├── .github └── FUNDING.yml ├── .gitignore ├── .gitlab-ci.yml ├── .gitmodules ├── .travis.yml ├── CONTRIBUTING.md ├── COPYING ├── GPLv3 ├── Makefile ├── Makefile.builder ├── README.mediawiki ├── apt-keys ├── bionic.asc └── xenial.asc ├── aptrepo_local └── conf │ ├── distributions │ └── options ├── aptrepo_remote └── conf │ ├── distributions │ └── options ├── build-steps.d ├── 1100_sanity-tests ├── 1120_prepare-build-machine ├── 1130_cowbuilder-setup ├── 1150_export-libvirt-xml ├── 1200_create-debian-packages ├── 1300_create-raw-image ├── 1700_install-packages ├── 1800_copy_vms_into_raw ├── 2300_run-chroot-scripts-post-d ├── 2350_zerofree-raw ├── 2375_build-arm64-fs ├── 2376_export-utm-packages ├── 2400_convert-raw-to-qcow2 ├── 2500_convert-raw-to-vdi ├── 2550_convert-raw-to-iso ├── 2600_create-vbox-vm ├── 2700_create-vm-text └── 2800_create-report ├── build_sources ├── debian_buster_backport_virtualbox_org.list ├── debian_sid_current_clearnet.list ├── debian_stable_current_clearnet.list ├── debian_stable_current_onion.list ├── debian_stable_frozen_clearnet.list ├── debian_stable_frozen_onion.list ├── debian_testing_current_clearnet.list ├── debian_testing_current_onion.list ├── debian_testing_frozen_clearnet.list ├── debian_testing_frozen_onion.list ├── oracle_vbox_2016.asc ├── torproject_stable_current_clearnet.list ├── torproject_stable_current_onion.list ├── torproject_testing_current_clearnet.list ├── torproject_testing_current_onion.list ├── ubuntu_bionic_clearnet.list └── ubuntu_xenial_clearnet.list ├── buildconfig.d ├── 30_apt_opts.conf ├── 30_apt_sources.conf ├── 30_custom_configs_help.conf ├── 30_debchange.conf ├── 30_dependencies.conf ├── 30_pkg_build_opts.conf ├── 30_pkg_list.conf ├── 30_skip_backup-raw-after-grml-debootstrap.conf ├── 30_skip_backup-raw-after-meta-package-install.conf ├── 30_skip_export-vbox-vm.conf ├── 30_skip_packages.conf ├── 30_skip_report.conf ├── 30_skip_sanity_checks.conf ├── 30_target_arch.conf ├── 30_upgrade_build_machine.conf 
└── 30_verifiable.conf ├── changelog.upstream ├── debian ├── changelog ├── compat ├── control ├── copyright ├── rules ├── source │ └── format ├── watch └── whonix.postinst ├── grml_packages ├── help-steps ├── analyze_image ├── chroot-raw ├── ci_git_clone_test ├── ci_package_build_test ├── ci_test ├── ci_test2 ├── ci_test3 ├── cleanup-files ├── colors ├── create-local-temp-apt-repo ├── delete-qcow ├── delete-vbox-vm ├── git_sanity_test ├── gpg_test_sign ├── mmdebstrap ├── mount-raw ├── package-sign-cmd ├── parse-cmd ├── pbuilder-chroot-script ├── pbuilder-debootstrap-command-filter ├── pbuilder-hooks │ └── G10sources_list_restore.bsh ├── policy-rc.d ├── pre ├── prevent-daemons-from-starting ├── remove-local-temp-apt-repo ├── repo_download_chroot_script ├── udevadm ├── umount_kill.sh ├── unchroot-raw ├── unmount-raw ├── unprevent-daemons-from-starting ├── variables └── vm-exists-test ├── iso ├── grub-embedded.cfg ├── grub.cfg └── isolinux.cfg ├── make-helper-overrides.bsh └── whonix_build /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: https://www.whonix.org/wiki/Donate 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## No longer ignore temporary and backup files. 2 | ## It is better when git always lists them, so they never end up in the 3 | ## source tarball. 4 | #*~ 5 | #*.kate-swp 6 | 7 | ## No longer adding .directory. 
