End-of-life Software[edit]

It is inadvisable to run software that has reached end-of-life status. Developers do not fix existing defects, bugs or vulnerabilities in this case, leading to serious security risks.

For example, in 2018 VLC Media Player in Debian jessie ^[archive] had reached end-of-life status in May of that year. In that case, Whonix ™ users who did not utilize a different media player were at risk, because VLC in Debian jessie has unpatched security vulnerabilities. This VLC vulnerability does not apply to the current stable Whonix ™ 16 release which is based on Debian bullseye.

Installing Additional Software[edit]

See Install Software.

Updates[edit]

Standard Update vs Release Upgrade[edit]

This procedure is for normal ("everyday") updates of Qubes-Whonix ™ and will not perform a Release Upgrade.

Before applying a release upgrade, it is recommended to first complete a standard update in both the whonix-gw-16 and whonix-ws-16 Templates, via xfce4-terminal:

Qubes App Menu(blue/grey "Q") → Template: whonix-gw-16 → xfce4-terminal
Qubes App Menu(blue/grey "Q") → Template: whonix-ws-16 → xfce4-terminal

Afterward, perform the Standard Update Steps below in both terminals.

Warnings[edit]

At least once a day, Qubes users should update the system package lists in all Templates, Standalones and dom0 with the latest version information on new and updated packages that are available for download. ^[1]
Below are some warnings and issues which are general Qubes bugs and unspecific to Qubes-Whonix ™. Primary sources from Qubes OS are referenced as links with specific citations.

Quote Qubes OS "How to update" warning ^[archive]:

Updating with direct commands such as qubes-dom0-update, dnf update, and apt update is not recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the Qubes Update tool or its command-line equivalents, [...]. (By contrast, installing ^[archive] packages using direct package manager commands is fine.)

Qubes Update tool ^[archive]
For updating using command-line, refer to Qubes OS "How to update" ^[archive]:
- update using Qubes salt, update.qubes-vm ^[archive]
- update using Qubes salt, update.qubes-dom0 ^[archive]

Standard Update Steps[edit]

Note: Updating Tor Browser is a separate issue; see Update Tor Browser.

1. Update the Package Lists

At the time of writing, it is discouraged ^[archive] to update whonix-gw-16 and whonix-ws-16 Template packages lists using Qube Manager (Qube Manager → left-click whonix-gw-16 or whonix-ws-16 → Update qube system (blue arrow)). ^[2]

For similar reasons, it is also discouraged ^[archive] to open a terminal in the Template and run.

sudo apt update

sudo apt update

The output should look similar to this.

Hit:1 https://deb.qubes-os.org/r4.0/vm bullseye InRelease                      
Hit:2 tor+https://deb.debian.org/debian bullseye InRelease                     
Hit:3 tor+https://deb.whonix.org bullseye bullseye                            
Hit:4 tor+https://deb.debian.org/debian bullseye-updates InRelease             
Hit:5 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease
Hit:6 tor+https://deb.debian.org/debian-security bullseye-security InRelease
Hit:7 tor+https://deb.debian.org/debian bullseye-backports InRelease
Reading package lists... Done

Hit:1 https://deb.qubes-os.org/r4.0/vm bullseye InRelease                      
Hit:2 tor+https://deb.debian.org/debian bullseye InRelease                     
Hit:3 tor+https://deb.whonix.org bullseye bullseye                            
Hit:4 tor+https://deb.debian.org/debian bullseye-updates InRelease             
Hit:5 tor+https://fasttrack.debian.net/debian bullseye-fasttrack InRelease
Hit:6 tor+https://deb.debian.org/debian-security bullseye-security InRelease
Hit:7 tor+https://deb.debian.org/debian bullseye-backports InRelease
Reading package lists... Done

If an error message like this appears. ^[3]

Hit:1 https://deb.qubes-os.org/r4.0/vm bullseye InRelease
Ign:2 tor+https://deb.debian.org/debian bullseye InRelease
...
Err:12 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/ bullseye/updates Release
Connection failed
Reading package lists... Done
E: The repository 'tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/ bullseye/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Done.

