Actions

Template

Qubes Operating System Updates

From Whonix

1. Update the Package Lists

Info At least once a day, Qubes users should update the system package lists in all TemplateVMs, Standalone VMs and dom0 with the latest version information on new and updated packages that are available for download. [1]

To update the whonix-gw-15 and whonix-ws-15 TemplateVM packages lists, simplest is using Qube Manager:
Qube Managerleft-click whonix-gw-15 or whonix-ws-15Update qube system (blue arrow)

Alternatively, open a terminal in the TemplateVM and run.

sudo apt-get update

The output should look similar to this.

sudo apt-get update
Hit:1 tor+https://cdn-aws.deb.debian.org/debian-security buster/updates InRelease
Hit:2 tor+https://deb.whonix.org buster InRelease                              
Hit:3 https://deb.qubes-os.org/r4.0/vm buster InRelease                        
Hit:4 tor+https://cdn-aws.deb.debian.org/debian buster InRelease
Reading package lists... Done

If an error message like this appears. [2]

Ign:1 http://ftp.us.debian.org/debian stretch InRelease
Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
...
Err:12 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
Connection failed
Reading package lists... Done
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Done.

Or this.

500  Unable to connect

Then something went wrong. It could be:

  1. A temporary Tor exit relay or server failure that should resolve itself; or
  2. One or more Onion Services might be non-functional.

In the first case, check if the network connection is functional by changing the Tor circuit and/or run whonixcheck to try and diagnose the problem. In the second case, try setting clearnet repository links before attempting to update again.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

It that case, it helps to run.

nslookup security.debian.org

And then try again.

2. Upgrade

If using a terminal, run the following command to install the latest system package versions. [3]

sudo apt-get dist-upgrade

Please note that if the Whonix APT Repository was disabled (see Disable Whonix APT Repository), then manual checks are required for new Whonix releases along with manual installation from source code.

3. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt-get update again should fix the problem. If not, something is broken or it is a Man-in-the-Middle Attack, which is not that unlikely since updates are retrieved over Tor exit relays and some of them are malicious. Changing the Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at present; if it occurs, it will look similar to this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is required in this case, even though apt-get will automatically ignore repositories with expired keys or signatures, and no upgrades will be received from that repository. Unless the issue is already known or documented, it should be reported for further investigation.

There are two possible reasons why this could happen. Either there is an issue with the repository that the maintainers have yet to fix or the user is the victim of a Man-in-the-Middle Attack. [4] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. To inspect how the documentation appeared at that point, please click on Expand on the right.

For instance, the Tor Project's apt repository key had expired [archive] and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue had already been reported [archive]. There was no immediate danger and it could have safely been ignored. Just make sure to never install unsigned packages as explained above.

For another example, see the more recent Whonix apt repository keyexpired error.

Although an unlikely outcome, please report any other signature verification errors if/when they appear.

5. Changed Configuration Files

If a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Be careful. If the updated file is not coming from a Whonix ™-specific package (some are called whonix-...), then press n. Otherwise, Whonix settings affecting anonymity, privacy, and security might be lost. Advanced users who know better can of course manually check the differences and merge them.

To determine if the file is coming from a Whonix ™-specific package or not, follow this advice:

  • Whonix ™-specific packages are sometimes called whonix-.... In the example above it states "Setting up ifupdown ...", so the file does not come from a Whonix ™-specific package. In this case it is recommended to press n as previously advised.
  • If the package name includes whonix-..., it is a Whonix ™-specific package. In that case, it is safest to press y, but any customized settings will be lost (these can be re-added afterwards). Conflicts like these are relatively rare if Whonix's modular flexible .d style configuration folders are used.

6. Shutdown the TemplateVM

Shutdown the TemplateVM from Qube Manager: Qube Managerright-click on TemplateVMShutdown VM or via the contextual menu.

7. Restart/Update Whonix VMs

If new updates were available and installed, it is necessary to either:

  • Restart any running Whonix-Gateway ™ ProxyVMs (sys-whonix) or Whonix-Workstation ™ AppVM instances (anon-whonix) so they are updated; or
  • Apply the same update process in any running VMs if an immediate restart is inconvenient.

Note: If any dom0 packages were upgraded during Qubes system updates, reboot the computer to profit from any security updates.

  1. See: Installing and updating software in VMs [archive].
  2. https://forums.whonix.org/t/cant-update-any-whonixvm-in-qubes-4-0-or-whonixcheck/6023 [archive]
  3. Steps 1 and 2 can be combined with: sudo apt-get-update-plus dist-upgrade
  4. Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md [archive] - http://www.webcitation.org/6F7Io2ncN [archive].