstrap check… Done.
INFO: Skipping ‘tb_connectivity_checks_curl’, because tb_skip_functions includes it.
INFO: Find out latest version… Downloading…: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json
INFO: CURL_OUT_FILE: /home/user/.cache/tb/RecommendedTBBVersions
INFO: Learn more about this Download Confirmation Notification.
https://www.whonix.org/wiki/Tor_Browser/Download_Confirmation_Notification
INFO: Previously downloaded version: none
INFO: Currently installed version: None installed. (Folder /home/user/.tb/tor-browser does not exist.)
INFO: Online detected version: 12.5.2
QUESTION: Download now?
y/n?
y
INFO: Requested Tor Browser version only support an ALL locale, fetching it.
INFO: Because you are not using --nokilltb, now killing potentially still running instances of Tor Browser…
firefox.real: no process found
INFO: Digital signature (GPG) download… Will take a moment…
INFO: Downloading…: Download tor-browser-linux-arm64-12.5.2_ALL.tar.xz.asc (Tor Browser Ports)
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/tor-browser-linux-arm64-12.5.2_ALL.tar.xz.asc
INFO: Downloading Tor Browser…
INFO: Downloading…: Download tor-browser-linux-arm64-12.5.2_ALL.tar.xz (Tor Browser Ports)
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/tor-browser-linux-arm64-12.5.2_ALL.tar.xz
INFO: Digital signature (GPG) verification… This will take a moment…
INFO: Using digital signature signing key by Heikki Lindholm.
ARM64 Tor Browser Maintainer
ERROR: Digital signature (GPG) could NOT be verified.
Tor Browser update failed! Try again later.

gpg_bash_lib_output_alright_status:
gpg_bash_lib_output_failure:

gpg_bash_lib_output_diagnostic_message:

gpg_bash_lib_internal_gpg_verify_status_fd_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /home/user/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keybox ‘/home/user/.cache/tb/gpgtmpdir/pubring.kbx’ created
gpg: /home/user/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
gpg: key 6AF15D1E45FDCEC9: public key "Heikki Lindholm " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Sun Aug 6 13:09:04 2023 UTC
gpg: using EDDSA key F5DAAED7A3A5BA2F429D2C5CCFFF1D4136F3AFA6
gpg: Can’t check signature: No public key
gpg_bash_lib_output_gpg_verify_status_fd_output:
zsh: exit 12 update-torbrowser

Probably outdated tb-updater package version.

Your image was probably created without --repo true, so without Kicksecure and without Whonix repository, so you’re not getting updates.

Solution:

Either A) update tb-updater from source code or B) update from distribution repository.

1. Enable the repository with the following command or by reading Whonix ™ APT Repository.

sudo repository-dist --enable --repository stable

2. Update according to the usual documentation. (Operating System Software and Updates) (Whonix is based on Kicksecure.)

3. Done.

Might be fixed.

Outdated.

translation:
“Please send me malware.”

Bad idea inviting strangers sending binaries.

Note:

Took a while to figure it out, so I’ll share for anyone who might find it useful.

On Debian 11, the trick was to install the fpc-3.2.2 package (free Pascal compiler) from the Debian backports repo, instead of version 3.2.0 (fp-compiler-3.2.0) that is installed with the build. The backports repo was added as explained in https://backports.debian.org/Instructions/, and then apt install fpc/bullseye-backports. After this, building worked using these commands (thanks to @moonme):

git clone --jobs=4 --recurse-submodules https://github.com/Whonix/derivative-maker.git

cd derivative-maker && git checkout --recurse-submodules 16.1.1.5-stable

~/derivative-maker/derivative-maker --flavor whonix-gateway-xfce --target utm --arch arm64 --build --tb open

~/derivative-maker/derivative-maker --flavor whonix-workstation-xfce --target utm --arch arm64 --build --tb open

After these steps, ~/derivative-binary/16.1.1.5/ contained the .tar.gz archives.

Why use Debian 11 / bullseye and Whonix 16 if both are already oldstable, meaning not the latest stable?

Um, mostly because I followed the macOS Wiki that said to download Debian bullseye :sweat_smile:

I actually tried to build Whonix 17 on Debian 12, but the build failed after some time, so I wasn’t sure if I should wait for a “stable” tag before trying stuff out…

Anyway, tried it again after your message, building tag 17.0.4.0 worked, so thanks!

Whonix ™ VM Build Documentation chapter Choose Version in Whonix wiki