Hit:1 https://deb.qubes-os.org/r4.0/vm bullseye InRelease
Ign:2 tor+https://deb.debian.org/debian bullseye InRelease
...
Err:12 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/ bullseye/updates Release
Connection failed
Reading package lists... Done
E: The repository 'tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/ bullseye/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Done.

Or this.

500  Unable to connect

500  Unable to connect

Then something went wrong. It could be:

A temporary Tor exit relay or server failure that should resolve itself; or
One or more Onion Services might be non-functional.

In the first case, check if the network connection is functional by changing the Tor circuit and/or run systemcheck to try and diagnose the problem. In the second case, try setting clearnet repository links before attempting to update again.

Sometimes a message like this will appear.

Could not resolve 'security.debian.org'

Could not resolve 'security.debian.org'

It that case, it helps to run.

nslookup security.debian.org

nslookup security.debian.org

And then try again.

2. Upgrade

If using a terminal, run the following command to install the latest system package versions. ^[4]

sudo apt full-upgrade

sudo apt full-upgrade

Please note if the Whonix ™ APT Repository was disabled (see Disable Whonix ™ APT Repository), then manual checks are required for new Whonix ™ releases along with manual installation from source code.

3. Never Install Unsigned Packages!

If a message like this appears.

WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?

WARNING: The following packages cannot be authenticated!
  thunderbird
Install these packages without verification [y/N]?

Then do not proceed! Press N and <enter>. Running apt update again should fix the problem. If not, something is broken or it is a Man-in-the-Middle Attack, which is not that unlikely since updates are retrieved over Tor exit relays and some of them are malicious. Changing the Tor circuit is recommended if this message appears.

4. Signature Verification Warnings

There should be no signature verification warnings at present; if it occurs, it will look similar to this.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

Caution is required in this case, even though apt will automatically ignore repositories with expired keys or signatures, and no upgrades will be received from that repository. Unless the issue is already known or documented, it should be reported for further investigation.

There are two possible reasons why this could happen. Either there is an issue with the repository that the contributors have yet to fix or the user is the victim of a Man-in-the-Middle Attack. ^[5] The latter is not a big issue, since no malicious packages are installed. Further, it may automatically resolve itself after a period of time when a different, non-malicious Tor exit relay is used, or following a manual change of the Tor circuit.

In the past, various apt repositories were signed with an expired key. To inspect how the documentation appeared at that point, please click on Expand on the right.

For instance, the Tor Project's apt repository key had expired ^[archive] and the following warning appeared.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.torproject.org stable Release: The following signatures were invalid: KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681 KEYEXPIRED 1409325681

W: Failed to fetch http://deb.torproject.org/torproject.org/dists/stable/Release  

W: Some index files failed to download. They have been ignored, or old ones used instead.

This issue had already been reported ^[archive]. There was no immediate danger and it could have safely been ignored. Just make sure to never install unsigned packages as explained above.

For another example, see the more recent Whonix apt repository keyexpired error.

Although an unlikely outcome, please report any other signature verification errors if/when they appear.

5. Changed Configuration Files

Be careful if a message like this appears.

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package contributor's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

Setting up ifupdown ...
Configuration file `/etc/network/interfaces'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package contributor's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** interfaces (Y/I/N/O/D/Z) [default=N] ? N

It is safest to press y, but any customized settings will be lost (these can be re-added afterwards). ^[6] ^[7]

Non-functional Onion Services[edit]

Sometimes the Debian, Whonix ™ or Qubes onion servers are non-functional. This means updates cannot be completed automatically and an error message similar to below will appear.

