Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information



< Dev



While the project is small adrelanos thinks it is best not to make a too difficult policy.


  • Adrelanos's progress of work.
  • Not calling it unstable, because the changes will most likely never make it unstable but it is just not tested if it still builds.
  • Branching model, project readme, information, gpg...


  • last released and recommended Whonix version
  • ready to include hotfixes


  • does currently not exist, since only one adding code
  • candidate for next Whonix version
  • must always build
  • currently restructuring
  • we can make an always building development branch as soon as someone else commits code



perhaps 0.5.x etc. as release branches[edit]

feature branches when it makes sense[edit]

signed git tags[edit]

Releases will be tagged and gpg signed.

temporary git tags[edit]

Will be named like: adretemp1 or 96adretemp

Can get deleted from time to time.

Link to Source Code[edit]

subscribe to code changes[edit]


Git clone github.

A git specific work flow could be:

git fetch

every (few) day(s) and then git diff(tool), merge, etc.

rss feed notification[edit]

manually in your browser[edit]

Check every now and then

Github Commits Mailing List[edit]

Whonix-commits read only mailing list

(Stay hosted on Barely anyone is signed up and it is quite high traffic.)


If you prefer Twitter, use the Secondary Twitter Account for Source Code Commit Notification.

grep Whonix source code[edit]

Get the Signing Key[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust)

gpg --keyserver hkp:// --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

It isn't safe to only get the signing key from one source for the download you want to verify. For better security, learn more about the Whonix Signing Key.

Get the Source Code[edit]


Install git and curl.

sudo apt-get update && sudo apt-get install git curl

Get source code including git submodules.

git clone --jobs=4 --recursive

Note: If using an older version of git (from Debian Jessie, Whonix 13, etc), remove --jobs=4.

Remember it is Whonix, not whonix! If prompted for a username for github, you have mistyped the web address.

Shift to the source folder.

cd Whonix

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required.[1]

Retrieve a list of available git tags.

cd ~/Whonix/ && git tag

Verify the chosen tag to build.

## ... Replace with tag you want to build.
git verify-tag

The output should look similar to this.

object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tagger Patrick Schleizer <> 1392320095 +0000

gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <>" [ultimate]

The warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Is explained on the Whonix Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. [3] (forum discussion) It is advisable to verify the signature of the git commit as well (replace with the actual git tag being verified).

git verify-commit^{commit}

The output should look similar to this.

commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <>" [ultimate]
Author: Patrick Schleizer <>
Date:   Sun Dec 7 01:22:22 2014 +0000


Choose Version[edit]

Retrieve a list of available git tags.

git tag

Use git checkout to select the preferred version (or git branch) to build.

git checkout

Replace with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. To learn more about current Whonix versions, follow the Whonix News Blog.

Clean Up and Sanitize[edit]

This step is also important for security.

Retrieve the list of extraneous files and folders. [4]

git clean -ndff

See if the output looks sane; it generally should, unless Whonix source code is modified by advanced users (who understand git better anyhow). If the output looks like the following, everything is fine.

Would remove packages/apparmor-profile-gwenview/
Would remove packages/kde-privacy/

Remove these folders.

git clean -dff

The output should show.

Removing packages/apparmor-profile-gwenview/
Removing packages/kde-privacy/

Be sure to check out the right commit for each git submodule.

git submodule update --init --recursive

Check there are no extraneous files. This is important for security.

git status

The output should show the following:

nothing to commit (working directory clean)

If the directory is not clean, the extra files should be removed first.


mkdir ~/bin

set -x
exec \
grep \ \
--exclude=GPLv2 \
--exclude=GPLv3 \
--exclude=COPYING \
--exclude=changelog.upstream-old1 \
--exclude-dir=mnt \
--exclude-dir=qubes-src/linux-template-builder/mnt \
--exclude=changelog.upstream \
--exclude-dir=".git" \
--exclude-dir=chroot-debian \
--exclude-dir=chroot-stretch \
--exclude-dir=chroot-jessie "$@"

cd Whonix

mygrep -r grub-pc

Put folder under Git Version Control[edit]


Update the package lists.

sudo apt-get update

Install git.

sudo apt-get install git

Unless you want to use git for pushing changes to remotes which you probably won't in a testing VM you can use the following git config without using any real names or pseudonyms. (These are the git suggested defaults. [5])

git config --global ""

git config --global "Your Name"

Enable Git Version Control for Folder[edit]

Go to the folder you want to set under git version control.

cd ~

Initialize git version control.

git init

Add all files to git version control.

git add -A

Commit all files to git. [6]

git commit -a -m .

Do changes such as changing KDE settings.

See what changed.

git diff


Optional. Just sharing. Like it or not.


apt-get source[edit]

You need to enable deb-src in /etc/apt/sources.list.d/whonix.list!

sudo apt-get update
Hit:1 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease
Hit:2 stretch InRelease                                            
Ign:3 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease                                   
Hit:4 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease                                  
Hit:5 tor+http://vwakviie2ienjx6t.onion/debian stretch Release                                     
Ign:7 stretch InRelease                                            
Hit:8 stretch/updates InRelease                                  
Hit:9 stretch Release                                       
Hit:11 stretch InRelease                             
Reading package lists... Done 
E: Failed to fetch tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/dists/stretch/InRelease  Unable to find expected entry 'contrib/source/Sources' in Release file (Wrong sources.list entry or malformed file)
E: Failed to fetch  Unable to find expected entry 'non-free/source/Sources' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.

The following can be ignored:

  • "Unable to find expected entry 'contrib/source/Sources'" and
  • "Unable to find expected entry 'non-free/source/Sources'"

There is nothing in these repositories. Does not limit functionality in any way. Inconinent message but won't fix since only asked once in 5 years.

apt-get source fully functional.

apt-get source apparmor-profiles-hardened-debian
Reading package lists... Done
Picking 'anon-meta-packages' as source package instead of 'apparmor-profiles-hardened-debian'
NOTICE: 'anon-meta-packages' packaging is maintained in the 'Git' version control system at:
Please use:
git clone
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 48.9 kB of source archives.
Get:1 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch/main anon-meta-packages 3:7.9-1 (dsc) [5,513 B]
Get:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch/main anon-meta-packages 3:7.9-1 (tar) [37.8 kB]
Get:3 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch/main anon-meta-packages 3:7.9-1 (diff) [5,588 B]
Fetched 48.9 kB in 2s (19.4 kB/s)             
dpkg-source: info: extracting anon-meta-packages in anon-meta-packages-7.9
dpkg-source: info: unpacking anon-meta-packages_7.9.orig.tar.xz
dpkg-source: info: unpacking anon-meta-packages_7.9-1.debian.tar.xz

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

Random News:

Please contribute by helping to answer Whonix questions.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.

  1. See Trust.
  2. As defined by TUF: Attacks and Weaknesses:
  3. Beginning from git tag 9.6 and above.
  4. There is currently a small issue with this process (a limitation of git).
  5. git commit -a -m .
    *** Please tell me who you are.
      git config --global ""
      git config --global "Your Name"
    to set your account's default identity.
    Omit --global to set the identity only in this repository.
    fatal: empty ident name (for <(null)>) not allowed
  6. Without any useful commit message. . is the commit message here.