Otherwise one would have a hard time adding 8 | ## whonix_workstation/home/user/.kde/share/apps/dolphin/view_properties/global/.directory 9 | ## to its custom build 10 | #.directory 11 | 12 | packages/.directory 13 | 14 | ## ignore kdevelop project files 15 | Whonix.kdev4 16 | .kdev4/ 17 | 18 | ## ignore temporary files for Debian package creation 19 | debian/files 20 | debian/tmp/ 21 | debian/*.debhelper* 22 | debian/*.substvars 23 | debian/*.init 24 | debian/*.default 25 | -------------------------------------------------------------------------------- /.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | stages: 2 | - build 3 | 4 | build-job: 5 | stage: build 6 | script: 7 | - ./help-steps/ci_git_clone_test 8 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "packages/anon-apps-config"] 2 | path = packages/anon-apps-config 3 | url = https://gitlab.com/whonix/anon-apps-config.git 4 | 5 | [submodule "packages/anon-apt-sources-list"] 6 | path = packages/anon-apt-sources-list 7 | url = https://gitlab.com/whonix/anon-apt-sources-list.git 8 | 9 | [submodule "packages/anon-connection-wizard"] 10 | path = packages/anon-connection-wizard 11 | url = https://gitlab.com/whonix/anon-connection-wizard.git 12 | 13 | [submodule "packages/anon-gw-anonymizer-config"] 14 | path = packages/anon-gw-anonymizer-config 15 | url = https://gitlab.com/whonix/anon-gw-anonymizer-config.git 16 | 17 | [submodule "packages/anon-gw-base-files"] 18 | path = packages/anon-gw-base-files 19 | url = https://gitlab.com/whonix/anon-gw-base-files.git 20 | 21 | [submodule "packages/anon-icon-pack"] 22 | path = packages/anon-icon-pack 23 | url = https://gitlab.com/whonix/anon-icon-pack.git 24 | 25 | [submodule "packages/anon-meta-packages"] 26 | path = packages/anon-meta-packages 27 | url = 
https://gitlab.com/whonix/anon-meta-packages.git 28 | 29 | [submodule "packages/anon-shared-build-apt-sources-tpo"] 30 | path = packages/anon-shared-build-apt-sources-tpo 31 | url = https://gitlab.com/whonix/anon-shared-build-apt-sources-tpo.git 32 | 33 | [submodule "packages/anon-ws-base-files"] 34 | path = packages/anon-ws-base-files 35 | url = https://gitlab.com/whonix/anon-ws-base-files.git 36 | 37 | [submodule "packages/anon-ws-disable-stacked-tor"] 38 | path = packages/anon-ws-disable-stacked-tor 39 | url = https://gitlab.com/whonix/anon-ws-disable-stacked-tor.git 40 | 41 | [submodule "packages/apparmor-profile-dist"] 42 | path = packages/apparmor-profile-dist 43 | url = https://gitlab.com/whonix/apparmor-profile-dist.git 44 | 45 | [submodule "packages/apparmor-profile-everything"] 46 | path = packages/apparmor-profile-everything 47 | url = https://gitlab.com/whonix/apparmor-profile-everything.git 48 | 49 | [submodule "packages/apparmor-profile-hexchat"] 50 | path = packages/apparmor-profile-hexchat 51 | url = https://gitlab.com/whonix/apparmor-profile-hexchat.git 52 | 53 | [submodule "packages/apparmor-profile-thunderbird"] 54 | path = packages/apparmor-profile-thunderbird 55 | url = https://gitlab.com/whonix/apparmor-profile-thunderbird.git 56 | 57 | [submodule "packages/apparmor-profile-torbrowser"] 58 | path = packages/apparmor-profile-torbrowser 59 | url = https://gitlab.com/whonix/apparmor-profile-torbrowser.git 60 | 61 | [submodule "packages/binaries-freedom"] 62 | path = packages/binaries-freedom 63 | url = https://gitlab.com/whonix/binaries-freedom.git 64 | 65 | [submodule "packages/bindp"] 66 | path = packages/bindp 67 | url = https://gitlab.com/whonix/bindp.git 68 | 69 | [submodule "packages/bootclockrandomization"] 70 | path = packages/bootclockrandomization 71 | url = https://gitlab.com/whonix/bootclockrandomization.git 72 | 73 | [submodule "packages/corridor"] 74 | path = packages/corridor 75 | url = https://gitlab.com/whonix/corridor.git 76 | 
