Last update: March 17, 2019.


Update Qubes-Whonix


End-of-life Software

Users should not run software that has reached end-of-life status, because developers will not fix existing defects, bugs or vulnerabilities, posing serious security risks.

A recent example was VLC in Debian jessie, which reached end-of-life status in May 2018. In that case, Whonix 13 users who did not switch to a different media player were at risk, because VLC in jessie has unpatched security vulnerabilities. This VLC vulnerability does not apply to the current stable Whonix 14 release.

Installing Additional Software

See Install Software.

Updates

Standard Upgrade vs Release Upgrade

This procedure is for everyday upgrading of Qubes-Whonix and will not perform a Release Upgrade.

If a message like this appears.

WARNING: Whonix News Result:
✘ Outdated: Installed whonix-gateway-packages-dependencies 3.4.2-1 is outdated!

WARNING: Whonix News Result:
✘ Outdated: Installed whonix-workstation-packages-dependencies 3.4.2-1 is outdated!

Then most likely a Release Upgrade is necessary.

Before applying a release upgrade, it is useful to first complete a standard upgrade in both the whonix-gw-14 and whonix-ws-14 TemplateVMs, via Konsole:

  • Qubes App Menu(blue/grey "Q") -> Template: whonix-gw-14 -> Konsole
  • Qubes App Menu(blue/grey "Q") -> Template: whonix-ws-14 -> Konsole

Then perform the Standard Upgrade Steps below in both terminals.

Standard Upgrade Steps

0. Tor Browser Update

Updating Tor Browser is separate, see Update Tor Browser.

1. Update the Package Lists


To update the package lists of the whonix-gw-14 and whonix-ws-14 TemplateVMs, the simplest way is to use Qube Manager:
Qube Manager -> left-click whonix-gw-14 or whonix-ws-14 -> Update qube system (blue arrow)

Alternatively, open a terminal in the TemplateVM and run.

sudo apt-get update

The output should look similar to this.

sudo apt-get update
Ign:1 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease                        
Hit:2 http://deb.whonix.org stretch-proposed-updates InRelease                          
Hit:3 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease                       
Hit:4 http://deb.qubes-os.org/r4.0/vm stretch InRelease                                 
Hit:5 tor+http://vwakviie2ienjx6t.onion/debian stretch Release           
Hit:7 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch-proposed-updates InRelease
Reading package lists... Done

If an error message like this appears. [2]

Ign:1 http://ftp.us.debian.org/debian stretch InRelease
Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
...
Err:12 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
Connection failed
Reading package lists... Done
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Done.

Or this.

500  Unable to connect

Then something went wrong. It could be:

  1. A temporary Tor exit relay or server failure that should resolve itself; or
  2. One or more Onion Services might be non-functional.

In the first case, check if the network connection is functional by changing the Tor circuit and/or run whonixcheck to try and diagnose the problem. In the second case, try setting clearnet repository links before attempting to update again.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

In that case, it helps to run.

nslookup security.debian.org

And then try again.

2. Upgrade

If using a terminal, to install the newest versions of the current packages installed on the system, run. [3]

sudo apt-get dist-upgrade

Please note that if the Whonix APT Repository was disabled (see Disable Whonix APT Repository), then manual checks are required for new Whonix releases and manual installation from source code.

3. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt-get update again should fix the problem. If not, something is broken or it is a man-in-the-middle attack, which is not that unlikely since updates are retrieved over Tor exit relays and some of them are malicious. Changing the Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at present. If such a warning occurs, it will look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is required in this case, even though apt-get will automatically ignore repositories with expired keys or signatures, and the user will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.

There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers have yet to fix or the user is the victim of a man-in-the-middle attack. [4] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. The documentation from that time follows.

For instance, the Tor Project's apt repository key had expired and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue had already been reported. There was no immediate danger and it could have safely been ignored. Just make sure to never install unsigned packages as explained above.

For another example, see the more recent Whonix apt repository keyexpired error.

Please report any other signature verification errors if/when they appear. This outcome is considered unlikely at this time.

5. Changed Configuration Files

If a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful. If the updated file is not coming from a Whonix-specific package (some are called whonix-...), then press n. Otherwise, Whonix settings affecting anonymity, privacy, and security might be lost. Advanced users who know better can of course manually check the differences and merge them.

This is how to determine if the file is coming from a Whonix-specific package or not:

  • Whonix-specific packages are sometimes called whonix-.... In the example above it is saying "Setting up ifupdown ...", so the file is not coming from a Whonix-specific package. In this case, the user should press n as previously advised.
  • If the package name does include whonix-..., it is a Whonix-specific package. In that case, the safest bet is pressing y, but then any customized settings will be lost (these can be re-added afterwards). Such conflicts will hopefully rarely happen if using Whonix's modular flexible .d style configuration folders.

6. Shutdown the TemplateVM

Shut down the TemplateVM from Qube Manager (Qube Manager -> right-click on the TemplateVM -> Shutdown VM) or via the contextual menu.

7. Restart/Update Whonix VMs

If new updates were available and installed, it is necessary to either:

  • Restart any running Whonix-Gateway ProxyVMs (sys-whonix) or Whonix-Workstation AppVM instances (anon-whonix) for them to be updated; or
  • Apply this same update process in any running VMs if an immediate restart is undesirable.

Note: If any dom0 packages were upgraded during Qubes system updates, reboot the computer to benefit from any security updates.
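As an added example that is not part of the wiki page or Whonix's own tooling, the following POSIX shell script classifies saved apt-get output into the failure classes described in steps 1, 3 and 4 above and maps each class to the handling recommended there; the function names and the abbreviated sample transcript are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the Whonix wiki: classify saved output of
# "apt-get update" / "apt-get dist-upgrade" into the failure classes this
# page describes and map each class to the handling the page recommends.
# Usage: apt_outcome < saved-apt-output.txt     (prints one class name)

apt_outcome() {
    out=$(cat)
    # The most severe match wins, so an unauthenticated-package prompt is
    # never masked by a harmless fetch warning from the same run.
    if   printf '%s\n' "$out" | grep -q  'cannot be authenticated';           then echo unauthenticated
    elif printf '%s\n' "$out" | grep -q  'KEYEXPIRED';                        then echo keyexpired
    elif printf '%s\n' "$out" | grep -q  'could not connect to [^ ]*\.onion'; then echo onion_unreachable
    elif printf '%s\n' "$out" | grep -q  'Could not resolve';                 then echo dns_failure
    elif printf '%s\n' "$out" | grep -q  'no longer have a Release file';     then echo no_release_file
    elif printf '%s\n' "$out" | grep -Eq 'Unable to connect|Connection failed'; then echo connect_failed
    elif printf '%s\n' "$out" | grep -Eq '^(E|Err):';                         then echo unknown_error
    else echo ok
    fi
}

# Handling for each class, following steps 1, 3 and 4 above.
apt_advice() {
    case "$1" in
        ok)                echo 'proceed with the upgrade' ;;
        unauthenticated)   echo 'abort: answer N, rerun apt-get update, change the Tor circuit' ;;
        keyexpired)        echo 'no upgrades from that repository: report it unless already known' ;;
        onion_unreachable) echo 'onion mirror down: temporarily use the clearnet sources' ;;
        dns_failure)       echo 'run nslookup on the named host, then retry' ;;
        connect_failed|no_release_file|unknown_error)
                           echo 'change the Tor circuit and/or run whonixcheck, then retry' ;;
        *)                 echo 'unknown class' >&2; return 1 ;;
    esac
}

# Constructed sample, abbreviated from the onion-outage transcript on this page.
SAMPLE='Err:8 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to vwakviie2ienjx6t.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists... Done'

class=$(printf '%s\n' "$SAMPLE" | apt_outcome)
echo "$class: $(apt_advice "$class")"
```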

Non-functional Onion Services

Often, and sometimes for extended periods, the Debian, Whonix or Qubes onion servers are non-functional, meaning updates cannot be completed automatically. In that case, an error message like the following will appear.

user@host:~$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion stretch InRelease
Ign:3 http://ftp.us.debian.org/debian stretch InRelease
Hit:4 http://deb.whonix.org stretch InRelease
Hit:5 http://ftp.us.debian.org/debian stretch Release
Err:7 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to sgvtcaew4bxjd7ln.onion (0.0.0.0:0) due to: Host unreachable (6)
Err:8 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to vwakviie2ienjx6t.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists… Done
W: Failed to fetch tor+http://sgvtcaew4bxjd7ln.onion/dists/stretch/updates/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to sgvtcaew4bxjd7ln.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Failed to fetch tor+http://vwakviie2ienjx6t.onion/debian/dists/stretch/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to vwakviie2ienjx6t.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Some index files failed to download. They have been ignored, or old ones used instead.

To circumvent this issue until the onion service is re-established, complete the following steps in Whonix-Gateway (whonix-gw-14) and Whonix-Workstation (whonix-ws-14). [5] [6]

1. Open Debian sources.list in an editor.

Open /etc/apt/sources.list.d/debian.list in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run.

sudo nano /etc/apt/sources.list.d/debian.list

2. Comment (#) the lines with the .onion address and uncomment the lines with the clearnet address.

The first two code blocks should look like this. Note: only blocks shown need to be edited.

#deb tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
deb http://security.debian.org stretch/updates main contrib non-free

#deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
deb http://ftp.us.debian.org/debian stretch main contrib non-free

Save and exit.

3. Confirm the clearnet repositories are functional.

sudo apt-get update

4. Revert and update the package lists.

It is recommended that these changes are reverted at a later time, so users benefit from the security advantages of onion repositories. Afterwards, apply Updates to refresh the package lists.
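The edit-and-revert procedure above, as an added shell example that is not Whonix's own code: it comments the onion lines and uncomments the clearnet lines (or the reverse) and copies the result back in place so the file keeps its owner and mode. It assumes the pairing of onion and clearnet lines shown in step 2; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example, not code from the Whonix wiki: switch an apt sources file
# between its onion mirrors and the clearnet fallbacks by commenting one set
# of "deb" lines and uncommenting the other, and switch back afterwards.
# Assumes the layout shown in step 2: each active "deb tor+http://...onion"
# line is paired with a commented-out "#deb http://..." clearnet line.
# Usage: switch_sources clearnet|onion /etc/apt/sources.list.d/debian.list

switch_sources() {
    mode=$1; file=$2
    case "$mode" in
        clearnet) e1='/^deb tor+http:\/\/[^ ]*\.onion/ s/^/#/'   # comment onion lines
                  e2='/^#deb http:\/\// s/^#//' ;;               # uncomment clearnet lines
        onion)    e1='/^#deb tor+http:\/\/[^ ]*\.onion/ s/^#//'  # uncomment onion lines
                  e2='/^deb http:\/\// s/^/#/' ;;                # comment clearnet lines
        *) echo "usage: switch_sources clearnet|onion FILE" >&2; return 2 ;;
    esac
    # Rewrite through a temp file and copy the result back so the original
    # keeps its owner and mode (sed -i would replace the inode instead).
    tmp=$(mktemp) || return 1
    sed -e "$e1" -e "$e2" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Count the active (uncommented) onion and clearnet "deb" lines, so a script
# can confirm which mirror set is in use before and after the switch.
active_onion()    { grep -c '^deb tor+http://' "$1" || true; }
active_clearnet() { grep -c '^deb http://'     "$1" || true; }

# Constructed sample in a temporary file, mirroring the lines shown above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
deb tor+http://sgvtcaew4bxjd7ln.onion stretch/updates main contrib non-free
#deb http://security.debian.org stretch/updates main contrib non-free

deb tor+http://vwakviie2ienjx6t.onion/debian stretch main contrib non-free
#deb http://ftp.us.debian.org/debian stretch main contrib non-free
EOF
switch_sources clearnet "$demo"
echo "onion active: $(active_onion "$demo"), clearnet active: $(active_clearnet "$demo")"
switch_sources onion "$demo"      # revert once the onion services are back
rm -f "$demo"
```

Run it as root only against the real file in the TemplateVM; on the sample it operates on a throwaway temp file.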

Updating with Extra Care

See How-to: Install or Update with Utmost Caution.

Footnotes

  1. See: Installing and updating software in VMs.
  2. https://forums.whonix.org/t/cant-update-any-whonixvm-in-qubes-4-0-or-whonixcheck/6023
  3. Steps 1 and 2 can be combined with: sudo apt-get update && sudo apt-get dist-upgrade
  4. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md - http://www.webcitation.org/6F7Io2ncN.
  5. If similar problems are experienced with Whonix or Qubes onion services then the same procedure can be used to modify the whonix.list and qubes-r4.list files, respectively.
  6. http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/errors-updating-september-2018/6028

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)