1. Update the Package Lists

For similar reasons, it is also discouraged to open a terminal in the Template and run.

sudo apt update

The output should look similar to this.

Hit:1 https://deb.qubes-os.org/r4.0/vm bookworm InRelease Hit:2 tor+https://deb.debian.org/debian bookworm InRelease Hit:3 tor+https://deb.whonix.org bullseye bookworm Hit:4 tor+https://deb.debian.org/debian bookworm-updates InRelease Hit:5 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease Hit:6 tor+https://deb.debian.org/debian-security bookworm-security InRelease Hit:7 tor+https://deb.debian.org/debian bookworm-backports InRelease Reading package lists... Done

If an error message like this appears. ^[3]

Hit:1 https://deb.qubes-os.org/r4.0/vm bookworm InRelease Ign:2 tor+https://deb.debian.org/debian bookworm InRelease ... Err:12 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/ bookworm/updates Release Connection failed Reading package lists... Done E: The repository 'tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/ bookworm/updates Release' does no longer have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. Done.

Or this.

500 Unable to connect

Then something went wrong. It could be:

1. A temporary Tor exit relay or server failure that should resolve itself; or
2. One or more Onion Services might be non-functional.

In the first case, check if the network connection is functional by changing the Tor circuit and/or run systemcheck to try and diagnose the problem. In the second case, try setting clearnet repository links before attempting to update again.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

It that case, it helps to run.

nslookup security.debian.org

And then try again.

2. Upgrade

If using a terminal, run the following command to install the latest system package versions. ^[4]

sudo apt full-upgrade

Please note if the Whonix APT Repository was disabled (see Disable Whonix APT Repository), then manual checks are required for new Whonix releases along with manual installation from source code.

3. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated! thunderbird Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt update again should fix the problem. If not, something is broken or it is a Man-in-the-Middle Attack, which is not that unlikely since updates are retrieved over Tor exit relays and some of them are malicious. Changing the Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at present; if it occurs, it will look similar to this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is required in this case, even though apt will automatically ignore repositories with expired keys or signatures, and no upgrades will be received from that repository. Unless the issue is already known or documented, it should be reported for further investigation.

There are two possible reasons why this could happen. Either there is an issue with the repository that the contributors have yet to fix or the user is the victim of a Man-in-the-Middle Attack. ^[5] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

5. Changed Configuration Files

Be careful if a message like this appears.

Setting up ifupdown ... Configuration file `/etc/network/interfaces' ==> Modified (by you or by a script) since installation. ==> Package distributor has shipped an updated version. What would you like to do about it ? Your options are: Y or I : install the package contributor's version N or O : keep your currently-installed version D : show the differences between the versions Z : background this process to examine the situation The default action is to keep your current version. *** interfaces (Y/I/N/O/D/Z) [default=N] ? N

It is safest to press y, but any customized settings will be lost (these can be re-added afterwards). ^{[6] [7]}

See also:

• Reset Configuration Files to Vendor Default
• Configuration Files

6. Shutdown the Template

Shutdown the Template from Qube Manager: Qube Manager → right-click on Template → Shutdown VM or via the contextual menu.

7. Restart/Update Whonix VMs

If new updates were available and installed, it is necessary to either:

• Restart any running Whonix-Gateway^™ ProxyVMs (sys-whonix) or Whonix-Workstation^™ App Qube instances (anon-whonix) so they are updated; or
• Apply the same update process in any running VMs if an immediate restart is inconvenient.

Note: If any dom0 packages were upgraded during Qubes system updates, reboot the computer to profit from any security updates.

1. Open Debian sources.list in an editor.

Open file /etc/apt/sources.list.d/debian.list in an editor with root rights.

Non-Qubes-Whonix^™

This box uses sudoedit for better security.

Qubes-Whonix^™

NOTE: When using Qubes-Whonix, this needs to be done inside the Template.

Others and Alternatives

• This is just an example. Other tools could achieve the same goal.
• If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian.list

2. Comment (#) the .onion address lines and uncomment the clearnet address lines.

The code blocks should look like this; only these entries require editing. ^[10]

deb tor+https://deb.debian.org/debian bullseye main contrib non-free deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free #deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free #deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free #deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free #deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the clearnet repositories are functional.

sudo apt update

4. Optional: Revert and update the package lists.

Consider reverting these changes later on because onion repositories have various security advantages. Afterwards, apply Updates to refresh the package lists.