From Whonix
< Dev
Jump to navigation Jump to search

Design and Developer Documentation about Redistribution of Whonix.


Developers only!

These are notes for producing official downloadable binary Whonix images.

info Only required if you want to redistribute (official) Whonix builds.

Pre Building[edit]

Major Upgrade[edit]

Point Release[edit]

1. package timesanitycheck: ./usr/share/timesanitycheck/date-minimum-file-create


Clean source code

  • [1]
  • [2]
  • You can get a list of unwanted files with git clean -dfxn and remove them with git clean -dfx.
  • Update Whonix debian package repository.
  • add your own default-key to your own /home/user/.gnupg/gpg.conf.
  • Check that all packages point to a signed git commit and signed git tag.

dm-packaging-helper-script pkg_verify_signed_commit_and_tag

  • push the source code to github

git push origin master

  • Check, that the current git commit is a signed. [3]

git log --show-signature HEAD^..HEAD

Or use the generic makefile as a shortcut.

make git-commit-verify

  • Create an OpenPGP signed git tag. This will also be used as Whonix version number.

git tag -s version

  • Make sure the current git head is a signed git commit and signed git tag.

To simplify this, you could use the generic makefile.

make git-verify

  • Push the OpenPGP signed git tag to github.

git push origin version



1. Remote Repository: By convention, enable Whonix stable repository by default. To do so, use --repo true. Already included in build command below.

2. For other options and platforms also see build documentation.


1. Build Whonix-Gateway. For example Whonix-Gateway with Xfce for VirtualBox.

./derivative-maker --build --target virtualbox --flavor whonix-gateway-xfce --repo true

2. Build Whonix-Workstation. For example Whonix-Workstation with Xfce for VirtualBox.

./derivative-maker --build --target virtualbox --flavor whonix-workstation-xfce --repo true

Post Building[edit]

Image Signing

  • A) own custom builds: Optionally sign the images.
  • B) official Whonix builds: Mandatory sign the images.
  • OpenPGP sign the images.

dm-packaging-helper-script --flavor whonix-workstation --target virtualbox --build

Only required if you want to redistribute (official) Whonix builds.

  • Upload the images.



  • /usr/share/whonix-ws-firewall/unit_tests/stream_isolation_test
  • At least a few testers should test final releases before posting a news. Testers may be found by posting a news.
  • Leak Tests!
  • Test the images before final release! (Testers-only releases can be uploaded straight away.)

Update Permanent Links[edit]

Update permalinks.

sudoedit /etc/nginx/conf.d/download_redirects


Git Tag[edit]

Create -testers-only or -stable git tag.

Announcement Text Creation[edit]

Create Changelog and Announcement.

dm-packaging-helper-script pkg_git_packages_git_log_writer

Wiki Page Updates[edit]

Only required if you want to redistribute (official) Whonix builds.



Only required if you want to redistribute (official) Whonix builds.




  • any deprecated repositories (none at time of writing)

See Also[edit]


  1. get rid of .directory files inside the source code: thunarpreferencesgeneralbehavioruse common view properties for all folders
  2. Get rid of ~backup files. In other words, get rid of files starting with ~. find ./ -name '*~' | xargs trash-put
  3. You might wish using a git or bash alias to safe typing.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!