Actions

Dev/Build Documentation/15 full

From Whonix

< Dev‎ | Build Documentation



Introduction[edit]

This page documents how to build Whonix ™ VirtualBox .ova and KVM .qcow2 images. For Qubes-Whonix ™, see Qubes-Whonix ™ Build Documentation.

Host Preparation[edit]

  • You need to build on Debian buster, such as Whonix-Workstation ™ 15 or a Debian buster VM.
  • You need ~ 30 GB free disk space.
  • You need ~ 4 GB free RAM.
    • Might actually work with a lot less RAM in 15.0.0.5.8-developers-only or above.
    • Might actually work with less RAM if you have swap.
  • Do not build under user root. Login regular as user user and then use sudo as documented below.
  • You cannot build on Whonix-Gateway ™ (due to networking issues).
  • It is recommended to set your terminal (for example xfce4-terminal) to unlimited scrollback, so you can watch the full build log.
  • Short: Don't add private files to Whonix ™ source code folder! [...]

Long: [...] Unless you know what you are doing. Technically, it would work. This is recommended against. Those files would get managed by the respective package. When you later update Whonix ™ debian packages, your files would get deleted by the package manager. Also adding private files to Whonix ™ source code folder, later contributing to Whonix ™ development and accidentally pushing the wrong git branch would be a disaster. Better add your private files to Whonix ™ after building Whonix ™. Or add a custom build step adding your files, which then get copied from a folder outside of Whonix ™ source folder. See "Source Code Changes" in "Optional Build Configuration" below.


  • Short: Make sure there aren't any VMs in VirtualBox (inside your build machine) already called Whonix-Gateway ™ or Whonix-Workstation ™!

Long: Because the build script would fail, because it tries to create VMs either named Whonix-Gateway ™ or Whonix-Workstation ™. Running the clean script between builds will prevent this error.


  • Short: Do not try to build Whonix-Gateway ™ and Whonix-Workstation ™ at the same time!

Long: Building Whonix-Gateway ™ and Whonix-Workstation ™ at the same time is not supported due to limitations in the build script. In other words, do not try to run for example sudo ~/Whonix/whonix_build --flavor whonix-gateway -- --build --target virtualbox and sudo ~/Whonix/whonix_build --flavor whonix-workstation -- --build --target virtualbox at the same time. The build would probably fail.


  • Short: Don't use images created inside Continuous Integration (CI) environments for anything besides testing!

Usually you are not using CI [archive] environments without knowing.

You can find out if you are running inside a CI environment by running.

echo "$CI"

If it shows nothing, i.e.


Everything is fine.

Otherwise, if it were to show.

true

Then don't use these images for anything besides testing.

Reason: https://github.com/Whonix/Whonix/blob/master/build-steps.d/1100_prepare-build-machine#L577 [archive]


  • Install build dependencies and get the source code.

Update the package lists.

sudo apt-get update

Install build dependencies.

sudo apt-get install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev


Get the Signing Key[edit]

This step is recommended for better security, but is not strictly required. (See Trust)

Get Whonix Signing Key.

Get the Source Code[edit]

FREE

Ambox warning pn.svg.png By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement. Ambox warning pn.svg.png

Install git.

sudo apt-get update && sudo apt-get install git

Get source code including git submodules.

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix

Remember it is Whonix, not whonix! If prompted for a username for github, you have mistyped the web address.

Shift to the source folder.

cd Whonix

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required.[1]

Retrieve a list of available git tags.

cd ~/Whonix/ && git --no-pager tag

Verify the chosen tag to build. Replace with tag you want to build.

git verify-tag 15.0.0.4.9-stable

The output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 15.0.0.4.9
tagger Patrick Schleizer <adrelanos@riseup.net> 1392320095 +0000

.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

warning Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2019 and now see a signature from 2018, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [2]

The warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

Is explained on the Whonix Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. [3] (forum discussion [archive]) It is advisable to verify the signature of the git commit as well (replace 15.0.0.4.9 with the actual git tag being verified).

git verify-commit 15.0.0.4.9-stable^{commit}

The output should look similar to this.

commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Dec 7 01:22:22 2014 +0000

.

Retrieve a list of available git tags.

git --no-pager tag

Use git checkout to select the preferred version to build.

git checkout --recursive-submodules 15.0.0.4.9-stable

Replace 15.0.0.4.9-stable with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Whonix ™ News Blog as it might contain information.

