Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing)

What CI does the Whonix project use? I have an M1 Mac and would be willing to consider installing an agent if it would allow a pre-built (and trusted, signed) build for people to just download as with VirtualBox images.

Let me know how we can communicate the details.

First post on here; it would be nice to have a verified build of it. Right now I do have a step-by-step guide so that I can build the newest version of Whonix for UTM.

Also, I saw that UTM has a new beta with an easier VM setup interface, support for QEMU 6.2 and support for the Apple Virtualization framework, which could be interesting to build on.

I do get some errors when I install tb-browser. When the script runs, it looks for msgcollector and helper-scripts in /usr/lib/, but they are in /usr/libexec/, so for now I just copied the files over. Was that the right thing to do? Or what went wrong?

But it is sad to see that the development of this has stalled. Anyone interested in at least an updated step-by-step guide?

Not a lack of hardware issue.

This forum. Detailed CI discussions would be worth a separate forum thread.

More bad news:

Tor Browser downloads using tb-updater broken.

Unfortunately this breaks arm64 downloads.



You must have an old version. This isn’t the case anymore since the first Debian bullseye based test version. Such kind of Whonix bugs on Mac M1 versus other Whonix platforms are highly unlikely.

No, because the original issue why this would happen wasn’t figured out.

Well, now I have tried multiple times to make it work, and I am not sure what I am doing wrong.
I use Debian 11.2 ARM for the script, and the newest repo from GitLab. Maybe some of my commands are wrong.

To download the repo I recently used

git clone --depth=1 --branch 16.0.3.7-stable --jobs=4 --recurse-submodules --shallow-submodules

and to run the script

sudo ./whonix_build --target utm --flavor whonix-workstation-xfce --build --arch arm64
sudo ./whonix_build --target utm --flavor whonix-gateway-xfce --build --arch arm64

Or should I do something else? I can compile it and get Whonix to run, but I still have to do:
sudo cp -R /usr/libexec/msgcollector/ /usr/lib/
sudo cp -R /usr/libexec/helper-scripts/ /usr/lib/

before I do

sudo apt-get install tb-updater tb-starter tb-default-browser
update-torbrowser

or else I won't be able to install Tor Browser. It works, but not like you mention it. What am I doing wrong?

Thank you for the info. I can contribute in other ways, but I am unsure what needs to be done. Is there some kind of list, or somewhere to start on what will get us to a downloadable build for M1 Macs on UTM?

I loosely followed this thread, but I am unsure where it stalled.

If you build an image then why do you need to install these packages anyhow? Should be installed by default inside the built image?

No. All that was ever said is in this forum thread.

I’d suggest to re-read this thread and split it into remaining tasks.

Also wiki seems out of date… This seems old…

Notes on the above:

  • For now, you will need to build from master which means running git checkout master after cloning the repo and adding --allow-untagged true to the end of the build command. Once arm64 support is in a new git tag, this will not be necessary.

Also I doubt it should/needs to be done on buster. That would be some easy wins. It would help for someone to take charge and stick with it.

I will re-read this thread. Then, I will put the tasks as I see them here when I am finished for posterity. I would like the link to that wiki page, so I can see about updating it as a start.

I guess what I meant in my original question was how do I make sure that I keep this compatible with your current build system for the other downloadable images, so that it can be easily integrated by the team.

Are there any documents on how the build system works?

Thank you for all your help so far.

There’s a small introduction here:

Is that what you’re looking for?

Other than that, it’s hard keeping it up to date and also I am not sure what kind of content is useful. Also, often the more documentation is written on a topic, the harder it is to keep it up to date and the more daunting things look, until at some point I am wondering if it would be better if it didn’t exist and people looked straight into the source code, skipping any imperfect descriptions.

See this forum thread; CI contributions as well would help to prevent me from casually breaking it at some point in the future.

Well, it's because when I do the build as I described, I cannot open up the web browser.
When I try to open it, I get a warning that says:

Be careful if x-www-browser (/user/libexec/open-link-confirmation/open-link-confirmation) is already running as your activities might get linked.
Do you want to open x-www-browser (/user/libexec/open-link-confimation/open-link-confirmation)?
(No/yes)

And I try to press yes multiple times, but it will not let me open it. I have tried to look up multiple times how to get past this, and someone recommended to just build it up again using these commands.

upgrade-nonroot
wget <link to whonixorg/patrick.asc>
sudo apt-key --keyring /etc/apt/trusted.gpg.d/derivative.gpg add ~/patrick.asc
echo "deb buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
sudo apt-get update
sudo cp -R /usr/libexec/msgcollector/ /usr/lib/
sudo cp -R /usr/libexec/helper-scripts/ /usr/lib/
sudo apt-get install tb-updater tb-starter tb-default-browser
update-torbrowser

Only then am I able to use Tor Browser. And I cannot find a Tor Browser on the system before I do this. So that's how I ended up with this. If there is another way to deal with this problem, then that would be great. Or documentation for where to read more about this? Again, I did use Debian 11.2 for the script, and Whonix 16.0.3.7-stable. The commands I used on Debian are these:

sudo apt update
sudo apt upgrade
sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring spice-vdagent spice-webdavd davfs2
sudo mkdir /mnt/dav
sudo mount -t davfs -o noexec /mnt/dav
git clone --depth=1 --branch 16.0.3.7-stable --jobs=4 --recurse-submodules --shallow-submodules
cd Whonix
sudo ./whonix_build --target utm --flavor whonix-workstation-xfce --build --arch arm64
sudo ./whonix_build --target utm --flavor whonix-gateway-xfce --build --arch arm64
cd
cd whonix_binary
cd 16.0.3.7
sudo cp Whonix-Workstation-XFCE.utm.tar.gz /mnt/dav/
sudo cp Whonix-Gateway-XFCE.utm.tar.gz /mnt/dav/
shutdown now

Sorry for the long post, and thanks for your replies. Also, I cannot post links; that's why I write as a replacement. I am a computer engineering student but I am kind of new to this. Hopefully I can contribute one day to this project in any way.

Don’t use buster.

(It’s not /user/. It really is /usr/.)

Where did you get this from? Installing a package from the binary repository and building from source code are very different things. Not to be mixed up.

If you build from source code you won’t be needing any additional packages from the repository.

Certainly don’t use buster. This shouldn’t be necessary. This might actually mess up things here.

Best to mention which instructions you’re following from where by sharing the link when asking.

Sorry, the first one was a typo, I meant (/usr/

And for the rest, it's a copy and paste from noelnoel's post from August 21 last year in this forum.
It was the only thing that I found that worked. And I know he did this on an older version of Whonix that was built on buster. But there were no step-by-step guides to build it on Bullseye correctly on UTM.

And I am using Debian 11.2 Bullseye, NOT buster, when I build this from source.

And as for why I used the buster repo, well, it was because it was the only thing that worked.
When I try to download tb-updater tb-starter tb-default-browser, it will just say

Note, selecting ‘dummy-dependency’ instead of ‘tb-updater’

and so on for all 3 downloads. When I try to run update-torbrowser

bash: update-torbrowser: command not found

So when I do build the source code from Bullseye, Tor Browser does not work.
I cannot open it because I get:

Be careful if x-www-browser (/user/libexec/open-link-confirmation/open-link-confirmation) is already running as your activities might get linked.
Do you want to open x-www-browser (/user/libexec/open-link-confimation/open-link-confirmation)?
(No/yes)

And every time I press yes, it loops and I cannot open the web browser. So I tried my best to make it work with what information I had. And it worked. But I understood something was off, so I had to ask here in the forums what I have done wrong so I can make it work correctly.

I don’t know what the user was doing there but it makes no sense. The Whonix repository can be enabled using --repo true. Can be appended to the whonix_build command. And should be documented.

Don’t do it and if you do, don’t post here about it. Too confusing.

It’s supposedly installed by default for --flavor whonix-workstation-xfce in Whonix-Workstation.

If it’s not, please don’t try any workarounds but post the build commands and build log instead.

First of all, I want to thank you so much for taking your time to help me with this.
And I want to apologize if I did make things more confusing for people here. That was not my intention.

Now to clarify what I am building on. Again, I am using Debian 11.2 Bullseye with all dependencies installed as prescribed in the build guide. As mentioned in the Apple Silicon guide for QEMU, it was recommended to use the git master repository to build on. So the git clone command I used is:

git clone --depth=1 --jobs=4 --recurse-submodules --shallow-submodules https://gitlab.com/whonix/Whonix.git

Now for the build command I used. I used --allow-untagged true so that I could build on the master repo as prescribed in the Apple Silicon QEMU guide. Then I added, as you said, --repo true.

So the commands for workstation and gateway are:

sudo ./whonix_build --target utm --flavor whonix-workstation-xfce --build --arch arm64 --allow-untagged true --repo true
sudo ./whonix_build --target utm --flavor whonix-gateway-xfce --build --arch arm64 --allow-untagged true --repo true

After setting up both gateway and workstation, I still get the same warning and problems on the workstation when I try to open the web browser:

Be careful if x-www-browser (/user/libexec/open-link-confirmation/open-link-confirmation) is already running as your activities might get linked.
Do you want to open x-www-browser (/user/libexec/open-link-confimation/open-link-confirmation)?
(No/yes)

I try to press yes, and it won't let me continue and the message loops. I try to use the update-torbrowser command in the terminal and get:

bash: update-torbrowser: command not found

The only difference now is that I have access to the right apt repo, so that I can download tb-updater tb-starter tb-default-browser without adding any new apt repositories. But after I have installed these and try to use the update-torbrowser command, I get this:

QUESTION: Download now?
y/n?
y
INFO: Tor Browser language variable TB_LANG was not yet set. Therefore defaulting TB_LANG to ‘en-US’, ok.
INFO: Because you are not using --nokilltb, now killing potentially still running instances of Tor Browser…
firefox.real: no process found
INFO: Digital signature (GPG) download… Will take a moment…
INFO: Downloading…: Tor Browser Ports - Browse Files at SourceForge.net
INFO: CURL_OUT_FILE: /home/user/.cache/tb/files/tor-browser-linux-arm64-11.0.3_en-US.tar.xz.asc
ERROR: Failed to download: Tor Browser Ports - Browse Files at SourceForge.net
Possible reasons:
-The download server is down.
-File size exceeded (endless data attack triggered).
-Tor Browser Downloader (by Whonix developers) has been broken due to upstream changes.
Recommendations:
-Try again later. If the error persists it probably won’t solve itself before the next update.
-Check News: Follow Whonix Developments
-Manually update: Tor Browser: Manual Download
(Debugging information: curl_status_message: [22] - [HTTP page not retrieved. The requested url was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.])

This is as far as I have gotten, and I cannot get the browser to work. I am new to this, so I am not sure what part of the build log you would need, if you need any.

Great.

Don’t. That is horribly outdated. Now updated in wiki.

It probably means the tb-updater / tb-starter package isn’t installed. Check

dpkg -l | grep tb-updater

Share the build log of the build if it is not installed. → Pasting Logs for Support

The major issue is that this is even needed. Should be installed by default. Please share the build log.

Now this is going to be a separate issue. That file does not exist indeed.

The issue was mentioned here:

And there is no solution that any user could use to fix tb-updater functionality.

Anyway. I highly recommend fixing the other issue of tb-updater not being installed by default, as this points at a broken/incomplete image build which would result in many more strange issues.

Tor Browser ARM64 download issues using tb-updater, see:

Wiki updated.


Sequential next steps:

  1. The user must make sure that their build is fixed. tb-updater should be installed by default and there should be no other broken/incomplete build issues. This cannot be skipped.
  2. Only then start looking into other Tor Browser issues.

As for other Tor Browser issues:

  1. only if there are no issues with the image build and tb-updater / tb-starter being installed by default
  2. please read Tor Browser Manual Update
  3. instructions Tor Browser: Manual Download are currently only for Tor Browser on the Intel / AMD64 platform

Until the issue ARM64 Tor Browser - #8 by Patrick is fixed, users can only manually install Tor Browser from:

There are currently no instructions for Tor Browser ARM64 manual download, verification, extraction. Help welcome.

So when I used the dpkg -l | grep tb-updater command, nothing showed up. I double-checked by just running dpkg -l and found nothing of tb-updater.

Here is the full build log I have from when I created the workstation

https://anonpaste.org/?b7ac982f99e3c224#Fa7h6dfwCVGRZoicfb4ySQYie7aygG8AeRVSwgZw6yCx

Would a more correct build command for UTM be this?

sudo ./whonix_build --target utm --flavor whonix-gateway-xfce --build --arch arm64 --repo true
sudo ./whonix_build --target utm --flavor whonix-workstation-xfce --build --arch arm64 --tb open --repo true

Also, I think you have a typo in the new Mac guide for Apple Silicon. Under workstation you used the gateway commands and under gateway you used the workstation command.

And I will look into the Tor Browser documentation for manual downloads. Thank you for all the links, so that I can read into it.

If you need the log for the gateway as well, then I will send it if necessary.

There is no UTM until a developer invents it and properly adds it to the build script and wiki.

Referring to forum posts for this kind of things is just horrible.

This is now fixed by unduplicating the build instructions.

For now not needed.

Thank you. Issue is here:

The following additional packages will be installed
dummy-dependency

Somehow dummy-dependency is installed instead of tb-updater. That’s a bug. An arm64 porting issue.

Background information, to learn about that package:

apt-cache show dummy-dependency

So some dependency cannot be fulfilled and therefore dummy-dependency is installed instead which then prevents tb-updater being installed.

More related background information:

Next step:

sudo apt purge dummy-dependency
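
Added example (not part of the original thread and not Whonix tooling): a small POSIX shell audit for the failure described above, where apt silently selects dummy-dependency in place of a real package. The sample log and `dpkg -l` rows are constructed, and the function names and the look-alike package name are hypothetical.

```shell
#!/bin/sh
# Added example: audit an image build for packages replaced by dummy-dependency.

# Print the package names from apt's
# "Note, selecting 'dummy-dependency' instead of 'PKG'" lines on stdin.
# Quote characters are skipped byte-wise (LC_ALL=C), so typographic quotes
# introduced by a forum or paste site still match.
find_dummy_substitutions() {
    LC_ALL=C sed -n 's/.*Note, selecting [^a-z]*dummy-dependency[^ ]* instead of [^a-z0-9]*\([a-z0-9][a-z0-9.+-]*\).*/\1/p' |
        LC_ALL=C sort -u
}

# Print each required package (arguments) that is not in state "ii" in the
# `dpkg -l` output on stdin. Matches the exact name, unlike `grep tb-updater`.
missing_packages() {
    awk -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        $1 == "ii" { sub(/:.*/, "", $2); ok[$2] = 1 }   # drop a ":arm64" suffix
        END { for (i = 1; i <= n; i++) if (!(req[i] in ok)) print req[i] }
    '
}

# Constructed sample build-log excerpt (not the poster's real log).
sample_log() {
    cat <<'EOF'
Reading package lists...
Note, selecting 'dummy-dependency' instead of 'tb-updater'
Note, selecting ‘dummy-dependency’ instead of ‘tb-starter’
The following additional packages will be installed:
  dummy-dependency
EOF
}

# Constructed sample `dpkg -l` rows; versions and the look-alike name are made up.
sample_dpkg_list() {
    cat <<'EOF'
ii  dummy-dependency   3:5.4-1  all    Dummy Dependency
ii  tb-updater-helper  1.0      all    constructed look-alike name
rc  tb-starter         3:4.9-1  all    removed, config files remain
ii  libc6:arm64        2.31-13  arm64  GNU C Library
EOF
}

echo "Replaced by dummy-dependency:"
sample_log | find_dummy_substitutions
echo "Required but not installed:"
sample_dpkg_list | missing_packages tb-updater tb-starter tb-default-browser
```

On a real system, feed the saved build log and the output of `dpkg -l` from inside the built image to the two functions instead of the samples.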