Jump to: navigation, search


Make sure you know about CVE-2016-1252 secure apt-get upgrading.

Important! Everything must stay current.

Preparation Step 1) Configure TemplateVM proxy settings

Attach Whonix TemplateVMs to a Whonix-Gateway ProxyVM (commonly called sys-whonix).

Qubes VM Manager -> right-click on TemplateVM whonix-gw -> VM-Settings -> NetVM -> sys-whonix

Qubes-Whonix-Gateway TemplateVM Qubes VM Manager Settings.png

Repeat this procedure with whonix-ws.

Qubes VM Manager -> right-click on TemplateVM whonix-ws -> VM-Settings -> NetVM -> sys-whonix

Preparation Step 2) Open a TemplateVM Terminal

Qubes App Menu(blue/grey "Q") -> Template: whonix-gw -> Konsole

Qubes App Menu(blue/grey "Q") -> Template: whonix-ws -> Konsole

Preparation Step 3.) Note

The following steps should be applied in both TemplateVM terminals.

1. Update the Package Lists

Check package lists on at least a daily basis and keep the host operating system updated. To update Whonix-Gateway and Whonix-Workstation packages lists, run.

sudo apt-get update

The output should look similar to this.

Hit http://security.debian.org jessie/updates Release.gpg                                                                                                    
Hit http://security.debian.org jessie/updates Release                                                                                                        
Hit http://deb.torproject.org jessie Release.gpg                           
Hit http://ftp.us.debian.org jessie Release.gpg
Hit http://security.debian.org jessie/updates/main i386 Packages
Hit http://deb.torproject.org jessie Release                                             
Hit http://security.debian.org jessie/updates/contrib i386 Packages    
Hit http://ftp.us.debian.org jessie Release                           
Hit http://security.debian.org jessie/updates/non-free i386 Packages  
Hit http://deb.torproject.org jessie/main i386 Packages               
Hit http://security.debian.org jessie/updates/contrib Translation-en  
Hit http://ftp.us.debian.org jessie/main i386 Packages                
Hit http://security.debian.org jessie/updates/main Translation-en                        
Hit http://ftp.us.debian.org jessie/contrib i386 Packages                                
Hit http://security.debian.org jessie/updates/non-free Translation-en                    
Hit http://ftp.us.debian.org jessie/non-free i386 Packages                               
Ign http://ftp.us.debian.org jessie/contrib Translation-en              
Ign http://ftp.us.debian.org jessie/main Translation-en
Ign http://ftp.us.debian.org jessie/non-free Translation-en
Ign http://deb.torproject.org jessie/main Translation-en_US
Ign http://deb.torproject.org jessie/main Translation-en
Reading package lists... Done

If you see something like this.

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/contrib/binary-i386/Packages 404 Not Found

W: Failed to fetch http://ftp.us.debian.org/debian/dist/jessie/non-free/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

Err http://ftp.us.debian.org jessie Release.gpg
  Could not resolve 'ftp.us.debian.org'
Err http://deb.torproject.org jessie Release.gpg
  Could not resolve 'deb.torproject.org'
Err http://security.debian.org jessie/updates Release.gpg
  Could not resolve 'security.debian.org'
Reading package lists... Done
W: Failed to fetch http://security.debian.org/dists/jessie/updates/Release.gpg  Could not resolve 'security.debian.org'

W: Failed to fetch http://ftp.us.debian.org/debian/dists/jessie/Release.gpg  Could not resolve 'ftp.us.debian.org'

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/jessie/Release.gpg  Could not resolve 'deb.torproject.org'

W: Some index files failed to download. They have been ignored, or old ones used instead.

Or this.

500  Unable to connect

Then something went wrong. It could be a temporary Tor exit relay or server failure that should resolve itself. Check if the network connection is functional by changing the Tor circuit and trying again. Running whonixcheck might also help to diagnose the problem.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

It that case, it helps to run.

nslookup security.debian.org

And then try again.

2. Upgrade

sudo apt-get dist-upgrade

Please note that if the Whonix APT Repository was disabled (see Disable_Whonix_APT_Repository), then manual checks are required for new Whonix releases and manual installation from source code.

3. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated!
Install these packages without verification [y/N]?

Then don't proceed! Press N and <enter>. Running apt-get update again should fix it. If not, something is broken or it is a man-in-the-middle attack, which isn't that unlikely since updates are retrieved over Tor exit relays and some of them are malicious. Changing the Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at the moment. If such a warning appears, it will look like this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is required in this case, even though apt-get will automatically ignore repositories with expired keys or signatures, and the user will not receive upgrades from that repository. Unless the issue is already known or documented, it should be reported so it can be further investigated.

There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers have yet to fix or the user is the victim of a man-in-the-middle attack. [1] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. To see how the documentation looked at that point, please click on Expand on the right.

For instance, the Tor Project's apt repository key had expired and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue had already been reported. There was no immediate danger and it could have safely been ignored. Just make sure to never install unsigned packages as explained above.

For another example, see the more recent Whonix apt repository keyexpired error.

Please report any other signature verification errors if/when they appear. This outcome is considered unlikely at this time.

5. Changed Configuration Files

If a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful. If the updated file isn't coming from a Whonix specific package (some are called whonix-...), then press n. Otherwise, Whonix settings affecting anonymity, privacy, and security might be lost. Advanced users who know better can of course manually check the differences and merge them.

This is how to determine if the file is coming from a Whonix-specific package or not:

  • Whonix-specific packages are sometimes called whonix-.... In the example above it is saying "Setting up ifupdown ...", so the file isn't coming from a Whonix-specific package. In this case, the user should press n as previously advised.
  • If the package name does include whonix-..., it is a Whonix-specific package. In that case, the safest bet is pressing y, but then any customized settings will be lost (these can be re-added afterwards). Such conflicts will hopefully rarely happen if using Whonix's modular flexible .d style configuration folders.

6. Restart Services After Upgrading

To restart services after upgrading, either simply reboot.

sudo reboot

Or to omit rebooting, use the needrestart method (harder). For users interested in the latter method, please click on Expand on the right side.

Do this once. Install needrestart.

sudo apt-get update
sudo apt-get install needrestart

Run needrestart.

sudo needrestart

The program will provide some advice. Run it again after applying the advice.

sudo needrestart

If nothing else has to be restarted, it should show.

No services need to be restarted.

This feature might become more usable and automated in the future. (T324)

7. Restart After Kernel Upgrades

When linux-image-... is upgraded, a reboot is required to profit from any security updates.

Shutdown Whonix TemplateVM

Qubes VM Manager -> right click on TemplateVM -> Shutdown VM

8. Restart/Update Whonix VMs

If new updates were available and installed, you will need to either simply restart your running Whonix-Gateway ProxyVMs and running Whonix-Workstation AppVMs for them to be updated -- or alternatively apply this same update process again to your running VMs if not wanting to restart them right away.


  1. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md - http://www.webcitation.org/6F7Io2ncN.

Random News:

We are looking for maintainers and developers.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)