Dev/Get Whonix Source Code

Get the Signing Key[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust)

Download the key.

curl --tlsv1.2 --proto =https -o patrick.asc https://www.whonix.org/patrick.asc

curl --tlsv1.2 --proto =https -o patrick.asc https://www.whonix.org/patrick.asc

Check fingerprints/owners without importing anything.

[select code]

gpg patrick.asc

gpg patrick.asc

Verify it shows the following.

pub   rsa4096/0x8D66066A2EEACCDA 2014-01-16 [SC] [expires: 2021-04-17]
      916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
uid                             Patrick Schleizer <adrelanos@riseup.net>
sub   rsa4096/0x3B1E6942CE998547 2014-01-16 [E] [expires: 2021-04-17]
sub   rsa4096/0x10FDAC53119B3FD6 2014-01-16 [A] [expires: 2021-04-17]
sub   rsa4096/0xCB8D50BB77BB3C48 2014-01-16 [S] [expires: 2021-04-17]

If it checks out, import the key.

[select code]

gpg --import patrick.asc

gpg --import patrick.asc

It isn't safe to only get the signing key from one source for the download you want to verify. For better security, learn more about the Whonix Signing Key.

Get the Source Code[edit]

Install git and curl.

sudo apt-get update && sudo apt-get install git curl

Get source code including git submodules.

git clone --jobs=4 --recursive https://github.com/Whonix/Whonix

Note: If using an older version of git (from Debian Jessie, Whonix 13, etc), remove --jobs=4.

Remember it is Whonix, not whonix! If prompted for a username for github, you have mistyped the web address.

Shift to the source folder.

cd Whonix

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required.^[1]

Retrieve a list of available git tags.

cd ~/Whonix/ && git tag

Verify the chosen tag to build.

## ... Replace with tag you want to build.
git verify-tag 13.0.0.1.4-stable

The output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag 13.0.0.1.4
tagger Patrick Schleizer <adrelanos@riseup.net> 1392320095 +0000

.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

The warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Is explained on the Whonix Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. ^[3] (forum discussion) It is advisable to verify the signature of the git commit as well (replace 13.0.0.1.4 with the actual git tag being verified).

git verify-commit 13.0.0.1.4-stable^{commit}

The output should look similar to this.

commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]
Author: Patrick Schleizer <adrelanos@riseup.net>
Date:   Sun Dec 7 01:22:22 2014 +0000

    .

Choose Version[edit]

Retrieve a list of available git tags.

git tag

Use git checkout to select the preferred version (or git branch) to build.

git checkout 13.0.0.1.4-stable

Replace 13.0.0.1.4 with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. To learn more about current Whonix versions, follow the Whonix News Blog.

Clean Up and Sanitize[edit]

This step is also important for security.

Retrieve the list of extraneous files and folders. ^[4]

git clean -ndff

See if the output looks sane; it generally should, unless Whonix source code is modified by advanced users (who understand git better anyhow). If the output looks like the following, everything is fine.

Would remove packages/apparmor-profile-gwenview/
Would remove packages/kde-privacy/

Remove these folders.

git clean -dff

The output should show.

Removing packages/apparmor-profile-gwenview/
Removing packages/kde-privacy/

Be sure to check out the right commit for each git submodule.

git submodule update --init --recursive

Check there are no extraneous files. This is important for security.

git status

The output should show the following:

nothing to commit (working directory clean)

If the directory is not clean, the extra files should be removed first.

Random News:

Have you contributed to Whonix? If so, feel free to add your name and highlight what you did on the Whonix authorship page.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

↑ See Trust.
↑
As defined by TUF: Attacks and Weaknesses:
- https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
- http://www.webcitation.org/6F7Io2ncN
↑ Beginning from git tag 9.6 and above.
↑ There is currently a small issue with this process (a limitation of git).

[1] See Trust.

[2] As defined by TUF: Attacks and Weaknesses:
https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

http://www.webcitation.org/6F7Io2ncN

[3] ttps://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

[4] ttp://www.webcitation.org/6F7Io2ncN

[3] Beginning from git tag 9.6 and above.

[4] There is currently a small issue with this process (a limitation of git).

[1]

[2]

[3]

[4]

Dev/Get Whonix Source Code

< Dev

Contents

Get the Signing Key[edit]

Get the Source Code[edit]

OpenPGP Verify the Source Code[edit]

Choose Version[edit]

Clean Up and Sanitize[edit]