Work in progress.

Design / Features[edit]

WhonixStarter(.exe):

new implementation of whonix.exe in lazarus (without NET framework)
platform independent ( later linux/mac version possible )
ui consists of two forms ( main & error )
main form has two buttons for start/stop and manage Whonix VMs
error form pops up if virtualbox is missing

WhonixStarterSetup.msi:

installs windows version of WhonixStarter
adds start menu entry
adds desktop shortcut
uninstall over Windows "Programs and Features" tool

WhonixSetup(.exe):

ui consists of a main form with several pages guiding the user through the installation process
platform independent ( later linux/mac version possible )
installs VirtualBox and WhonixOVA
executes WhonixStarterSetup.msi (Windows only)
checks installed and only reinstall missing components
does not uninstall or delete any component

Challenges:

Whonix .ova is bigger than 2 GB.
Windows .cab files have a hardcoded 2 GB maximum file size.

Requirements:

cross compile on Debian (source) for Windows (target)
building does not require Windows

Build limitations:

needs Debian bookworm or above because of minimal wixl and lazarus version

flow chart[edit]

(1) Whonix-Starter:

lazbuild → WhonixStarter.lpr → WhonixStarter.exe
wixl → WhonixStarterSetup.wxs → WhonixStarter.exe, WhonixStarterSetup.wxs → WhonixStarterSetup.msi

(2) Whonix-Installer:

lazbuild → WhonixSetup.lpr → WhonixSetup.exe
WhonixSetup.exe + append + Whonix.ova → WhonixSetup-XFCE.exe

CI[edit]

Whonix-Starter:

Whonix-Installer:

code signing[edit]

Introduction[edit]

EV (extended validation) certificate required to avoid Microsoft SmartScreen Filter warning message.

requirements[edit]

EV code signing for Windows authenticode to avoid Microsoft SmartScreen Filter warning message.
cross signing
build scripts running on Debian Linux
build result (program) running on Windows 64 bit
avoid running proprietary closed source software on local build machine
can be fully automated using build scripts
avoid hardware token (compatibility, hassle)
avoid proprietary closed source device drivers
ideally avoid non-mainline Linux kernel drivers
supports signing big files

providers[edit]

thalesgroup:

asked

Certum:

https://shop.certum.eu/open-source-code-signing.html Certum Open Source developer certificate - EV extended validation?
https://www.certum.ng/product/ev-code-signing-in-the-cloud/
https://shop.certum.eu/ev-code-signing-in-the-cloud.html
SimplySign cloud-based solution eliminates the need for a physical card and a reader
https://www.files.certum.eu/software/SimplySignDesktop/Linux-Ubuntu/2.9.8-9.1.6.0/SimplySignDesktop-2.9.8-9.1.6.0-x86_64-prod-ubuntu.bin
€379.00

sectigo:

https://sectigostore.com/code-signing/sectigo-ev-code-signing-certificate
cloud hsm supported?
$410

certerassl:

https://certerassl.com/certera-ev-code-signing-certificate
use existing token
no cloud hsm
$309

ssl.com:

https://www.ssl.com/ev/
$239
A) optional proprietary eSigner CodeSignTool
- eSigner uses ssl.com's own Cloud HSM
- actual file needs to be present to be signed
- https://www.ssl.com/guide/esigner-pricing-for-code-signing/
- When using for example Google Cloud HSM then eSigner is optional.
- minimum price for eSigner:
  - $20.00 / month (= $240 / year) or $180.00 / year
B) optional Google Cloud HSM compatibility
- https://www.ssl.com/guide/supported-cloud-hsms-document-signing-ev-code-signing/
- SSL.com’s fee for Google Cloud HSM attestation is $500.00 USD.

Google Cloud HSM;

TODO[edit]

merge[edit]

Reminder: Always please merge first before developing further.

new file location - FYI[edit]

ppcross_install has been moved.

https://github.com/Kicksecure/developer-meta-files/blob/master/usr/bin/ppcross_install

FYI (for your interest) only. This ticket (wiki chapter) can be deleted after reading.

Feel free to use this wiki page as a notepad for developers too by making notes somewhere else outside the TODO chapter.

avoid use of lazarus - replace with free pascal compiler[edit]

lazarus is an IDE, but not a compiler, right?

Can use of lazarus on command line be avoided?

(It can stay in the script as comment but out commented by default.)

Reason: Simplification; avoid dependency installation

Can the command be replaced with the free pascal compiler instead?

einsiedler90:

no, we need the binary lazbuild to compile a lazarus project from cmd, which is part of lazarus. fpc is the compiler, thats right, but it has not all the dependencies of WhonixStarter/Installer. it is impossible to compile this project without the LCL.

document ppcross_install[edit]

Why is ppcross_install needed even on Debian bookworm?

Is it because Debian doesn't compile with "make crossinstall"?

The fp-compiler (fpc) manpage states:

-sh
Tells the compiler to generate a script that can be used to assemble and link on the host system, not on the target system. Use this when cross-compiling.

-st
Tells the compiler to generate a script that can be used to assemble and link on the target system, not on the host system. Use this when cross-compiling.

Does that help?