77 | [submodule "packages/damngpl"] 78 | path = packages/damngpl 79 | url = https://gitlab.com/whonix/damngpl.git 80 | 81 | [submodule "packages/debug-misc"] 82 | path = packages/debug-misc 83 | url = https://gitlab.com/whonix/debug-misc.git 84 | 85 | [submodule "packages/dist-base-files"] 86 | path = packages/dist-base-files 87 | url = https://gitlab.com/whonix/dist-base-files.git 88 | 89 | [submodule "packages/genmkfile"] 90 | path = packages/genmkfile 91 | url = https://gitlab.com/whonix/genmkfile.git 92 | 93 | [submodule "packages/gpg-bash-lib"] 94 | path = packages/gpg-bash-lib 95 | url = https://gitlab.com/whonix/gpg-bash-lib.git 96 | 97 | [submodule "packages/grub-live"] 98 | path = packages/grub-live 99 | url = https://gitlab.com/whonix/grub-live.git 100 | 101 | [submodule "packages/hardened-kernel"] 102 | path = packages/hardened-kernel 103 | url = https://gitlab.com/whonix/hardened-kernel.git 104 | 105 | [submodule "packages/hardened_malloc"] 106 | path = packages/hardened_malloc 107 | url = https://gitlab.com/whonix/hardened_malloc.git 108 | 109 | [submodule "packages/helper-scripts"] 110 | path = packages/helper-scripts 111 | url = https://gitlab.com/whonix/helper-scripts.git 112 | 113 | [submodule "packages/kicksecure-base-files"] 114 | path = packages/kicksecure-base-files 115 | url = https://gitlab.com/whonix/kicksecure-base-files.git 116 | 117 | [submodule "packages/kicksecure-meta-packages"] 118 | path = packages/kicksecure-meta-packages 119 | url = https://gitlab.com/whonix/kicksecure-meta-packages.git 120 | 121 | [submodule "packages/kicksecure-network-conf"] 122 | path = packages/kicksecure-network-conf 123 | url = https://gitlab.com/whonix/kicksecure-network-conf.git 124 | 125 | [submodule "packages/kloak"] 126 | path = packages/kloak 127 | url = https://gitlab.com/whonix/kloak.git 128 | 129 | [submodule "packages/live-config-dist"] 130 | path = packages/live-config-dist 131 | url = https://gitlab.com/whonix/live-config-dist.git 132 | 133 | 
[submodule "packages/lkrg"] 134 | path = packages/lkrg 135 | url = https://gitlab.com/whonix/lkrg.git 136 | 137 | [submodule "packages/monero-gui"] 138 | path = packages/monero-gui 139 | url = https://gitlab.com/whonix/monero-gui.git 140 | 141 | [submodule "packages/msgcollector"] 142 | path = packages/msgcollector 143 | url = https://gitlab.com/whonix/msgcollector.git 144 | 145 | [submodule "packages/onion-grater"] 146 | path = packages/onion-grater 147 | url = https://gitlab.com/whonix/onion-grater.git 148 | 149 | [submodule "packages/open-link-confirmation"] 150 | path = packages/open-link-confirmation 151 | url = https://gitlab.com/whonix/open-link-confirmation.git 152 | 153 | [submodule "packages/qubes-whonix"] 154 | path = packages/qubes-whonix 155 | url = https://gitlab.com/whonix/qubes-whonix.git 156 | 157 | [submodule "packages/rads"] 158 | path = packages/rads 159 | url = https://gitlab.com/whonix/rads.git 160 | 161 | [submodule "packages/repository-dist"] 162 | path = packages/repository-dist 163 | url = https://gitlab.com/whonix/repository-dist.git 164 | 165 | [submodule "packages/ro-mode-init"] 166 | path = packages/ro-mode-init 167 | url = https://gitlab.com/whonix/ro-mode-init.git 168 | 169 | [submodule "packages/sandbox-app-launcher"] 170 | path = packages/sandbox-app-launcher 171 | url = https://gitlab.com/whonix/sandbox-app-launcher.git 172 | 173 | [submodule "packages/sdwdate"] 174 | path = packages/sdwdate 175 | url = https://gitlab.com/whonix/sdwdate.git 176 | 177 | [submodule "packages/sdwdate-gui"] 178 | path = packages/sdwdate-gui 179 | url = https://gitlab.com/whonix/sdwdate-gui.git 180 | 181 | [submodule "packages/security-misc"] 182 | path = packages/security-misc 183 | url = https://gitlab.com/whonix/security-misc.git 184 | 185 | [submodule "packages/serial-console-enable"] 186 | path = packages/serial-console-enable 187 | url = https://gitlab.com/whonix/serial-console-enable.git 188 | 189 | [submodule "packages/setup-dist"] 190 | path = 
