From Whonix

Chrome logo


Ambox warning pn.svg.png Warning:

In Whonix ™, for better anonymity it is recommended to use only Tor Browser for browsing the internet. Use of any browsers such as Chromium, Firefox, Opera or others is discouraged. Reasons for that are elaborated on the Tor Browser wiki page.

Ambox warning pn.svg.png Chrome is non-freedom software!

See Avoid non-freedom software.

Ambox warning pn.svg.png Documentation for this entry is incomplete. Contributions are happily considered!


These instructions are cumbersome due to Google Chrome Repository Insecurity.

(Based on Linux Software Repositories [archive] instructions.)

Signing Key Installation[edit]

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

Download the signing key.


View OpenPGP key information.

gpg --keyid-format long --import --import-options show-only --with-fingerprint

pub   dsa1024/A040830F7FAC5991 2007-03-08 [SC]
      Key fingerprint = 4CCA 1EAF 950C EE4A B839  76DC A040 830F 7FAC 5991
uid                            Google, Inc. Linux Package Signing Key <>
sub   elg2048/4F30B6B4C07CB649 2007-03-08 [E]

gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
pub   rsa4096/7721F63BD38B4796 2016-04-12 [SC]
      Key fingerprint = EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796
uid                            Google Inc. (Linux Packages Signing Authority) <>
sub   rsa4096/78BD65473CB3BD13 2019-07-22 [S] [expires: 2022-07-21]

Convert assci armored to gpg keyring format [1]

gpg --no-default-keyring --keyring --import


Create keyring with the RSA 4096 signing key only.

gpg --no-default-keyring --keyring --armor --export "EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796" | gpg --dearmor --no-options --no-default-keyring > google.gpg

Install the Google RSA 4096 APT signing key.

sudo cp google.gpg /etc/apt/trusted.gpg.d/google.gpg

Avoid Google Chrome Automatic Repository Configuration[edit]

Due to Google Chrome Repository Insecurity.

Create file /etc/default/google-chrome to avoid Google Chrome Automatic Repository Configuration. [3]

Note: this will only work if Google Chrome Repository hasn't been previously added.

sudo touch /etc/default/google-chrome

Repository Installation[edit]

Open file /etc/apt/sources.list.d/google-chrome.list in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/apt/sources.list.d/google-chrome.list


deb [arch=amd64] stable main


Package Installation[edit]

Pick a package version.

  • google-chrome-stable
  • google-chrome-beta
  • google-chrome-unstable

Example below installs google-chrome-stable.

Install google-chrome-stable.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the google-chrome-stable package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends google-chrome-stable

The procedure of installing google-chrome-stable is complete.



  1. Because in next step, gpg can only work with keyrings. Not with assci armored public key files. This is to import only the newer signing key. Avoiding to import the insecure legacy DSA 1024 signing key.
  2. gpg --no-default-keyring --keyring --armor --export "EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796" | gpg --import

    gpg: key 7721F63BD38B4796: 2 signatures not checked due to missing keys
    gpg: key 7721F63BD38B4796: public key "Google Inc. (Linux Packages Signing Authority) <>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: no ultimately trusted keys found
  3. Note: Installing Google Chrome will add the Google repository so your system will automatically keep Google Chrome up to date. If you don’t want Google's repository, do “sudo touch /etc/default/google-chrome” before installing the package.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Did you know that anyone can edit the Whonix ™ wiki to improve it?

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.