Make sure you know about CVE-2016-1252 (secure apt-get upgrading).
Important! Everything must stay current.
Preparation Step 1) Configure TemplateVM proxy settings
a) Attach Whonix TemplateVMs to a Whonix-Gateway ProxyVM (commonly called sys-whonix)
Qubes VM Manager -> right click on TemplateVM whonix-gw -> VM-Settings -> NetVM -> sys-whonix
b) Repeat the same with whonix-ws.
Qubes VM Manager -> right click on TemplateVM whonix-ws -> VM-Settings -> NetVM -> sys-whonix
Preparation Step 2) Open a TemplateVM Terminal
Qubes App Menu(blue/grey "Q") -> Template: whonix-gw -> Konsole
Qubes App Menu(blue/grey "Q") -> Template: whonix-ws -> Konsole
Preparation Step 3) Note
The following steps should be applied in both TemplateVM terminals.
1. Update your package lists.
Check at least daily. Keep your host operating system updated, and update the Whonix-Gateway and Whonix-Workstation package lists.
sudo apt-get update
The output should look similar to this.
Hit http://security.debian.org jessie/updates Release.gpg
Hit http://security.debian.org jessie/updates Release
Hit http://deb.torproject.org jessie Release.gpg
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release
Hit http://security.debian.org jessie/updates/contrib i386 Packages
Hit http://ftp.us.debian.org jessie Release
Hit http://security.debian.org jessie/updates/non-free i386 Packages
Hit http://deb.torproject.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://ftp.us.debian.org jessie/main i386 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Ign http://ftp.us.debian.org jessie/contrib Translation-en
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists... Done
If you see something like this.
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found
W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
Err http://ftp.us.debian.org jessie Release.gpg Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve 'security.debian.org'
W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg Could not resolve 'ftp.us.debian.org'
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve 'deb.torproject.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.
500 Unable to connect
Then something went wrong. It could be a temporary Tor exit relay or server failure that fixes itself. Check that your network connection is functional, change your Tor circuit, then try again. Running whonixcheck might also help to diagnose the problem.
Sometimes, if you see a message such as
Could not resolve 'security.debian.org'
it helps to run
and then try again.
sudo apt-get dist-upgrade
3. Never install unsigned packages!
If you see something like this.
WARNING: The following packages cannot be authenticated! icedove Install these packages without verification [y/N]?
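The prompt above is apt's last line of defence; it only appears while signature enforcement is switched on. The following POSIX shell check, added here as an example and not part of the Whonix documentation, looks for the two places where that enforcement can be turned off: a `[trusted=yes]` source entry and the apt options `APT::Get::AllowUnauthenticated`, `Acquire::AllowInsecureRepositories` and `Acquire::AllowDowngradeToInsecureRepositories` (the latter two exist only in apt 1.1 and newer). The sources.list and apt-config lines are constructed samples.

```shell
#!/bin/sh
# Added example (not Whonix project code): detect apt settings that would let
# unauthenticated packages install without the "cannot be authenticated" prompt.
# Live use:  apt_auth_ok "$(cat /etc/apt/sources.list)" "$(apt-config dump)"
# Sample inputs below are constructed.

WEAK_SOURCES='deb http://ftp.us.debian.org/debian jessie main contrib non-free
deb [trusted=yes] http://mirror.example/debian jessie main'

HARDENED_SOURCES='deb http://ftp.us.debian.org/debian jessie main contrib non-free
deb http://deb.torproject.org/torproject.org jessie main'

WEAK_CONF='APT::Get::AllowUnauthenticated "true";
Acquire::AllowInsecureRepositories "true";'

HARDENED_CONF='APT::Get::AllowUnauthenticated "false";
Acquire::AllowInsecureRepositories "false";'

# trusted_yes_sources SOURCES_TEXT -> prints every source line carrying [trusted=yes],
# i.e. a repository whose Release signature apt will not check at all
trusted_yes_sources() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes'
}

# unsafe_apt_options CONFIG_DUMP -> prints apt options set to "true" that bypass verification
unsafe_apt_options() {
    printf '%s\n' "$1" | grep -E '^(APT::Get::AllowUnauthenticated|Acquire::AllowInsecureRepositories|Acquire::AllowDowngradeToInsecureRepositories) "true";'
}

# apt_auth_ok SOURCES_TEXT CONFIG_DUMP -> 0 if nothing weakens signature checking, 1 otherwise;
# offending lines are echoed to stderr so the operator sees what to fix
apt_auth_ok() {
    ok=0
    if trusted_yes_sources "$1" >/dev/null; then
        echo "unsigned repository allowed by [trusted=yes]:" >&2
        trusted_yes_sources "$1" >&2
        ok=1
    fi
    if unsafe_apt_options "$2" >/dev/null; then
        echo "verification weakened in apt configuration:" >&2
        unsafe_apt_options "$2" >&2
        ok=1
    fi
    return $ok
}
```

A clean system returns 0 for `apt_auth_ok`; anything else means the "cannot be authenticated" prompt can no longer be relied on and the configuration should be restored before upgrading.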
4. Signature Verification Warnings
There should be none at the moment. If there was such a warning, it would look like this.
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
In that case, you should be careful. Even though apt-get will automatically ignore repositories with expired keys or signatures, you will not receive upgrades from that repository. Unless the issue is already known and documented, it should be reported so it can be investigated further.
There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers of that repository have to fix, or you are the victim of a man-in-the-middle attack. The latter would not be a big issue; it might go away on its own after a while, or you can try changing your Tor circuit.
In the past, various apt repositories were signed with an expired key. The documentation as it stood at that time follows.
The Tor Project's apt repository key had expired. You saw the following warning.
W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release W: Some index files failed to download. They have been ignored, or old ones used instead.
It had already been reported. There was no immediate danger. You could have just ignored it. Just make sure you never install unsigned packages, as explained above.
See also the more recent Whonix apt repository keyexpired error.
If you were to see other signature verification errors, those should be reported, but it shouldn't happen at this time.
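Steps 1 and 4 both come down to reading apt's output correctly: a resolver or exit-relay failure is a retry, an expired or bad key is something to report, and an authentication prompt is a hard stop. The classifier below is an added example, not Whonix project code; it sorts apt output like the excerpts on this page into those classes, lists the hosts that could not be resolved, and pulls the `KEYEXPIRED` timestamps out so they can be turned into a date (1409325681 is 2014-08-29 15:21:21 UTC). `NO_PUBKEY` and `BADSIG` are the other GnuPG status words apt prints for key problems. The sample outputs are constructed, modelled on the page's own excerpts.

```shell
#!/bin/sh
# Added example (not Whonix project code): classify apt output like the samples
# on this page so the failure mode is obvious before anything is installed.
# Classes: ok | network (resolver, exit relay or proxy failure, 404/500) |
#          signature (expired, missing or bad repository key) | unauthenticated.
# All sample outputs below are constructed, modelled on the page's excerpts.

SAMPLE_OK='Hit http://security.debian.org jessie/updates Release.gpg
Hit http://deb.torproject.org jessie Release
Reading package lists... Done'

SAMPLE_UNRESOLVED="Err http://deb.torproject.org jessie Release.gpg
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg Could not resolve 'security.debian.org'
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg Could not resolve 'deb.torproject.org'
W: Some index files failed to download. They have been ignored, or old ones used instead."

SAMPLE_KEYEXPIRED='W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681
W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release'

SAMPLE_UNAUTH='WARNING: The following packages cannot be authenticated!
  icedove
Install these packages without verification [y/N]?'

# apt_output_class OUTPUT -> prints one of: ok network signature unauthenticated
# Signature problems are tested first: an expired key also produces "Failed to fetch"
# lines, and those must not be mistaken for a plain network hiccup.
apt_output_class() {
    if printf '%s\n' "$1" | grep -Eq 'signatures were invalid|KEYEXPIRED|NO_PUBKEY|BADSIG|signature verification'; then
        echo signature
    elif printf '%s\n' "$1" | grep -q 'cannot be authenticated'; then
        echo unauthenticated
    elif printf '%s\n' "$1" | grep -Eq 'Could not resolve|Failed to fetch|Unable to connect|Some index files failed|404 Not Found'; then
        echo network
    else
        echo ok
    fi
}

# failing_hosts OUTPUT -> distinct hostnames apt could not resolve (empty when none)
failing_hosts() {
    printf '%s\n' "$1" | sed -n "s/.*Could not resolve '\([^']*\)'.*/\1/p" | sort -u
}

# keyexpired_epochs OUTPUT -> distinct KEYEXPIRED timestamps (Unix epoch seconds)
keyexpired_epochs() {
    printf '%s\n' "$1" | grep -o 'KEYEXPIRED [0-9]*' | awk '{print $2}' | sort -u
}

# epoch_to_utc EPOCH -> human-readable UTC time (GNU date), or the raw epoch elsewhere
epoch_to_utc() {
    date -u -d "@$1" +'%Y-%m-%d %H:%M:%S UTC' 2>/dev/null || echo "epoch $1"
}
```

Usage on a live TemplateVM would be `out=$(sudo apt-get update 2>&1); apt_output_class "$out"`; a `network` result is the "try again after a new circuit" case, `signature` is the "report it" case, and `unauthenticated` should never be answered with anything but the default.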
5. Changed Configuration Files
If you see something like the following:
Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N
Be careful. If the updated file isn't coming from a Whonix specific package (some are called), then press . Otherwise, anonymity/privacy/security settings deployed with Whonix might get lost. If you are an advanced user and know better, you can of course check the differences manually and merge them.
How can you find out whether the file is coming from a Whonix specific package or not?
- Whonix specific packages are sometimes called . In the example above it says "Setting up ifupdown ...", so the file isn't coming from a Whonix specific package. In this case, you should press as advised in the paragraph above.
- If the package name does include , it's a Whonix specific package. In that case, your safest bet is pressing , but then you would lose your customized settings. You can re-add them afterwards. Such conflicts will hopefully rarely happen if you use Whonix modular flexible .d style configuration folders.
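The two questions behind that prompt, who owns the file and whether the on-disk copy really differs from what the package shipped, can both be answered from dpkg's own records rather than guessed. The shell functions below are an added example, not Whonix project code: they parse the output shapes of `dpkg -S <path>` ("owner: /path") and `dpkg-query -W -f='${Conffiles}\n' <package>` (one " /path <md5>" line per conffile, optionally marked "obsolete"), and compare the recorded checksum with the live file. The sample dpkg lines are constructed, the "whonix" substring test is this example's own assumption about package naming, and md5sum from coreutils is assumed.

```shell
#!/bin/sh
# Added example (not Whonix project code): for a dpkg conffile prompt like the one
# above, find the owning package, whether it is Whonix-specific, and whether the
# on-disk copy really differs from the version the package installed.
# Live inputs:  dpkg -S /etc/network/interfaces
#          and: dpkg-query -W -f='${Conffiles}\n' ifupdown
# The dpkg output strings used in the tests are constructed samples.

# owner_from_dpkg_s LINE -> package name from a "dpkg -S <path>" result line,
# e.g. "ifupdown: /etc/network/interfaces" -> ifupdown. dpkg prints "a, b: path"
# when several packages own a path; the first owner is returned.
owner_from_dpkg_s() {
    printf '%s\n' "$1" | sed 's/: .*$//; s/,.*$//'
}

# classify_owner PACKAGE -> "whonix" if the package name marks it as Whonix-specific,
# otherwise "other". The substring test is this example's assumption, not a Whonix rule.
classify_owner() {
    case "$1" in
        *whonix*) echo whonix ;;
        *)        echo other ;;
    esac
}

# shipped_md5 CONFFILES_TEXT PATH -> md5 dpkg recorded for PATH at install time
# (${Conffiles} lines look like " /path <md5>" or " /path <md5> obsolete")
shipped_md5() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# conffile_modified FILE SHIPPED_MD5 -> 0 if FILE differs from the packaged version
conffile_modified() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" != "$2" ]
}

# conffile_report DPKG_S_LINE CONFFILES_TEXT FILE -> one summary line, e.g.
# "ifupdown (other) /etc/network/interfaces: locally modified"
conffile_report() {
    pkg=$(owner_from_dpkg_s "$1")
    kind=$(classify_owner "$pkg")
    want=$(shipped_md5 "$2" "$3")
    if [ -z "$want" ]; then
        state="not a conffile of $pkg"
    elif conffile_modified "$3" "$want"; then
        state="locally modified"
    else
        state="unchanged since install"
    fi
    echo "$pkg ($kind) $3: $state"
}
```

Running `conffile_report "$(dpkg -S /etc/network/interfaces)" "$(dpkg-query -W -f='${Conffiles}\n' ifupdown)" /etc/network/interfaces` before answering the prompt tells you which of the two bullets above applies, and "D" in the prompt itself still shows the actual diff.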
6. Restart Services after Upgrading
After upgrading, either (easy) reboot,
or (harder), if you want to avoid rebooting, use needrestart. The latter is described next.
Do this once: install needrestart.
sudo apt-get update
sudo apt-get install needrestart
It will provide some advice.
Run it again after applying advice.
If nothing else has to be restarted, it should show.
No services need to be restarted.
This might become more usable and automated in future. (T324)
7. Restart after Kernel Upgrades
When linux-image-... was upgraded, a reboot is required to benefit from the security updates.
Shutdown Whonix TemplateVM
Qubes VM Manager -> right click on TemplateVM -> Shutdown VM
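Steps 6 and 7 both ask the same question of the running system: is old code still executing after the upgrade, either in a service or in the kernel itself? needrestart can answer that in its machine-readable batch mode (`needrestart -b`, available in needrestart 2.x; this example assumes that mode), which prints `NEEDRESTART-KCUR` (running kernel), `NEEDRESTART-KEXP` (newest installed kernel), `NEEDRESTART-KSTA` (0 unknown, 1 current, 2 ABI-compatible upgrade pending, 3 version upgrade pending) and one `NEEDRESTART-SVC` line per service to restart. The parser below is an added example, not Whonix project code or part of needrestart; its batch outputs are constructed samples with kernel names in the Debian jessie style.

```shell
#!/bin/sh
# Added example (not Whonix project code): decide from `needrestart -b` batch output
# whether a reboot is needed (kernel upgraded) and which services still run old code.
# Batch fields: NEEDRESTART-KCUR running kernel, NEEDRESTART-KEXP installed kernel,
#   NEEDRESTART-KSTA 0 unknown / 1 current / 2 ABI-compatible upgrade / 3 version upgrade,
#   NEEDRESTART-SVC one line per service to restart.
# Both samples below are constructed.

SAMPLE_PENDING='NEEDRESTART-VER: 2.11
NEEDRESTART-KCUR: 3.16.0-4-686-pae
NEEDRESTART-KEXP: 3.16.0-6-686-pae
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: tor.service
NEEDRESTART-SVC: cron.service'

SAMPLE_CLEAN='NEEDRESTART-VER: 2.11
NEEDRESTART-KCUR: 3.16.0-6-686-pae
NEEDRESTART-KEXP: 3.16.0-6-686-pae
NEEDRESTART-KSTA: 1'

# field NAME BATCH -> value(s) of NEEDRESTART-NAME, one per line
field() {
    printf '%s\n' "$2" | sed -n "s/^NEEDRESTART-$1: //p"
}

# reboot_required BATCH -> 0 when the installed kernel is newer than the running one.
# KSTA is authoritative; the KCUR/KEXP comparison is a fallback for KSTA 0 (unknown).
reboot_required() {
    sta=$(field KSTA "$1")
    if [ "${sta:-0}" -ge 2 ]; then
        return 0
    fi
    kexp=$(field KEXP "$1")
    if [ -n "$kexp" ] && [ "$(field KCUR "$1")" != "$kexp" ]; then
        return 0
    fi
    return 1
}

# services_to_restart BATCH -> one service name per line (empty when none)
services_to_restart() {
    field SVC "$1"
}

# nothing_pending BATCH -> 0 when neither a reboot nor any service restart is needed,
# i.e. the state needrestart reports as "No services need to be restarted."
nothing_pending() {
    if reboot_required "$1"; then
        return 1
    fi
    [ -z "$(services_to_restart "$1")" ]
}

# Live use, once needrestart is installed in the TemplateVM:
#   out=$(sudo needrestart -b)
#   reboot_required "$out" && echo "kernel upgraded: shut the TemplateVM down"
#   services_to_restart "$out"
```

In a Qubes TemplateVM the cheapest answer to a `reboot_required` result is simply to shut the template down (step 7); the services list matters mainly when a long-running VM must not be restarted.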
8. Restart/Update Whonix VMs
If new updates were available and installed, either simply restart your running Whonix-Gateway ProxyVMs and Whonix-Workstation AppVMs so they pick up the updated TemplateVM, or, if you do not want to restart them right away, apply this same update process again inside the running VMs.
- Rollback or indefinite freeze attacks, as defined in The Update Framework (TUF) threat model (Attacks and Weaknesses): https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md (archived: http://www.webcitation.org/6F7Io2ncN).
- No malicious packages get installed.
- Because you got a different, non-malicious Tor exit relay.
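The freeze attack named in the first note is the reason "everything must stay current" is more than a slogan: an attacker who can hold back the repository index keeps a client on old, vulnerable packages without ever presenting a bad signature. Debian's defence is the `Valid-Until` header inside the signed Release file, which apt enforces while `Acquire::Check-Valid-Until` is on (its default). The check below is an added example, not Whonix project code; the Release excerpt and apt-config lines are constructed, with dates chosen to line up with the page's KEYEXPIRED timestamp, and GNU `date -d` is assumed for parsing.

```shell
#!/bin/sh
# Added example (not Whonix project code): detect a stale or frozen repository index,
# the "indefinite freeze" attack from the TUF threat model cited above.
# A Debian Release file carries Date: and Valid-Until: inside the signed data, so a
# man-in-the-middle cannot extend the lifetime of an old index without the signing key;
# apt rejects an expired Release unless Acquire::Check-Valid-Until has been set to false.
# Sample inputs are constructed; 2014-09-05 15:21:21 UTC is epoch 1409930481.
# Requires GNU date (-d).

SAMPLE_RELEASE='Origin: Debian
Label: Debian-Security
Suite: jessie
Codename: jessie
Date: Fri, 29 Aug 2014 15:21:21 UTC
Valid-Until: Fri, 05 Sep 2014 15:21:21 UTC
Architectures: i386 amd64
Components: main contrib non-free'

WEAK_APT_CONF='Acquire::Check-Valid-Until "false";'
HARDENED_APT_CONF='Acquire::Check-Valid-Until "true";'

# release_field RELEASE_TEXT NAME -> value of header NAME (empty if absent)
release_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# release_valid_until RELEASE_TEXT -> Valid-Until as a Unix epoch; status 1 if the header is missing
release_valid_until() {
    vu=$(release_field "$1" Valid-Until)
    [ -n "$vu" ] || return 1
    date -u -d "$vu" +%s
}

# release_is_stale RELEASE_TEXT NOW_EPOCH -> 0 if Valid-Until has passed (stale mirror or
# freeze attack), 1 if still valid, 2 if the Release has no Valid-Until at all
# (then apt cannot notice a freeze on its own)
release_is_stale() {
    vu=$(release_valid_until "$1") || return 2
    if [ "$2" -gt "$vu" ]; then
        return 0
    fi
    return 1
}

# valid_until_check_disabled APT_CONFIG_DUMP -> 0 if the operator switched the check off
valid_until_check_disabled() {
    printf '%s\n' "$1" | grep -Eq '^Acquire::Check-Valid-Until "false";'
}

# Live use: the downloaded Release files live under /var/lib/apt/lists/ and are named
# after their URI (for example ..._dists_jessie_updates_Release); pass one of them with
# the current time:  release_is_stale "$(cat /var/lib/apt/lists/<name>_Release)" "$(date +%s)"
# and audit the setting with:  valid_until_check_disabled "$(apt-config dump)"
```

The Debian security archive sets `Valid-Until` to a few days past `Date`, so a repository that stays "valid" for weeks while `apt-get update` keeps reporting nothing new is exactly the signal this check makes visible; if the check has been disabled in apt's configuration, re-enable it before trusting a quiet update.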
Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.