Check if you really got the version you want.

git describe

Should show:

15.0.0.4.9-stable


VM Creation[edit]

The following build targets are available:

--target virtualbox

--target qcow2

--target raw

--target root

  • --target virtualbox creates VirtualBox VMs.
  • --target qcow2 creates .qcow2 images for KVM and QEMU.
  • --target raw creates .raw images.
  • --target root is for Physical Isolation Build Documentation.
  • --target virtualbox, --target qcow2, and --target raw can be combined to build multiple images at once.

Choose a flavor.

  • --flavor whonix-gateway-cli
  • --flavor whonix-gateway-xfce
  • --flavor whonix-workstation-cli
  • --flavor whonix-workstation-cli

Optional. Enable Whonix ™ APT repository inside the images. [4] See Trust. This is done for official Whonix ™ redistributeable builds.

--repo true

See also Optional Build Configuration.

Note: These instructions use VirtualBox as an example, assume you have the Whonix ™ source code in your home folder (at ~/.)


Delete any existing Whonix-Gateway ™ virtual machine with the following command. Warning: This will delete any virtual machine named Whonix-Gateway ™ from VirtualBox installed on your build machine!

sudo ~/Whonix/whonix_build --flavor whonix-gateway-xfce --target virtualbox --clean

Delete any existing Whonix-Workstation ™ virtual machine with the following command. Warning: This will delete any virtual machine named Whonix-Workstation ™ from VirtualBox installed on your build machine!

sudo ~/Whonix/whonix_build --flavor whonix-workstation-xfce --target virtualbox --clean


Build a Whonix-Gateway ™ virtual machine image.

sudo ~/Whonix/whonix_build --flavor whonix-gateway-xfce --target virtualbox --build

Build a Whonix-Workstation ™ virtual machine image.

Tor Browser Version: We are setting tbb_version="8.5.5", i.e. instructing tb-updater to download Tor Browser version 8.5.5 because Whonix ™ 15.0.0.4.9 points to a tb-updater version that hardcodes Tor Browser version 8.5.4 which is no longer available for download which would make the build fail. This version number might need to be updated. Check RecommendedTBBVersions [archive] for latest stable Tor Browser version.

sudo tbb_version="8.5.5" ~/Whonix/whonix_build --flavor whonix-workstation-xfce --target virtualbox --build


While building, you might see a few Expected Build Warnings.

Build Result[edit]

  • VirtualBox: Te newly created VMs can be seen in VirtualBox user interface and in the usual VirtualBox data folders.
  • KVM, QEMU, raw images: The resulting .qcow2 and/or .raw images can be found in ~/whonix_binary folder.

To create a (unified [archive]) .ova image(s) or libvirt.xz archives, there are two options.

  • A) Automated, a bit difficult (since it expects preexisting signing keys), using prepare_release script, OR
  • B) Manually.
    • VirtualBox: Using the VirtualBox graphical or command line interface VM export feature could be used. [5]
    • KVM: Manually.

Prepare Release[edit]

prepare_release [archive] is useful for:

  • creation of a unified [archive] .ova image or libvirt.xz archive
  • creation of torrent files
  • creation of hash sum files
  • creation of software signatures
  • Adding license agreement.
  • Adding disclaimer.
  • Redistribution
  • Example:
    sudo -E /home/user/Whonix/packages/whonix-developer-meta-files/release/prepare_release --build --target virtualbox --flavor whonix-workstation-xfce

For private builds, i.e. for builds which are not supposed to be redistributed to others, none of this is important. If any of this was important, it could also be done manually.

Footnotes[edit]

  1. See Trust.
  2. As defined by TUF: Attacks and Weaknesses:
  3. Beginning from git tag 9.6 and above.
  4. --redistribute will set export whonix_build_redistribute="true" which results in setting
    WHONIX_APT_REPOSITORY_OPTS="--enable --codename $whonix_build_apt_stable_release"
    export WHONIX_APT_REPOSITORY_OPTS
    

    whonix_build_apt_stable_release defaults to buster and could optionally through a build configuration set to buster-proposed-updates, buster-testers or buster-developers.

  5. This is sane since important VM settings were already configured in https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm [archive]. prepare_release VM export does nothing special/important for privately used builds.


We are looking for maintainers and developers.

https [archive] | (forcing) onion [archive]
Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Monero donate whonix.png