Installing Newer Tor Versions
From Whonix
Introduction
It is possible to install newer Tor versions from either:
- Tor Project APT repositories; or
- Tor Project source code.
Note that a later Tor version will not always be installed from The Tor Project APT repository; in the recent past, the Debian buster repositories for packages.debian.org and deb.torproject.org had identical Tor versions. In general, as the Debian stable release ages, the likelihood of receiving a newer Tor version from deb.torproject.org increases.
The Tor Project APT Repository
If the latest Tor version from deb.torproject.org has not been fully tested by Whonix ™ developers at a specific point in time, then problems such as broken connectivity can emerge. [1] [2] Testers should always maintain a separate, working version of Whonix-Gateway ™ (sys-whonix) so future connectivity problems can be averted.
If you wish to proceed despite the risk, two steps are required:
- The deb.torproject.org repository must be enabled.
- The anon-shared-build-apt-sources-tpo package must be installed, since it enables The Tor Project's APT signing key and installs the apt source torproject.list. [3]
1. In Whonix-Gateway ™ (whonix-gw-16), update the package lists.
sudo apt update
2. Install anon-shared-build-apt-sources-tpo.
sudo apt install anon-shared-build-apt-sources-tpo
3. Optional: select an alternative Tor Project distribution for the Tor package.
Open file /etc/apt/sources.list.d/torproject.list in an editor with root rights.
This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.
sudoedit /etc/apt/sources.list.d/torproject.list
Comment out the line deb tor+https://deb.torproject.org/torproject.org bullseye main by adding a hash (#) in front of it. Enable a different distribution by removing the hash in front of its line or by adding a newer deb URI line.
Save the file.
4. Refresh the package lists. [4]
sudo apt update
5. Install the (potentially) newer version of the tor package.
This step also installs the deb.torproject.org-keyring package, which keeps the Tor Project repository apt key up-to-date.
sudo apt install tor deb.torproject.org-keyring
Onionize Tor Project APT Repository
Only follow these instructions if Newer Tor versions from The Tor Project Repository was configured. Note that The Tor Project deb apt signing key must be added first (see the prior link), or error messages will appear when completing these steps.
Whonix
This procedure works in both Non-Qubes-Whonix and Qubes-Whonix.
Run the following commands in Whonix-Gateway ™.
1. Create a torproject.list file using an editor.
Open file /etc/apt/sources.list.d/torproject.list in an editor with root rights.
sudoedit /etc/apt/sources.list.d/torproject.list
2. Cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror
#deb http://deb.torproject.org/torproject.org bullseye main
deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main
Save and exit.
Qubes Debian Templates
In Qubes R4.0 and above, Templates do not have network connections by default. This means any attempt to download the apt key in whonix-gw-16 will fail. [5]
As a workaround, the Tor apt signing key can be fetched from a (networked) anon-whonix App Qube, then copied over to whonix-gw-16 in a text file.
1. Download and verify the Tor Project deb apt signing key.
Perform the following procedure either in anon-whonix or even better in a Whonix-Workstation ™ Disposable. [6]
Note:
- Examine the following key's fingerprint. Compare the fingerprint displayed in the terminal with the one listed at this link: Tor Project: Signing Keys (.onion).
- Instead of downloading with scurl-download from https it is even safer to download using curl-download from Tor Project onion, assuming the user independently verified the onion really belongs to The Tor Project.
  curl-download http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
- Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.
Securely download the signing key.
scurl-download https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
Display the key's fingerprint.
gpg --keyid-format long --import --import-options show-only --with-fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
Verify the fingerprint. It should show the following.
Key fingerprint = A3C4 F0F9 79CA A22C DBA8 F512 EE8C BC9E 886D DD89
The most important check is confirming the key fingerprint exactly matches the output above. [7]
Do not continue if the fingerprint does not match! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.
Add the signing key.
gpg --import A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
2. Copy the Tor signing key to whonix-gw-16.
In anon-whonix, copy the A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc text file over to whonix-gw-16.
qvm-copy A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc whonix-gw-16
If the following error appears, it can be safely ignored (hit "OK" when prompted).
qfile-agent: Fatal error: stat whonix-gw-16-version (error type: No such file or directory)
3. Move the Tor signing key to the Template's home folder. [8]
Note: if using a Disposable the file path will be different.
mv ~/QubesIncoming/anon-whonix/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc ~/
4. Verify the Tor signing key again. [9]
The same verification command from step 1 can be used.
5. Add the Tor signing key to the list of trusted keys.
In whonix-gw-16, run the following.
sudo apt-key-install A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
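The fingerprint comparison in steps 1 and 4 can be done by a script instead of by eye. This is an added example, not Whonix code: the function name and the sample listings are assumptions, and it also refuses a key file that carries more than one primary key.

```shell
#!/bin/sh
# Added example, not Whonix code. The fingerprint is the one stated on this page.
EXPECTED_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

# check_key_listing EXPECTED  (reads a `gpg --with-colons` key listing on stdin)
# Succeeds only if the listing holds exactly one primary key whose fingerprint
# equals EXPECTED. A file with an extra primary key is refused, because
# importing the file would trust every key in it.
check_key_listing() {
    awk -F: -v want="$1" '
        $1 == "pub" { pubs++; primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary {      # first fpr record after a pub record
            primary = 0
            if (toupper($10) == toupper(want)) good++
            else bad++
        }
        END {
            if (pubs != 1) { print "refuse: " (pubs + 0) " primary keys in file"; exit 1 }
            if (good != 1 || bad > 0) { print "refuse: fingerprint mismatch"; exit 1 }
            print "ok: " want
        }'
}

# Constructed sample listing (dates, uid and subkey values are made up).
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:EE8CBC9E886DDD89:1250000000:::-:::scSC::::::23::0:
fpr:::::::::A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:
uid:-::::1250000000::0000::Constructed UID <key@example.invalid>::::::::::0:
sub:-:2048:1:0000000000000001:1250000000::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}
# The same listing with a second, unrelated primary key appended (constructed).
sample_two_keys() {
    sample_listing
    printf 'pub:-:2048:1:00000000000000FF:1250000000:::-:::scSC::::::23::0:\n'
    printf 'fpr:::::::::00000000000000000000000000000000000000FF:\n'
}

sample_listing  | check_key_listing "$EXPECTED_FPR"
sample_two_keys | check_key_listing "$EXPECTED_FPR" || echo "second file refused"

# Real use, gating the install on the check (KEY.asc is the downloaded file):
#   gpg --with-colons --import-options show-only --import KEY.asc \
#     | check_key_listing "$EXPECTED_FPR" && sudo apt-key-install KEY.asc
```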
Onionize the Sources File
1. To onionize Tor Project updates, first create a torproject.list file using an editor.
Open file /etc/apt/sources.list.d/torproject.list in an editor with root rights.
sudoedit /etc/apt/sources.list.d/torproject.list
2. Next, cut and paste the following text and comment out (#) the corresponding http repository.
#Tor Project Mirror
#deb http://deb.torproject.org/torproject.org bullseye main
deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main
Save and exit.
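A check for the edited torproject.list, covering both onionizing procedures above: it fails when a clearnet line was left uncommented next to the onion line. This is an added example, not Whonix code; the function name and the failing sample are assumptions.

```shell
#!/bin/sh
# Added example, not Whonix code.
# check_onion_only  (reads an apt sources list on stdin)
# Fails if any active deb/deb-src line does not use tor+http(s) to a .onion
# host, or if the file has no active line at all.
check_onion_only() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }
        {
            uri = $2
            if (uri ~ /^\[/) {                   # skip an [option=...] block
                for (i = 2; i <= NF; i++)
                    if ($i ~ /\]$/) { uri = $(i + 1); break }
            }
            active++
            if (uri !~ /^tor\+https?:\/\/[a-z2-7]+\.onion(\/.*)?$/) {
                print "not an onion entry: " $0
                bad++
            }
        }
        END {
            if (active == 0) { print "no active entries"; exit 1 }
            if (bad > 0) exit 1
            print "ok: " active " active line(s), all onion"
        }'
}

ONION="apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion"  # from this page

# The file content given on this page.
sample_good() {
    printf '%s\n' '#Tor Project Mirror' \
        '#deb http://deb.torproject.org/torproject.org bullseye main' \
        "deb tor+http://$ONION/torproject.org bullseye main"
}
# Constructed failure case: the clearnet line was left uncommented.
sample_bad() {
    printf '%s\n' 'deb http://deb.torproject.org/torproject.org bullseye main' \
        "deb tor+http://$ONION/torproject.org bullseye main"
}

sample_good | check_onion_only
sample_bad  | check_onion_only || echo "file refused"

# Real use: check_onion_only < /etc/apt/sources.list.d/torproject.list
```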
Install Tor from Source Code
All steps should be performed inside Whonix-Gateway ™ (sys-whonix).
1. Add the Debian bullseye source repository.
echo "deb-src tor+https://deb.debian.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/debian-source.list
2. Update the package lists.
sudo apt update
3. Install build dependencies for Tor.
sudo apt build-dep tor
4. Fetch the signing key. [10]
The following command using gpg with --recv-keys is not recommended for security reasons and is often non-functional. [11] This is not a Whonix ™-specific issue. The OpenPGP public key should be downloaded from the web instead; see also Secure Downloads. This procedure is currently undocumented and can be resolved as per the Free Support Principle. Documentation contributions will be happily considered.
gpg --keyserver keys.openpgp.org --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601
If the attempt fails, utilize the v3 onion service instead.
gpg --keyserver zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601
5. Download the Tor source code archive.
Note: Replace Tor version 0.4.6.5 with the actual Tor version to be downloaded.
scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz
6. Download and verify the Tor source code OpenPGP signature.
scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz.asc
gpg --verify tor-0.4.6.5.tar.gz.asc
The output should look similar to the following.
gpg: assuming signed data in 'tor-0.4.6.5.tar.gz'
gpg: Signature made Mon 09 Dec 2019 06:21:51 PM UTC
gpg: using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601
gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>" [unknown]
gpg: aka "Nick Mathewson <nickm@wangafu.net>" [unknown]
gpg: aka "Nick Mathewson <nickm@freehaven.net>" [unknown]
gpg: aka "Nick Mathewson <nickm@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB
Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601
7. Extract the Tor source code archive.
tar xvzf tor-0.4.6.5.tar.gz
8. Navigate to the Tor source code folder.
cd tor-0.4.6.5/
9. Run configure and build the binary package.
./configure
make
The build should now be finished.
10. Check the version of the built binary.
./src/app/tor --version
The output should show.
Tor version 0.4.6.5.
11. Qubes-Whonix ™ only: copy the newly built binary to Whonix-Gateway ™ TemplateVM (whonix-gw-16).
qvm-copy ./src/app/tor
12. Stop Tor.
sudo systemctl stop tor
13. Copy the newly built Tor binary to the system.
sudo cp ./src/app/tor /usr/sbin/tor
Copy the binary again. [12]
sudo cp ./src/app/tor /usr/bin/tor
14. Restart Tor.
sudo systemctl start tor
The process of installing Tor from source code is now complete.
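For step 6, gpg reports "Good signature" for any key in the keyring, so the signer's fingerprint still has to be compared with the one shown in the expected output. This added example (not Whonix or Tor Project code; function and sample names are assumptions) pins the signer by parsing gpg's machine-readable status lines.

```shell
#!/bin/sh
# Added example, not Whonix or Tor Project code.
# Fingerprints as shown in the gpg output quoted on this page.
SIGNING_SUBKEY="7A02B3521DC75C542BA015456AFEE6D49E92B601"
PRIMARY_KEY="2133BC600AB133E1D826D173FE43009C4607B1FB"

# check_sig_status SUBKEY PRIMARY
# Reads the output of `gpg --status-fd 1 --verify` on stdin and succeeds only
# if there is exactly one valid signature and it was made by the pinned key.
check_sig_status() {
    awk -v sub_fpr="$1" -v pri_fpr="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field the primary key.
        $2 == "VALIDSIG" { n++; if ($3 == sub_fpr && $NF == pri_fpr) pinned = 1 }
        END {
            if (bad)     { print "refuse: signature bad, unverifiable, or key expired/revoked"; exit 1 }
            if (n != 1)  { print "refuse: expected one VALIDSIG, got " (n + 0); exit 1 }
            if (!pinned) { print "refuse: valid signature, but not from the expected key"; exit 1 }
            print "ok: signed by " sub_fpr
        }'
}

# Constructed status output for a signature by the expected key (timestamps made up).
sample_status_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6AFEE6D49E92B601 Nick Mathewson <nickm@torproject.org>
[GNUPG:] VALIDSIG 7A02B3521DC75C542BA015456AFEE6D49E92B601 2019-12-09 1575915711 0 4 0 1 10 00 2133BC600AB133E1D826D173FE43009C4607B1FB
EOF
}
# Constructed: a cryptographically valid signature made by some other key.
sample_status_other_key() {
    printf '[GNUPG:] VALIDSIG %s 2019-12-09 1575915711 0 4 0 1 10 00 %s\n' \
        00000000000000000000000000000000000000AA 00000000000000000000000000000000000000AA
}

sample_status_good      | check_sig_status "$SIGNING_SUBKEY" "$PRIMARY_KEY"
sample_status_other_key | check_sig_status "$SIGNING_SUBKEY" "$PRIMARY_KEY" || echo "archive refused"

# Real use, before extracting the archive:
#   gpg --status-fd 1 --verify tor-0.4.6.5.tar.gz.asc tor-0.4.6.5.tar.gz 2>/dev/null \
#     | check_sig_status "$SIGNING_SUBKEY" "$PRIMARY_KEY"
```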
Footnotes
- ↑ One example in the recent past was a Tor release that contained AppArmor changes which were incompatible with one of Whonix-Gateway ™ (whonix-gw-16)'s configuration files (anon-gw-anonymizer-config's /etc/apparmor.d/local/system_tor.anondist) causing Tor's systemd unit to fail.
- ↑ Also, at the time of writing Tor v4.2.5 is non-functional in Whonix ™.
- ↑ Alternatively, The Tor Project's native instructions for Debian can be used, but the manual steps are more difficult and involved. The verification of The Tor Project APT signing key is also harder. Since you already trust Whonix ™, the logical choice is to trust another Whonix ™ package to install the right signing key.
- ↑ So the newly installed /etc/apt/sources.list.d/torproject.list takes effect.
- ↑ https://github.com/QubesOS/qubes-issues/issues/1854
- ↑ This can also be performed in a non-Whonix ™ VM. However, then scurl-download and onion access will be unavailable unless the user sets that up, which is out of scope for this documentation.
- ↑ Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
- ↑ This step is optional, but provides better usability. Advanced users can skip this step and adjust the file path.
- ↑ That is because the Template is more trusted than anon-whonix and perhaps safer from malware. If using a Disposable, the added security might be negligible.
- ↑
  - https://2019.www.torproject.org/docs/signing-keys.html.en
  - https://support.torproject.org/tbb/how-to-verify-signature/
  - stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
  - https://gitlab.torproject.org/tpo/web/support/-/issues/139
- ↑ https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
- ↑ apt-file list tor shows both locations /usr/bin/tor and /usr/sbin/tor.