Actions

Dev/Build Documentation/14 deb

< Dev‎ | Build Documentation


UNFINISHED!

Upgrading Whonix ™ Deb Packages from Source Code[edit]

Introduction[edit]

This assumes you are updating Whonix ™ debian packages while you are using Whonix ™.

Prerequisites[edit]

Might be a good idea to create a backup and/or clone before trying to update.

If you haven't done already, disable Whonix ™ APT repository. [1]

sudo whonix_repository --disable

Upgrade from Debian packages.

sudo apt-get update && sudo apt-get --yes dist-upgrade


Get the Signing Key[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust)

gpg --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

It isn't safe to only get the signing key from one source for the download you want to verify. For better security, learn more about the Whonix Signing Key.

Get the Source Code[edit]

FREE

Ambox warning pn.svg.png By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement. Ambox warning pn.svg.png

Install git.

sudo apt-get update && sudo apt-get install git

Get source code including git submodules.

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix

Remember it is Whonix, not whonix! If prompted for a username for github, you have mistyped the web address.

Shift to the source folder.

cd Whonix ™

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required.[2]

Retrieve a list of available git tags.

cd ~/{{project_name_short}}/ && git tag

Verify the chosen tag to build.

## ... Replace with tag you want to build.
git verify-tag 14.0.1.4.4-stable

The output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 14.0.1.4.4
tagger Patrick Schleizer <adrelanos@riseup.net> 1392320095 +0000

.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

The warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Is explained on the Whonix Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. [4] (forum discussion) It is advisable to verify the signature of the git commit as well (replace 14.0.1.4.4 with the actual git tag being verified).

git verify-commit 14.0.1.4.4-stable^{commit}

The output should look similar to this.

commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Sun Dec 7 01:22:22 2014 +0000

    .

Choose Version[edit]

Retrieve a list of available git tags.

git tag

Use git checkout to select the preferred version (or git branch) to build.

git checkout 14.0.1.4.4-stable

Replace 14.0.1.4.4 with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. To learn more about current Whonix ™ versions, follow the Whonix ™ News Blog.


Build Dependencies[edit]

Get all build dependencies.

sudo -E ./build-steps.d/1100_prepare-build-machine --internalrun --build --target root

Why --target root? This is correct, if you want to know why, see footnote. [5]

Create the Packages[edit]

If you're not debugging, create the packages with:

sudo -E ./build-steps.d/1200_create-debian-packages --build --internalrun --target root

If debugging, use the following command. Developers only! [6] Potentially insecure unless the untagged / uncommited changes are by you or by a trusted developer with a git gpg signature that you verified.

sudo -E ./build-steps.d/1200_create-debian-packages --build --allow-untagged true --allow-uncommitted true --internalrun --target root

Upgrade Whonix ™ Debian Packages[edit]

Upgrade Whonix ™ Debian Packages without contacting a Whonix ™ APT Repository, using your own locally created apt package repository.

For Whonix-Gateway ™.

sudo ./packages/whonix-developer-meta-files/debug-steps/locally-upgrade-whonix-debian-packages --build --target root --flavor whonix-gateway

[7]

For Whonix-Workstation ™.

sudo ./packages/whonix-developer-meta-files/debug-steps/locally-upgrade-whonix-debian-packages --build --target root --flavor whonix-workstation

There will be a lot debug output. [8]

If everything went well, you will see [9] [10]

########################################################################
## INFO: Successfully configured (postinst script) {{workstation_product_name}}. #
########################################################################

The last few highlighted messages will be similar to:

+ true 'INFO: Skipping script, because --target root: /home/user/whonix_dot/{{project_name_short}}/help-steps/unmount-img'
+ true 'INFO: End of: ./debug-steps/locally-upgrade-whonix-debian-packages | exit_code: 0 | error(s) detected: 0 | benchmark: 00:01:40'

In case any error is caught, the script will loudly complain by echoing in a red colored error message:

ERROR in ./debug-steps/locally-upgrade-whonix-debian-packages! Aborted.

Lets hope it works well. Please get in Contact should there be any issues. Leave feedback if you are using this, if it worked for you, which issues you may have had, so these instructions can be updated.

Cleanup[edit]

OPTIONAL!

Remove temporary files.

Warning, this will run git clean -d --force --force in Whonix's main source code folder (~/Whonix) as well as in all sub folders of the Whonix packages folder ~/Whonix/packages. This means, if you knowingly added any files to any of these folders that have not been committed to git, these will be deleted.

[11]

./help-steps/cleanup-files


See Also[edit]

Footnotes[edit]

  1. Whonix-APT-Repository#Disable_Whonix ™_APT_Repository
  2. See Trust.
  3. As defined by TUF: Attacks and Weaknesses:
  4. Beginning from git tag 9.6 and above.
  5. Setting the --target parameter to root will result in installing fewer build dependencies. For example VirtualBox will not be installed. These are only required to build full images, but since we just want to create updated Whonix ™ Debian Packages, this is unnecessary. Not much harm done when forgetting to use --target root, because the user is free to remove any build dependencies later.
  6. Packages are possibly not matching the quality for redistributable testes or stable builds. This is because the package will potentially built from git master, which has no proper debian/changelog release version, and no signed git tag. There may be another package of that version in the repository that is different. Distinguishing these packages is hard and would cause confusion. Therefore this is considered unclean and only developers may do this for debugging purposes.
  7. Why use --target root"? Technical explanation: --target root in context of Whonix ™ source code means "do it on the system currently running, i.e. do it directly on the root folder "/[...]", don't do it inside "vm_image/[...]".
  8. Unless you log in as root and run export WHONIX_DEB_DEBUG=0.
  9. Or saying Whonix-Gateway ™ respectively
  10. It won't, if you have export WHONIX_DEB_DEBUG=0 set.
  11. https://github.com/Whonix/Whonix/blob/master/help-steps/cleanup-files

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Want to make Whonix safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.