Template:Project-APT-Repository-Add

From Whonix

There are two different options to enable the Whonix APT repository. Choose one. [1]

Using extrepo

1 extrepo setup.

1 Install package extrepo.

sudo apt install extrepo

2 Open file /etc/extrepo/config.yaml in an editor with administrative ("root") rights.

1 Select your platform.

Non-Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

3 Open the file with root rights.

sudoedit /etc/extrepo/config.yaml

Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
  • Template requirement: When using Qubes-Whonix, this must be done inside the Template.

3 Open the file with root rights.

sudoedit /etc/extrepo/config.yaml

4 Notes.

  • Shut down Template: After applying this change, shut down the Template.
  • Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
  • Qubes persistence: See also Qubes Persistence.
  • General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.

Others and Alternatives

2 Notes.

  • Example only: This is just an example. Other tools could achieve the same goal.
  • Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.

3 Open the file with root rights.

sudoedit /etc/extrepo/config.yaml

3 Paste at the end.

- contrib
- non-free

[2]

2 Enable the stable whonix APT repository. (See footnote for other options.) [3]

A : Non-Qubes-Whonix

Whonix

sudo extrepo enable whonix

B : Qubes-Whonix Template

Qubes-Whonix Template (whonix-workstation-18)

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 extrepo enable whonix

3 Advanced options.

For advanced options such as clearnet over Tor or onion. [4]


Optional.

Install apt-transport-tor.

Install package(s) apt-transport-tor following these instructions:

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the apt-transport-tor package(s).

Using the apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends apt-transport-tor

4 Platform specific notice.

  • Non-Qubes-Whonix: No special notice.
  • Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) apt-transport-tor is complete.

Find out the filename.

ls -la /etc/apt/sources.list.d/extrepo_*

Note: The filename will be different if using a repository other than the stable repository such as the testers repository.

Open file /etc/apt/sources.list.d/extrepo_kicksecure.sources in an editor with administrative ("root") rights.

1 Select your platform.

Non-Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

3 Open the file with root rights.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

Qubes-Whonix

2 Notes.

  • Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
  • Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
  • Template requirement: When using Qubes-Whonix, this must be done inside the Template.

3 Open the file with root rights.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

4 Notes.

  • Shut down Template: After applying this change, shut down the Template.
  • Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
  • Qubes persistence: See also Qubes Persistence.
  • General procedure: This is a general procedure required for Qubes and is unspecific to Qubes-Whonix.

Others and Alternatives

2 Notes.

  • Example only: This is just an example. Other tools could achieve the same goal.
  • Troubleshooting and alternatives: If this example does not work for you, or if you are not using Whonix, please refer to Open File with Root Rights.

3 Open the file with root rights.

sudoedit /etc/apt/sources.list.d/extrepo_kicksecure.sources

Choose either option A) or B).

  • A) Clearnet over Tor Repository: To enable clearnet over Tor, tor+ needs to be prepended in front of https. In other words, look for Uris: https and replace it with Uris: tor+https .
  • B) Onion Repository: To enable onion, look for the line starting with Uris:. Delete the whole line. Or comment it out by adding a hash ("#") in front of it. Then add a new line: Uris: tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion

4 Done.

The Whonix APT repository has been enabled.[5]

Manually

Add Signing Key

Complete the following steps to add the Whonix Signing Key to the system's APT keyring.

Open a terminal.

1 Package curl needs to be installed.

Install package(s) curl following these instructions:

1 Platform specific notice.

2 Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

3 Install the curl package(s).

Using the apt command line --no-install-recommends option is in most cases optional.

sudo apt install --no-install-recommends curl

4 Platform specific notice.

  • Non-Qubes-Whonix: No special notice.
  • Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.

5 Done.

The procedure of installing package(s) curl is complete.

2 Download Whonix Signing Key. [6]

Choose your operating system.

A : Debian

If you are using Debian, run.

Choose TLS or onion.
TLS (Debian)

TLS.

sudo curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.whonix.org/keys/derivative.asc

onion (Debian)

Note: Downloading over onion requires an already functional system Tor.

sudo curl --proxy socks5h://127.0.0.1:9050 --output /usr/share/keyrings/derivative.asc --url http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/keys/derivative.asc

B : Qubes App Qube

If you are using a Qubes Debian App Qube, run.

Choose TLS or onion.
TLS (Qubes-App-Qube)

TLS.

sudo curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.whonix.org/keys/derivative.asc

onion (Qubes-App-Qube)

Note: Downloading over onion requires an already functional system Tor.

sudo curl --proxy socks5h://127.0.0.1:9050 --output /usr/share/keyrings/derivative.asc --url http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/keys/derivative.asc

B : Qubes Template

If you are using a Qubes Debian Template, run.

Choose TLS or onion.
TLS (Qubes-Template)

TLS.

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 curl --tlsv1.3 --output /usr/share/keyrings/derivative.asc --url https://www.whonix.org/keys/derivative.asc

onion (Qubes-Template)

Note: Downloading over onion requires an already functional system Tor.

sudo http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 curl --output /usr/share/keyrings/derivative.asc --url http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/keys/derivative.asc

3 Signing key verification.

Optional. Recommended for Advanced Users only. If you have a good understanding of Verifying Software Signatures, you can check the Whonix Signing Key for additional security.

4 Done.

The procedure of adding the Whonix signing key is now complete.
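One way to script the optional signing key check from step 3, as an added example that is not part of the Whonix documentation. The function names and the sample listing are constructed for illustration, and the expected fingerprint is a placeholder that has to come from a source independent of the download.

```shell
# primary_fingerprints: read `gpg --with-colons` output on stdin and print the
# fingerprint of each primary key (the first "fpr" record after a "pub" record).
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# normalize_fpr: drop whitespace and upper-case, so a fingerprint copied with
# spaces compares equal to the form gpg prints.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# check_key_listing EXPECTED: succeed only if the listing on stdin holds exactly
# one primary key and its fingerprint equals EXPECTED. Any extra key in a
# Signed-By file would also be trusted by APT, so it is treated as a failure.
check_key_listing() {
    found=$(primary_fingerprints)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 primary key, found $count" >&2; return 1
    fi
    if [ "$(normalize_fpr "$found")" != "$(normalize_fpr "$1")" ]; then
        echo "fingerprint mismatch: $found" >&2; return 1
    fi
}

# verify_keyfile FILE EXPECTED: inspect FILE without importing it into a keyring.
verify_keyfile() {
    gpg --show-keys --with-fingerprint --with-colons -- "$1" | check_key_listing "$2"
}

# Constructed listing (made-up key, fingerprints and user ID) for an offline run.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::Constructed Example Key:
sub:-:4096:1:0011223344556677:1400000000::::::e:
fpr:::::::::8899AABBCCDDEEFF00112233445566778899AABB:'

# Real use; the second argument is a placeholder for a fingerprint obtained
# independently of this download:
#   verify_keyfile /usr/share/keyrings/derivative.asc "PLACEHOLDER_FINGERPRINT"
```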

Add Repository

Add the Whonix APT Repository.

Choose exactly one option: Option A, Option B OR Option C.

A : Onion Rep.

Option A: Add the Whonix Onion repository.

This option configures APT to access the Whonix repository via an onion service for maximum network anonymity.

To add the Whonix repository over Onion, first install apt-transport-tor and tor from the Debian repository.

sudo apt install apt-transport-tor tor

Add the Whonix APT repository for the default Whonix setup using Debian stable. At the time of writing, this was trixie.

echo "Types: deb
URIs: tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
Suites: trixie
Components: main contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/derivative.asc" | sudo tee /etc/apt/sources.list.d/derivative.sources

B : Clearnet Rep. via Tor

Option B: Add the Whonix clearnet repository via Tor.

This option accesses the clearnet repository but routes all traffic through Tor.

To add the Whonix repository over torified clearnet, install apt-transport-tor from the Debian repository.

sudo apt install apt-transport-tor

Add the Whonix APT repository for the default Whonix setup using Debian stable. At the time of writing, this was trixie.

echo "Types: deb
URIs: tor+https://deb.whonix.org
Suites: trixie
Components: main contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/derivative.asc" | sudo tee /etc/apt/sources.list.d/derivative.sources

C : Clearnet Rep.

Option C: Add the Whonix clearnet repository over clearnet.

This option uses a direct clearnet connection without Tor.

Note: When later using the Whonix repository tool, this configuration will be upgraded to "Clearnet Rep. via Tor", unless noted otherwise. [7]

To add the Whonix repository over clearnet, add the Whonix APT repository for the default Whonix setup using Debian stable. At the time of writing, this was trixie.

echo "Types: deb
URIs: https://deb.whonix.org
Suites: trixie
Components: main contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/derivative.asc" | sudo tee /etc/apt/sources.list.d/derivative.sources

The procedure for adding the Whonix APT repository is now complete.
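A check that can be run after either method to confirm which transport each stanza uses and that it is pinned to a key with Signed-By. This is an added example, not Whonix project code; the function names and the second sample stanza are constructed, and it assumes Signed-By names a key file path rather than an embedded key.

```shell
# audit_sources FILE: print "<uri> <transport> <signed-by>" for every enabled
# stanza of a deb822 .sources file.
audit_sources() {
    awk '
        function transport(uri) {
            if (index(uri, "tor+http://") == 1)
                return (uri ~ "\\.onion(/|:|$)") ? "onion" : "other"
            if (index(uri, "tor+https://") == 1) return "tor+tls"
            if (index(uri, "https://") == 1) return "plain-tls"
            return "other"
        }
        function emit(   n, i, u) {
            n = (enabled == "no") ? 0 : split(uris, u, " ")
            for (i = 1; i <= n; i++)
                print u[i], transport(u[i]), (key != "" ? key : "NO-SIGNED-BY")
            uris = ""; key = ""; enabled = ""
        }
        /^[ \t]*$/ { emit(); next }      # a blank line ends a stanza
        {
            name = tolower($1)           # field names are case-insensitive
            if (name == "uris:") { $1 = ""; uris = $0 }
            else if (name == "signed-by:") key = $2
            else if (name == "enabled:") enabled = tolower($2)
        }
        END { emit() }
    ' "$1"
}

# sources_ok FILE: fail when an enabled stanza has no Signed-By field or uses a
# transport other than the three this page configures.
sources_ok() {
    audit_sources "$1" |
        awk '$2 == "other" || $3 == "NO-SIGNED-BY" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: Option B from this page, then an unpinned plain-http stanza.
write_sample() {
    cat > "$1" <<'EOF'
Types: deb
URIs: tor+https://deb.whonix.org
Suites: trixie
Components: main contrib non-free
Enabled: yes
Signed-By: /usr/share/keyrings/derivative.asc

Types: deb
Uris: http://deb.example.invalid
Suites: trixie
EOF
}
```

On a real system, run `audit_sources` against the file written above, for example /etc/apt/sources.list.d/derivative.sources.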

Footnotes

  1. extrepo vs manual:
    • Usability:
      • There are some usability differences in the details. Using an onion connection might be easier with the manual method until Whonix gets ported to Debian 13 / trixie, because extrepo might get onion support then.
      • Apart from that, extrepo's usability seems generally better.
    • Security:
      • A detailed comparative study of both methods is unavailable.
      • If usability is considered a security feature, then extrepo might be considered more secure. This is because users do not have to learn as much about Verifying Software Signatures, OpenPGP, and its many Software Signature Verification Usability Issues. Debian, which is already trusted by the user, provides a trust path to the Whonix signing key. Manual key fingerprint verification is not required.
      • The extrepo project is a huge amount of work, adding all the signing keys for many different projects. Writing code that securely downloads a signing key in Python is not among the most difficult programming tasks to get correct. Compared with curl (written in C), it might be more secure.
    • Keeping support for manual method:
      • Removal of the manual method is not planned. Since it is already written, the maintenance effort for that part of the documentation is low. In case the extrepo signing key is outdated or gets deprecated, it is easy to switch back to the manual method.
  2. The following comments in that file...
    # - contrib
    # - non-free
    

    ...could be deleted, but that is completely optional.

  3. Other options:
    • stable-proposed-updates repository: sudo extrepo enable whonix_proposed
    • testers repository: sudo extrepo enable whonix_testers
    • developers repository: sudo extrepo enable whonix_developers
  4. extrepo feature request: extrepo apt-transport-tor and onion support
  5. forum discussion: extrepo - safely adding repos
  6. See Secure Downloads to understand why curl and the parameter --tlsv1.3 are used instead of wget.

    Placing an additional signing key into folder /usr/share/keyrings by itself has no impact on security, as this folder is not automatically used by Debian's APT by default. Only when an APT sources list configuration file points to folder /usr/share/keyrings using the signed-by keyword will the signing key actually be used. Therefore, deleting keys in /usr/share/keyrings is optional if intending to disable an APT repository. See also APT Signing Key Folders.
  7. Unless using repository-dist --transport plain-tls. See also man repository-dist.