user@host:~$ sudo apt update
Hit:1 http://security.debian.org bullseye/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye InRelease
Ign:3 http://ftp.us.debian.org/debian bullseye InRelease
Hit:4 http://deb.whonix.org bullseye InRelease
Hit:5 http://ftp.us.debian.org/debian bullseye Release
Err:7 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye/updates InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
Err:8 tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists… Done
W: Failed to fetch tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/dists/bullseye/updates/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Failed to fetch tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Some index files failed to download. They have been ignored, or old ones used instead.

user@host:~$ sudo apt update
Hit:1 http://security.debian.org bullseye/updates InRelease
Hit:2 tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion bullseye InRelease
Ign:3 http://ftp.us.debian.org/debian bullseye InRelease
Hit:4 http://deb.whonix.org bullseye InRelease
Hit:5 http://ftp.us.debian.org/debian bullseye Release
Err:7 tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion bullseye/updates InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
Err:8 tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye InRelease
SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
Reading package lists… Done
W: Failed to fetch tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/dists/bullseye/updates/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to 5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Failed to fetch tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian/dists/bullseye/InRelease SOCKS proxy socks5h://localhost:9050 could not connect to 2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion (0.0.0.0:0) due to: Host unreachable (6)
W: Some index files failed to download. They have been ignored, or old ones used instead.

Until the onion service is re-established, complete the following steps in Whonix-Gateway ™ (whonix-gw-16) and Whonix-Workstation ™ (whonix-ws-16) to circumvent the issue. ^[8] ^[9]

1. Open Debian sources.list in an editor.

Open file /etc/apt/sources.list.d/debian.list in an editor with root rights.

This box uses sudoedit for better security ^[archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/debian.list

sudoedit /etc/apt/sources.list.d/debian.list

2. Comment (#) the .onion address lines and uncomment the clearnet address lines.

The code blocks should look like this; only these entries require editing. ^[10]

deb tor+https://deb.debian.org/debian bullseye main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free

#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

deb tor+https://deb.debian.org/debian bullseye main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-updates main contrib non-free
deb tor+https://deb.debian.org/debian-security bullseye-security main contrib non-free
deb tor+https://deb.debian.org/debian bullseye-backports main contrib non-free
deb tor+https://fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free

#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
#deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

Save and exit.

3. Confirm the clearnet repositories are functional.

sudo apt update

sudo apt update

4. Optional: Revert and update the package lists.

Consider reverting these changes later on because onion repositories have various security advantages. Afterwards, apply Updates to refresh the package lists.

Updating with Extra Care[edit]

See How-to: Install or Update with Utmost Caution.

Footnotes[edit]

↑ See: How to update ^[archive].
↑ Quote ^[archive] Andrew David Wong, Community Manager, @QubesOS. CCO, Invisible Things Lab ^[archive]:
3. Selecting a VM in the Qube Manager and pressing the "Update" button. [...]. (3) is a weird in-between method that is inferior to (2). For example, historically, not all of the Salt fixes applied by (2) have been applied by (3), which is a security problem.
↑ https://forums.whonix.org/t/cant-update-any-whonixvm-in-qubes-4-0-or-whonixcheck/6023 ^[archive]
↑ Steps 1 and 2 can be combined with: upgrade-nonroot.
↑ Rollback or indefinite freeze attacks as defined by The Update Framework (TUF) - Threat Model - Attacks and Weaknesses - https://github.com/theupdateframework/tuf/blob/develop/docs/SECURITY.md ^[archive] - http://www.webcitation.org/6F7Io2ncN ^[archive].
↑ Or Whonix ™ changes can be delayed, inspected, and then backported if the effort is worth it.
↑ Whonix ™ uses package config-package-dev ^[archive] which assumes ownership of configuration files coming from “other distributions” (mostly Debian, although third party repositories might be added by users). (Whonix ™ on config-package-dev)
↑ If similar issues occur with Whonix ™ or Qubes onion services then follow the same procedure and modify the derivative.list and qubes-r4.list files, respectively.
↑ https://forums.whonix.org/t/errors-updating-september-2018/6028 ^[archive]
↑ There is no Debian onion for fasttrack yet.