Dev/Get Whonix Source Code
From Whonix
< Dev
Contents
Get the Signing Key[edit]
This step is recommended for better security, but is not strictly required. (See Trust)
Get the Source Code[edit]
By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.
Install git.
sudo apt-get update && sudo apt-get install git
Get source code including git submodules.
git clone --jobs=4 --recursive https://github.com/Whonix/Whonix
Remember it is Whonix, not whonix! If prompted for a username for github, you have mistyped the web address.
Shift to the source folder.
cd Whonix
OpenPGP Verify the Source Code[edit]
This chapter is recommended for better security, but is not strictly required.[1]
Retrieve a list of available git tags.
cd ~/Whonix/ && git --no-pager tag
Verify the chosen tag to build. Replace with tag you want to build.
git verify-tag 15.0.0.4.9-stable
The output should look similar to this.
object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 15.0.0.4.9
tagger Patrick Schleizer <adrelanos@riseup.net> 1392320095 +0000
.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2019 and now see a signature from 2018, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [2]
The warning.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Is explained on the Whonix Signing Key page and can be safely ignored.
By convention, git tags should point to signed git commits. [3] (forum discussion) It is advisable to verify the signature of the git commit as well (replace 15.0.0.4.9 with the actual git tag being verified).
git verify-commit 15.0.0.4.9-stable^{commit}
The output should look similar to this.
commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Dec 7 01:22:22 2014 +0000
.
Choose Version[edit]
Retrieve a list of available git tags.
git tag
Use git checkout to select the preferred version to build.
git checkout 15.0.0.4.9-stable
Replace 15.0.0.4.9 with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. To learn more about current Whonix ™ versions, follow the Whonix ™ News Blog.
Check if you really got the version you want.
git describe 15.0.0.4.9-stable
Should show:
15.0.0.4.9-stable
[advertisement] Looking to Sell Your Company? Contact me.
Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!
https | (forcing) onion
Follow: 
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.
Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.