Dev/Build Documentation/8 full

Build Documentation

Introduction

This page documents how to build Whonix VirtualBox images. If you have any questions or need help, get in Contact.

It documents how to build the stable version of Whonix. If you are instead interested in building the testers version of Whonix, see Build Documentation.

Knowledge assumed: basic principles of Virtualization; operation of your platform; Linux knowledge: how to install Debian and basic command line knowledge.

Only one prerequisite: you need a working internet connection.

For discussion related to the development and build process of Whonix images get in contact.

How to use the resulting images is documented in the Documentation.

Warning

  • Short: Don't add private files to Whonix's source code folder!

Long: Technically, it would work. Everything in the whonix_gateway folder gets installed on Whonix-Gateway, everything in the whonix_workstation folder on Whonix-Workstation, and the whonix_shared folder goes to both Whonix machines. This is not recommended. Those files would be managed by the whonix-gateway-files, whonix-workstation-files or whonix-shared-files package. When you later update Whonix debian packages, your files would get deleted by the package manager. Also, adding private files to Whonix's source code folder, later contributing to Whonix's development and accidentally pushing the wrong git branch would be a disaster. It is better to add your private files to Whonix after building Whonix, or to add a custom build step that copies your files from a folder outside of Whonix's source folder.


  • Short: Gnome user? Please disable device auto mounter and the file indexing service. You can do this by running the following commands. (If you don't know if you are a Gnome user or not, just run this command, it won't hurt.)

Long: [1]

  • Run the following command.
gsettings set org.gnome.desktop.media-handling automount-open false
  • System Tools -> Settings -> System Settings -> Details -> Removable Media -> Uncheck "Never prompt or start programs on media insertion"
  • System Tools -> Settings -> System Settings -> Search and Indexing -> Uncheck "Monitor file and directory changes"


  • Short: KDE user? It is recommended to disable Nepomuk. You can do this with the following steps.

Long: [2]

Start menu -> System Settings -> Desktop Search -> uncheck Enable Nepomuk Semantic Desktop -> Apply


  • Short: Make sure there aren't any VMs in VirtualBox already called Whonix-Gateway or Whonix-Workstation!

Long: [3]


  • Short: Check if the OpenPGP public keys are still up to date. If you are in luck, you never have to update the keys yourself and the Whonix maintainer will keep them updated.

Long: For better security.


  • Short: Do not try to build Whonix-Gateway and Whonix-Workstation at the same time!

Long: Building Whonix-Gateway and Whonix-Workstation at the same time is not supported due to limitations in the build script. In other words, do not try to run sudo ~/Whonix/whonix_build --build --tor-gateway and sudo ~/Whonix/whonix_build --build --tor-workstation at the same time. The build would probably fail.


Build Anonymity

While you download the tools required for building Whonix, your internet service provider could, if it wanted to, notice that you want to build Whonix. This is especially relevant if you want to redistribute Whonix but still want to stay anonymous. The full story can be read in the chapter Build Anonymity.

Build Security

Especially, but not exclusively, if you want to distribute Whonix images, you should improve the security of your build environment.

  • Build on a dedicated build system, install security updates... (Security Guide)
  • All installation media[4] and all downloaded/used code must be verified (including all software on the host).
  • Hashes and fingerprints in the scripts and the wiki are not to be trusted. Verify everything.
  • Read Trust.

Host Preparation

  • You need to build on Debian stable (currently: wheezy). (How to obtain Debian safely: [5]) [6]
  • Build dependencies and configurations get automatically applied, so you don't have to worry about that. [7]
  • It is recommended to set your terminal (for example Konsole) to unlimited scrollback, so you can watch the full build log.
  • You need ~ 30 GB free disk space. When you build inside a Virtual Machine using sparse files such as VirtualBox, consider assigning 100 GB free space. (Sparse files will grow as space is actually used. Won't take up space if it's not used. Easier to have the option to use more space than growing the image later.) More info: [8]

Building Whonix in Whonix

You only have to read this if you want to build Whonix in Whonix.

TODO: Currently probably not possible, because there is no existing Whonix release based on Debian stable (currently: wheezy).

Building Whonix in Whonix is possible as well (if the Whonix version you are using as host is also based on Debian stable (currently: wheezy)). Unfortunately, apt-cacher-ng does not like Whonix's apt repository on sourceforge.net. Adrelanos already reported a bug. As long as this bug isn't fixed, you need to disable Whonix's apt repository while building Whonix. You can do this using the whonix_repository tool.

sudo whonix_repository --disable

Introduction into Whonix Source Code

If you prefer to read and understand the source code just by reading scripts, you may skip this optional chapter.

If you want to modify the source code, it helps a lot to at least know what .img, .vdi, .vmdk and .ova are used for. See Source Code Introduction.

Preparation Steps

Only required if you want to redistribute (official) Whonix builds.

See Redistribution Pre Building.

Get Whonix Source Code

Install git and get Whonix's source code from the git repository.[9]

## Install git.
sudo apt-get install git

## Get source code.
git clone https://github.com/Whonix/Whonix

Remember it's Whonix, not whonix! If you are prompted for a username for github, it means you have mistyped the web address.

Get Whonix Signing Key

This chapter is recommended for better security, but not strictly required. (See Trust)

Get into Whonix source folder.

cd Whonix

Import the key.

gpg --import ./whonix_shared/usr/share/whonix/keys/whonix-keys.d/patrick.asc

Verify.

gpg --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

Should show.

pub   4096R/2EEACCDA 2014-01-16 [expires: 2015-01-16]
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
uid                 [ unknown] Patrick Schleizer <adrelanos@riseup.net>
sub   4096R/0x3B1E6942CE998547 2014-01-16 [expires: 2015-01-16]
sub   4096R/0x10FDAC53119B3FD6 2014-01-16 [expires: 2015-01-16]
sub   4096R/0xCB8D50BB77BB3C48 2014-01-16 [expires: 2015-01-16]

Getting the signing key from only one source, the very download you want to verify, isn't safe. For better security, learn about the Whonix Signing Key.

Verify Whonix Source Code

This chapter is recommended for better security, but not strictly required.[10]

Get a list of available git tags.

git tag

Verify the tag you want to build.

## ... Replace with tag you want to build.
git tag -v 8.1

Output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 8.1
tagger Patrick Schleizer <adrelanos@riseup.net> 1392320095 +0000

.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

The warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Is explained on the Whonix Signing Key page and can be ignored.
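
A scripted form of the tag check above, as an added example (not part of the Whonix source code): "Good signature" only says that some key in your keyring made the signature, so the functions below read GnuPG's machine-readable status lines and accept a tag only if the primary key behind the signature has the fingerprint shown in the previous chapter. The function names, the SAMPLE_STATUS lines and the all-A subkey fingerprint are constructed for illustration; it assumes a git version that supports git verify-tag --raw.

```sh
#!/bin/sh
# Added example; not part of the Whonix build scripts.

# Fingerprint as printed in the "Get Whonix Signing Key" chapter of this page.
# Confirm it through an independent channel before relying on it.
WHONIX_PRIMARY_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Constructed sample of gpg status output for a good tag signature.
# The subkey fingerprint is a placeholder, not the real subkey fingerprint.
SAMPLE_SUBKEY_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY_FPR 2014-02-13 1392320095 0 4 0 1 10 00 $WHONIX_PRIMARY_FPR"

# normalize_fpr FPR
# Strip spaces and upper-case, so "916B 8D99 ..." and "916b8d99..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# signer_primary_fpr
# Reads gpg status lines on stdin and prints the primary key fingerprint of
# the first VALIDSIG line. VALIDSIG carries the fingerprint of the (sub)key
# that made the signature first and the primary key fingerprint last.
# Prints nothing if there is no VALIDSIG line.
signer_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        # $3 = signing (sub)key, $12 = primary key (absent in old gpg output)
        print (NF >= 12 ? $12 : $3)
        exit
    }'
}

# status_trusted EXPECTED_FPR
# Succeeds only if stdin holds a VALIDSIG whose primary key is EXPECTED_FPR
# and no line reports a bad, unverifiable, expired or revoked signature/key.
status_trusted() {
    expected=$(normalize_fpr "$1")
    gpg_status=$(cat)
    if printf '%s\n' "$gpg_status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    actual=$(printf '%s\n' "$gpg_status" | signer_primary_fpr)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$expected" ]
}

# verify_tag TAG [EXPECTED_FPR]
# Run inside the Whonix checkout after importing the key.
# git verify-tag --raw writes the gpg status lines to stderr.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 | status_trusted "${2:-$WHONIX_PRIMARY_FPR}"
}

# Usage inside the checkout:
#   verify_tag 8.1 && git checkout 8.1
```

A key that has passed its expiry date is reported by gpg as EXPKEYSIG, so this check rejects such a tag instead of passing it with a warning.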

Choose Whonix Version

Use git checkout to select which version (or git branch) you want to build.

In case you want to build a specific git tag.

git checkout 8.1

You have to replace 8.1 with the actual version you want to build: the stable version, the testers-only version or the developers version. You can learn about current versions by reading Whonix News Blogs. New versions are also announced on the whonix-devel mailing list, so you could alternatively check its archives. Signing up for whonix-devel is another way to get informed about new releases.


Build Configuration (Optional)

Introduction (Optional)

OPTIONAL.

Usually you do not have to change the build configuration. Whonix build from source code comes with safe defaults. Whonix's APT Repository will NOT be used.

The most interesting build configurations (Terminal-Only, NoDefaultApps etc.) are documented in the following chapters below.

If you used build configurations earlier, it might be better to delete your build configuration folder, since a few example file names have changed in the meantime.

sudo rm -r /etc/whonix_buildconfig.d

Alternatively, if you know what you are doing, you can of course also manually go into the /etc/whonix_buildconfig.d folder, examine it and change its contents to your liking.

/etc/whonix_buildconfig.d is a modular flexible .d style configuration folder.

Less popular build configurations are documented in the buildconfig.d folder and on the Dev/Source_Code_Intro#Build_Configuration page in a less user friendly documented way.

It is recommended to copy and paste text when creating build configuration files to avoid typos. Also take care that your editor, even when you are using copy and paste, does not capitalize variable names which are supposed to be lower case.

Terminal-Only Builds (Optional)

OPTIONAL!

Advanced users can build a no-default-gui / no-KDE / terminal-only Whonix-Gateway and/or Whonix-Workstation.

Whonix 8

terminal-only builds are less tested due to lack of contributor manpower. Should work well in principle.

NOTE: You may or may not like to combine this with NoDefaultApps Builds. See below.

Create /etc/whonix_buildconfig.d folder.

sudo mkdir --parents /etc/whonix_buildconfig.d

Create /etc/whonix_buildconfig.d/50_terminal_only build config file.

echo '# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

whonix_build_script_whonix_package+=" whonix-shared-desktop "
whonix_build_script_whonix_package+=" whonix-shared-desktop-kde "
whonix_build_script_whonix_package+=" whonix-shared-kde-accessibility "
' | sudo tee "/etc/whonix_buildconfig.d/50_terminal_only" > /dev/null

Check.

cat /etc/whonix_buildconfig.d/50_terminal_only

Should show what we echoed above.

If you want to undo this build configuration, see footnote. [11]

Whonix 9

--terminal-only


NoDefaultApps Builds (Optional)

OPTIONAL!

Advanced users can install fewer recommended packages to make the resulting build smaller and more customizable. (recommended as in useful to have, not necessary to have them for some other reason.)

Whonix 8

NoDefaultApps builds are less tested due to lack of contributor manpower. Should work well in principle.

NOTE: You most likely want to combine this with terminal-only builds, see above.

NOTE: Such a NoDefaultApps system would for example not include Arm on Whonix-Gateway. So please do not create a NoDefaultApps build and then complain, that packages are missing.

To learn, what packages for example the whonix-gateway-packages-recommended package would install, search in the debian/control file for Package: whonix-gateway-packages-recommended.

We're just excluding a few meta packages. (Meta packages are packages which do not hold files on their own, but only instruct apt-get to install other packages.)

Create /etc/whonix_buildconfig.d folder.

sudo mkdir --parents /etc/whonix_buildconfig.d

Create /etc/whonix_buildconfig.d/50_no_default_apps build config file.

echo '# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

whonix_build_script_whonix_package+=" whonix-shared-packages-recommended "
whonix_build_script_whonix_package+=" whonix-gateway-packages-recommended "
whonix_build_script_whonix_package+=" whonix-workstation-packages-recommended "
whonix_build_script_whonix_package+=" whonix-workstation-default-applications "
' | sudo tee "/etc/whonix_buildconfig.d/50_no_default_apps" > /dev/null

Check.

cat /etc/whonix_buildconfig.d/50_no_default_apps

Should show what we echoed above.

If you want to undo this build configuration, see footnote. [12]

Whonix 9

--no-default-applications

CurrentSources Builds (Optional)

OPTIONAL!

Advanced users could install from Current Sources (custom) instead of from Frozen Sources (default in 7.4.0 and above). Both options have security advantages and disadvantages.

Whonix 8

CurrentSources builds are rarely tested due to lack of contributor manpower. They should work reasonably well in principle as long as no packages are removed from Debian. The worst thing that can probably happen is that the build fails due to missing packages.

Frozen Sources:

  • Whonix's build script will use http://snapshot.debian.org instead of the more popular ftp.us.debian.org.
  • Snapshot.debian.org will never change, i.e. their packages and versions will remain the same forever*[currentsources 1] [currentsources 2].
  • Using Frozen Sources has the advantage, that all builders end up with a very similar [currentsources 3] image. This gives builders more confidence, that they have ended up with an intact image.
  • Are a precondition [currentsources 4] for some day providing the Verifiable Builds security feature.
  • It follows, when building a fresh image it will contain outdated packages. (You can upgrade after booting for the first time.)
  • Package downloads are still verified, but we have to ignore the valid-until field. This means that an adversary capable of a man-in-the-middle attack could feed you packages even older than those configured in the version of Whonix you are building: any packages which were ever signed with the APT repository signing key of that codename[currentsources 5]. You might not like that and therefore prefer building from Current Sources.
  • At some point, for example if remotely exploitable vulnerabilities are found in the apt-get version (defined by Frozen Sources), it may be dangerous to continue building that version.
  • We should compare our images with each other to ensure no man-in-the-middle attack has happened while building Whonix. [Before we can do this, Verifiable Builds need to be implemented. (Help welcome!)]

Current Debian APT repository:

  • Packages and versions may change over time. Packages may be removed or replaced with others, and versions get security and other updates.
  • Build script may break the older the Whonix source code version release becomes. (Break as in the build won't finish - not as in creating images containing bugs.)
  • Each builder ends up with an individual image.
  • Valid-until field gets verified.
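
What ignoring the valid-until field gives up, as an added example (not code from the Whonix build scripts): the functions below reproduce the freshness test on a repository Release file, so you can see why metadata served from a fixed point in the past can only be used with that test switched off, and that the test is what bounds how old replayed metadata may be. The function names and the sample Release header are constructed for illustration.

```sh
#!/bin/sh
# Added example; not part of the Whonix build scripts.

# write_sample_release FILE
# Constructed sample: header of a Release file as an archive snapshot would
# still serve it long after publication (all values made up for the example).
write_sample_release() {
    cat > "$1" <<'EOF'
Origin: Example-Archive
Suite: example
Date: Sat, 15 Feb 2014 08:52:07 UTC
Valid-Until: Sat, 22 Feb 2014 08:52:07 UTC
EOF
}

# valid_until_stamp RELEASE_FILE
# Prints the Valid-Until field as a sortable UTC stamp YYYYMMDDhhmmss.
# Returns non-zero if the field is absent or malformed.
valid_until_stamp() {
    awk '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) month[name[i]] = i
        found = 0
    }
    /^Valid-Until:/ {
        # Field layout: Valid-Until: Sat, 22 Feb 2014 08:52:07 UTC
        if (NF < 7 || !($4 in month) || $7 != "UTC") exit
        split($6, t, ":")
        printf "%04d%02d%02d%02d%02d%02d\n", $5, month[$4], $3, t[1], t[2], t[3]
        found = 1
        exit
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# release_is_fresh RELEASE_FILE [NOW_STAMP]
# NOW_STAMP uses the same YYYYMMDDhhmmss form and defaults to the current UTC time.
# Exit 0: Valid-Until lies in the future, the metadata is still acceptable.
# Exit 1: Valid-Until has passed; only usable with the check disabled.
# Exit 2: no usable Valid-Until field, so freshness cannot be judged.
release_is_fresh() {
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    expiry=$(valid_until_stamp "$1") || return 2
    [ "$now" -le "$expiry" ]
}

# Usage:
#   write_sample_release /tmp/Release
#   release_is_fresh /tmp/Release || echo "stale or undated metadata"
```

With the check enabled, the sample header stops being accepted one week after its Date; with it disabled, the signature on the file is the only remaining constraint, however old the file is.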

If you prefer to build from Current Sources, please use the following instructions.

Create /etc/whonix_buildconfig.d folder.

sudo mkdir --parents /etc/whonix_buildconfig.d

Create /etc/whonix_buildconfig.d/50_current_sources build config file.

echo '# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

## For more technical comments, see:
## buildconfig.d/30_apt

whonix_build_sources_list="whonix_shared/usr/share/whonix/build_sources_debian_current.list"
whonix_build_grml_sources_list="http://ftp.us.debian.org/debian"

## Reset to default verification options.
## (Remove ignoring valid-until field.)
export apt_verify_opts=""
' | sudo tee "/etc/whonix_buildconfig.d/50_current_sources" > /dev/null

Check.

cat /etc/whonix_buildconfig.d/50_current_sources

Should show what we echoed above.

If you want to undo this build configuration, see footnote. [currentsources 6]

Footnotes:

  1. Besides a few rare exceptions.
  2. As long the great snapshot.debian.org service lasts.
  3. Timestamps, temporary files and who knows what else (open research question) differ.
  4. Actually, at least in theory, not an unsolvable precondition. But verifying an image against Debian's repository after building is a sinkhole. (Too many symlinks and auto generated files. - Help welcome!) Creating similar images by building from Frozen Sources seems to require only realistic implementation effort.
  5. Codename as in Testing, Wheezy, Jessie.
  6. sudo rm /etc/whonix_buildconfig.d/50_current_sources
    

Whonix 9

--current-sources

64bit Builds (Optional)

OPTIONAL!

Advanced users can create 64bit instead of 32bit builds.

Whonix 8

64bit builds are less tested due to lack of developer manpower. Should work well in principle.

Create /etc/whonix_buildconfig.d folder.

sudo mkdir --parents /etc/whonix_buildconfig.d

Create /etc/whonix_buildconfig.d/50_target_arch build config file.

echo '# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

## NOTE: It is impossible to create 64 bit builds on 32 bit hosts.
##       (This is a limitation of (grml-)debootstrap.)

## i386 is the default target architecture,
## if WHONIX_TARGET_ARCH variable is not set or empty.
#export WHONIX_TARGET_ARCH="i386"

## Interesting target architecture for custom builds: 64 bit
## Despite its name, works on AMD and Intel.
export WHONIX_TARGET_ARCH="amd64"

## Also interesting target architectures for custom builds: Kernel of FreeBSD
## Will not work out of the box for Whonix-Gateway, because Whonix Firewall
## is based on iptables (Linux) and the FreeBSD does not support iptables,
## its firewall is pf. The Whonix iptables rules would have to be rewritten in pf.
#export WHONIX_TARGET_ARCH="kfreebsd-amd64"
#export WHONIX_TARGET_ARCH="kfreebsd-i386"

## Deactivate installation of 486 kernel.
export WHONIX_BUILD_SKIP_SCRIPTS+=" 70_install_486_kernel "

## Deactivate installation of 686-pae kernel.
export WHONIX_BUILD_SKIP_SCRIPTS+=" 71_install_686_pae_kernel "

## Enable installation of 64 bit kernel by removing
## 71_install_amd64_kernel from WHONIX_BUILD_SKIP_SCRIPTS.
WHONIX_BUILD_SKIP_SCRIPTS="$(echo "$WHONIX_BUILD_SKIP_SCRIPTS" | sed s/" 71_install_amd64_kernel "//g)"
export WHONIX_BUILD_SKIP_SCRIPTS
' | sudo tee "/etc/whonix_buildconfig.d/50_target_arch" > /dev/null

Check.

cat /etc/whonix_buildconfig.d/50_target_arch

Should show what we echoed above.

If you want to undo this build configuration, see footnote. [13]

Whonix 9

Linux 64 bit. Less tested.

--64bit-linux

kFreeBSD 64 bit. Entirely untested.

--64bit-kfreebsd

kFreeBSD 32 bit. Entirely untested.

--32bit-kfreebsd

Whonix APT Repository (Optional)

OPTIONAL!

Whonix's APT Repository is disabled by default since Whonix 7.3.3. You may enjoy this for Trust reasons. You can later update Whonix debian packages from source code if you want. If you are interested in enabling Whonix's APT repository right after building (you could also do that after booting your build for the first time if you wanted) for convenience, while sacrificing the extra security of updating only from source code, follow the steps below.

Whonix 8

Do you want to opt in to Whonix's APT Repository? Then follow these steps.

Create /etc/whonix_buildconfig.d folder.

sudo mkdir --parents /etc/whonix_buildconfig.d

Create /etc/whonix_buildconfig.d/50_whonix_apt_repository build config file.

echo '# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

## Do use or do not use Whonix APT Repository.
## 0: do use.
## 1: do not use.
export WHONIX_APT_REPOSITORY_DISTRUST_ENV="0"

## Which version of Whonix you want to use.
## Defaults to stable.
#export WHONIX_APT_REPOSITORY_DISTRIBUTION_CONFIG="stable"
#export WHONIX_APT_REPOSITORY_DISTRIBUTION_CONFIG="testers"
#export WHONIX_APT_REPOSITORY_DISTRIBUTION_CONFIG="developers"

## Technical comment:
## Using export so the /usr/bin/whonix_repository tool and
## /usr/share/whonix/postinst.d/70_whonix_apt_key can read it.
' | sudo tee "/etc/whonix_buildconfig.d/50_whonix_apt_repository" > /dev/null

Check.

cat /etc/whonix_buildconfig.d/50_whonix_apt_repository

Should show what we echoed above.

If you want to undo this build configuration, see footnote. [14]

Whonix 9

--enable-whonix-apt-repository
--whonix-apt-repository-distribution stable
--whonix-apt-repository-distribution testers
--whonix-apt-repository-distribution developers

Only Minimal Report (Optional)

OPTIONAL!

By default Whonix's last build step creates a report file of all hdd contents. (See Verifiable Builds for details.) This step is optional. It was first introduced in Whonix 7.4.8. Whonix should work fine without that step. It is used for extra security. This step takes quite some time. This step is recommended. If you want to disable it, follow the steps below.

Whonix 8

Do you want to opt out of the report creation build step? Then follow these steps.

Create /etc/whonix_buildconfig.d folder.

sudo mkdir --parents /etc/whonix_buildconfig.d

Create /etc/whonix_buildconfig.d/50_no_report build config file.

echo '# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos@riseup.net>
# See the file COPYING for copying conditions.

whonix_build_script_minimal_report="1"
' | sudo tee "/etc/whonix_buildconfig.d/50_no_report" > /dev/null

Check.

cat /etc/whonix_buildconfig.d/50_no_report

Should show what we echoed above.

If you want to undo this build configuration, see footnote. [15]

Whonix 9

--minimal-report

APT Cache (Optional)

OPTIONAL!

When building with --bare-metal option in a virtual machine, builders can use their own http proxy (apt cache) on the host, which will greatly improve build speed when building several times in a row (debugging, development).

This isn't required when you are building virtual machine images, because then apt-cacher-ng is automatically set up for you. Only useful when using --bare-metal in a virtual machine.

Requires Whonix 7.7.3.7 or above.

Example.

On the host.

sudo apt-get install apt-cacher-ng

Be sure to have a firewall, so that not the whole internet can use your apt-cacher-ng service.

Inside your Virtual Machine.

Don't forget to replace 192.168.0.1 with your host's internal IP (use "sudo ifconfig" on your host to find out what your internal IP is).

export http_proxy=http://192.168.0.1:3142

Don't forget to add -E to sudo, so environment variables are preserved. Examples.

sudo -E ./whonix_build --bare-metal --tor-gateway --build
sudo -E ./build-steps.d/1100_prepare-build-machine --bare-metal --tor-gateway

Custom Build Tags

Only if you are using your own git tags!

If you created for example a git tag "8.1" and want to receive Whonix News for "8", apply this.

Please look into whonix_shared/etc/whonix.d/30_whonixcheck_default. Look for.

## Override what version whonixcheck will show in its window title and which
## Whonix News will be downloaded. Change only if you know what you are doing.
#whonix_build_version="6"
#whonix_deb_package_version="2:7-debpackage1"

Create a file whonix_shared/etc/whonix.d/50_whonixcheck_user and add, for example, the following. (You still have to replace "7" with the custom git tag you are using.)

whonix_build_version="7"
whonix_deb_package_version="2:7-debpackage1"

When you later update from Whonix debian packages from for example "8.1" to "9", these settings have to be commented out.

VM Settings (Optional)

OPTIONAL!

Whonix 8

Only relevant for VM builds.

Not available. You can change them manually after building Whonix.

Whonix 9

Only relevant for VM builds.

--vmram 128
--vram 12
--vmsize 200G

Skip Steps (Optional)

OPTIONAL!

Whonix 8

Undocumented.

Whonix 9

--skip-verifiable
--skip-sanity-tests

Source Code Changes

Only in case you made changes to the Whonix source folder!
Not required if you only added your own build configuration in the /etc/whonix_buildconfig.d folder.

If you made changes to the Whonix source code, those have to be git committed before building Whonix. Otherwise you'll get an error message. (Which looks like this: [16])

To git commit changes, some basic git knowledge would be of help. To give you an idea, the workflow could look like this.

git status
git add *
git status
#git add path-to-file
## Preview.
#git diff --cached
git commit -a
git status

VM Creation

Open a terminal (such as Konsole).

Delete any already existing Whonix-Gateway virtual machine. Warning: This will delete a virtual machine named Whonix-Gateway from VirtualBox!

sudo ~/Whonix/whonix_build --clean --tor-gateway

Delete any already existing Whonix-Workstation virtual machine. Warning: This will delete a virtual machine named Whonix-Workstation from VirtualBox!

sudo ~/Whonix/whonix_build --clean --tor-workstation

From here, you have two options. If you do not wish to use different build configurations for Whonix-Gateway and Whonix-Workstation (for example, if you do not wish to create a terminal-only Whonix-Gateway and a full Whonix-Workstation), you could use the sudo ~/Whonix/whonix_build_both wrapper script to build both virtual machines at once. If you wish to use different build configurations, you must use the whonix_build script to build one after the other as described below.

Build a Whonix-Gateway virtual machine image.

sudo ~/Whonix/whonix_build --build --tor-gateway

Optionally, if you wish to use a different build configuration for Whonix-Workstation, change the contents of your /etc/whonix_buildconfig.d folder.

Build a Whonix-Workstation virtual machine image.

sudo ~/Whonix/whonix_build --build --tor-workstation

The resulting .ova images can be found in ~/whonix_binary folder.

While building, you might see a few Expected Build Warnings.

Check if all went ok.

Please report back any issues!

Build Verification (Optional)

OPTIONAL!

Since Whonix 7.5.2, advanced users who build Whonix from source code can increase certainty that their image is free from possibly anonymity-critical bugs by verifying that their image is very similar to the redistributed Whonix .ova's. This is optional, but can improve security.

Congratulations, you already created your own build of Whonix. If you want, you can compare your build with official builds for better security. See Verifiable Builds.

Cleanup

OPTIONAL!

Remove temporary files from debian folder and delete debian packages from parent directory[17].

make clean


Debugging

OPTIONAL (Only in case something goes wrong or if you want to audit or develop Whonix.)

See Debugging.

Final Steps

Only required if you want to redistribute (official) Whonix builds.

See Redistribution Post Building.

Source Code / Hacking / Development Tickets

See Developer Portal.

Contact

Development Forum | Developer Mailing List | github | Contact

Expected Build Warnings

Can not write log, openpty() failed (/dev/pts not mounted?)

Does not affect the build. [18]

[....] Your system does not have the CPU extensions required to use KVM. Not doing anything. ...[ FAIL ]

Does not affect the build. [19]

[....] Stopping VirtualBox kernel modules [ ok ].
[....] Starting VirtualBox kernel modules[....] No suitable module for running kernel found ...[ FAIL ]
invoke-rc.d: initscript virtualbox, action "restart" failed.

Does not affect the build. [20]

WARNING: The character device /dev/vboxdrv does not exist.
	 Please install the virtualbox-ose-dkms package and the appropriate
	 headers, most likely linux-headers-486.

	 You will not be able to start VMs until this problem is fixed.

Does not affect the build. [21]

dpkg: warning: failed to open configuration file '/root/.dpkg.cfg' for reading: Permission denied

Does not affect the build. [22]

Related forum topic:
Expected Build Warnings

Footnotes

  1. Otherwise a file manager may open Whonix's chroot folder (the directory in which the image that is currently being built is mounted) while building Whonix, which could lead to a failing umount because the device is still busy.
  2. Nepomuk would waste some time indexing the whonix_binary folder.
  3. Otherwise the build script would fail, because it tries to create VMs named either Whonix-Gateway or Whonix-Workstation.
  4. Such as DVD or USB.
  5. Debian ISO OpenPGP verification
  6. The build scripts could be adapted to run on other *NIX systems as well but currently they assume apt-get and grml-debootstrap to be available.
  7. By build-steps.d/1100_prepare-build-machine.
  8. ~ 25 GB might suffice as well. We haven't measured that in detail yet. Less space is required if you only want to build either Whonix-Gateway or Whonix-Workstation. Less space is required for Whonix-Gateway than for Whonix-Workstation.
  9. From https://github.com/adrelanos/Whonix and not from https://github.com/Whonix/Whonix, because only adrelanos/Whonix contains git tags of the testers-only version.
  10. See Trust.
  11. sudo rm /etc/whonix_buildconfig.d/50_terminal_only
    
  12. sudo rm /etc/whonix_buildconfig.d/50_no_default_apps
    
  13. sudo rm /etc/whonix_buildconfig.d/50_target_arch
    
  14. sudo rm /etc/whonix_buildconfig.d/50_whonix_apt_repository
    
  15. sudo rm /etc/whonix_buildconfig.d/50_no_report
    
  16. + true './build-steps.d/1200_create-debian-packages ERROR: Git reports uncommitted changes! '
    + true './build-steps.d/1200_create-debian-packages INFO: Running "git status" for your convenience. '
    + git status
    # On branch master
    # Changes not staged for commit:
    #   (use "git add <file>..." to update what will be committed)
    #   (use "git checkout -- <file>..." to discard changes in working directory)
    #
    #       modified:   whonix_build_both
    #
    no changes added to commit (use "git add" and/or "git commit -a")
    + true './build-steps.d/1200_create-debian-packages INFO: Running
    git "clean --dry-run -d --force --force" for your convenience. '
    + git clean --dry-run -d --force --force
    + true './build-steps.d/1200_create-debian-packages You most likely like to revert debian/control to run:
        git checkout -- debian/control
        make clean
    or if you know what you are doing:
        git clean --dry-run -d --force --force
        git reset --hard'
    + error 'Uncommitted changes! See above!'
    ./build-steps.d/1200_create-debian-packages: line 109: error: command not found
    ++ error_handler_general
    ++ local return_code=127
    ++ rm --force /etc/apt/sources.list.d/whonixtestingtemp.list
    ++ rm --force /etc/apt/apt.conf.d/90whonix-build-confold
    +++ caller
    ++ echo '
    BASH_COMMAND: error "Uncommitted changes! See above!"
    return_code: 127
    ERROR ./build-steps.d/1200_create-debian-packages: |
    caller: 109 ./build-steps.d/1200_create-debian-packages
    '
    
    BASH_COMMAND: error "Uncommitted changes! See above!"
    return_code: 127
    ERROR ./build-steps.d/1200_create-debian-packages: |
    caller: 109 ./build-steps.d/1200_create-debian-packages
    
    ++ exit 1
    
  17. I.e. ../, most likely /home/user.
  18. Nothing to worry about. Only happens because we are running commands inside chroot. If you research this "issue", you'll read that it is purely cosmetic.
  19. KVM gets installed as dependency of our build dependency libguestfs-tools. We don't need KVM for building the actual images.
  20. Only means that VirtualBox can not be started. VirtualBox kernel modules could not be compiled, because the linux-headers-$(uname -r) package was not installed prior to installing VirtualBox (prior to starting Whonix's build script). The build script doesn't start VirtualBox, hence this does not affect the build. The build script only uses VBoxManage for creation of virtual machine description files and that tool doesn't need VirtualBox kernel modules.
  21. Same as above.
  22. This happens because we are running debuild as user, not root. Probably a bug in dpkg. If you research this, you'll see, there were many such bugs in dpkg.


Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.