Otherwise can this be reported against Debian as a question, a bug or feature request? If yes, please write a draft for a feature request. (Patrick will review and post it.)

Bug report probably already exists: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845498

Does this help...? https://gist.github.com/o11c/cf98115ba716ebdd1dc2cc75b290f321

einsiedler90:

fpc is a kind of wrapper that redirects to the cross/compiler. we could use ppcx64 to compile from linux 64bit to windows 64bit, but it cannot found the windows system units without the install_ppcross() steps in the script. it generates the needed precompiled windows units in /usr/lib/fpc/X.X.X/units/x86_64-win64

if a debian package with this files exists somewhere in the wild we could use this instead.

avoid use of git clone[edit]

ppcross_install

abolish need to fetch from https://gitlab.com/freepascal.org/fpc/source.git

just use the existing compiler from Debian[edit]

fpc -Twin64 -Fi/usr/share/fpcsrc/3.2.2/rtl/win64 -Fi/usr/share/fpcsrc/3.2.2/rtl/win -Fi/usr/share/fpcsrc/3.2.2/rtl/inc -Fi/usr/share/fpcsrc/3.2.2/rtl/x86_64 -Fu/usr/share/fpcsrc/3.2.2/rtl/win64 -Fu/usr/share/fpcsrc/3.2.2/rtl/inc -FU/tmp/rtl -FE/tmp test

based on fpc source package[edit]

Could it be based on apt-get source?

apt-get source fpc

Contains same contents as https://salsa.debian.org/pascal-team/fpc? No. Debian does some modifications. Lacks Makefile.fpc, which can be re-generated.

Can we edit https://salsa.debian.org/pascal-team/fpc/-/blob/master/debian/rules to add cross compilation? Maybe not even needed.

debian/rules is a makefile.

make -f debian/rules

It supports ifdef (similar to an environment variable) CROSSOPT. On Debian source packages are usually built using dpkg-buildpackage. It might be as simple as setting the correct environment variables. Here's an untested attempt.

sudo apt build-dep fpc

CROSSINSTALL=1 CROSSOPT="OS_TARGET=x86_64 CPU_TARGET=win64" dpkg-buildpackage

Setting the environment variable might be more complicated than initially editing debian/rules manually.

maybe helpful: https://wiki.debian.org/PortsDocs/BootstrappingFPC

regenerate Makefile.fpc

https://wiki.freepascal.org/Fpcmake

fpcmake -w -Tall

fpcmake -w -Tx86_64-win64

based on fpc-source binary package[edit]

Less promising approach.

sudo apt install fpc-source

sudo apt install fpc-source -t bullseye-backports

cd /usr/share/fpcsrc

cd /usr/share/fpcsrc/3.2.2/compiler/

fpcmake

building on Debian stable - bullseye[edit]

building Whonix-Installer on Debian stable - bullseye[edit]

Whonix-Installer

+ lazbuild -B WhonixSetup.lpr --cpu=x86_64 --os=win64 --compiler=/usr/bin/ppcrossx64
CopySecondaryConfigFile /etc/lazarus/environmentoptions.xml -> /home/user/.lazarus/environmentoptions.xml
Error: (lazbuild) project has no main unit
Error: Process completed with exit code 2.

Unfixable?

building Whonix-Starter on Debian stable - bullseye[edit]

Whonix-Starter

+ lazbuild -B Whonix.lpr --cpu=x86_64 --os=win64 --compiler=/usr/bin/ppcrossx64
CopySecondaryConfigFile /etc/lazarus/environmentoptions.xml -> /home/user/.lazarus/environmentoptions.xml
Error: (lazbuild) project has no main unit
Error: Process completed with exit code 2.

Unfixable?

Whonix ™ Windows Installer - Design Documentation

Contents

Design / Features[edit]

flow chart[edit]

CI[edit]

code signing[edit]

Introduction[edit]

requirements[edit]

providers[edit]

TODO[edit]

merge[edit]

new file location - FYI[edit]

avoid use of lazarus - replace with free pascal compiler[edit]

document ppcross_install[edit]

avoid use of git clone[edit]

just use the existing compiler from Debian[edit]

based on fpc source package[edit]

based on fpc-source binary package[edit]

building on Debian stable - bullseye[edit]

building Whonix-Installer on Debian stable - bullseye[edit]

building Whonix-Starter on Debian stable - bullseye[edit]

See Also[edit]

Navigation menu

Whonix ™ Windows Installer - Design Documentation

Design / Features[edit]

flow chart[edit]

CI[edit]

code signing[edit]

Introduction[edit]

requirements[edit]

providers[edit]

TODO[edit]

merge[edit]

new file location - FYI[edit]

avoid use of lazarus - replace with free pascal compiler[edit]

document ppcross_install[edit]

avoid use of git clone[edit]

just use the existing compiler from Debian[edit]

based on fpc source package[edit]

based on fpc-source binary package[edit]

building on Debian stable - bullseye[edit]

building Whonix-Installer on Debian stable - bullseye[edit]

building Whonix-Starter on Debian stable - bullseye[edit]

See Also[edit]

Donate

Navigation menu

Search