packages/setup-dist 191 | url = https://gitlab.com/whonix/setup-dist.git 192 | 193 | [submodule "packages/setup-wizard-dist"] 194 | path = packages/setup-wizard-dist 195 | url = https://gitlab.com/whonix/setup-wizard-dist.git 196 | 197 | [submodule "packages/swap-file-creator"] 198 | path = packages/swap-file-creator 199 | url = https://gitlab.com/whonix/swap-file-creator.git 200 | 201 | [submodule "packages/systemcheck"] 202 | path = packages/systemcheck 203 | url = https://gitlab.com/whonix/systemcheck.git 204 | 205 | [submodule "packages/tb-default-browser"] 206 | path = packages/tb-default-browser 207 | url = https://gitlab.com/whonix/tb-default-browser.git 208 | 209 | [submodule "packages/tb-starter"] 210 | path = packages/tb-starter 211 | url = https://gitlab.com/whonix/tb-starter.git 212 | 213 | [submodule "packages/tb-updater"] 214 | path = packages/tb-updater 215 | url = https://gitlab.com/whonix/tb-updater.git 216 | 217 | [submodule "packages/timesanitycheck"] 218 | path = packages/timesanitycheck 219 | url = https://gitlab.com/whonix/timesanitycheck.git 220 | 221 | [submodule "packages/tirdad"] 222 | path = packages/tirdad 223 | url = https://gitlab.com/whonix/tirdad.git 224 | 225 | [submodule "packages/tor-control-panel"] 226 | path = packages/tor-control-panel 227 | url = https://gitlab.com/whonix/tor-control-panel.git 228 | 229 | [submodule "packages/tor-ctrl"] 230 | path = packages/tor-ctrl 231 | url = https://gitlab.com/whonix/tor-ctrl.git 232 | 233 | [submodule "packages/usability-misc"] 234 | path = packages/usability-misc 235 | url = https://gitlab.com/whonix/usability-misc.git 236 | 237 | [submodule "packages/uwt"] 238 | path = packages/uwt 239 | url = https://gitlab.com/whonix/uwt.git 240 | 241 | [submodule "packages/vm-config-dist"] 242 | path = packages/vm-config-dist 243 | url = https://gitlab.com/whonix/vm-config-dist.git 244 | 245 | [submodule "packages/whonix-base-files"] 246 | path = packages/whonix-base-files 247 | url = 
https://gitlab.com/whonix/whonix-base-files.git 248 | 249 | [submodule "packages/whonix-developer-meta-files"] 250 | path = packages/whonix-developer-meta-files 251 | url = https://gitlab.com/whonix/whonix-developer-meta-files.git 252 | 253 | [submodule "packages/whonix-firewall"] 254 | path = packages/whonix-firewall 255 | url = https://gitlab.com/whonix/whonix-firewall.git 256 | 257 | [submodule "packages/whonix-gw-network-conf"] 258 | path = packages/whonix-gw-network-conf 259 | url = https://gitlab.com/whonix/whonix-gw-network-conf.git 260 | 261 | [submodule "packages/whonix-initializer"] 262 | path = packages/whonix-initializer 263 | url = https://gitlab.com/whonix/whonix-initializer.git 264 | 265 | [submodule "packages/whonix-legacy"] 266 | path = packages/whonix-legacy 267 | url = https://gitlab.com/whonix/whonix-legacy.git 268 | 269 | [submodule "packages/whonix-libvirt"] 270 | path = packages/whonix-libvirt 271 | url = https://gitlab.com/whonix/whonix-libvirt.git 272 | 273 | [submodule "packages/whonix-welcome-page"] 274 | path = packages/whonix-welcome-page 275 | url = https://gitlab.com/whonix/whonix-welcome-page.git 276 | 277 | [submodule "packages/whonix-ws-network-conf"] 278 | path = packages/whonix-ws-network-conf 279 | url = https://gitlab.com/whonix/whonix-ws-network-conf.git 280 | 281 | [submodule "packages/whonix-xfce-desktop-config"] 282 | path = packages/whonix-xfce-desktop-config 283 | url = https://gitlab.com/whonix/whonix-xfce-desktop-config.git 284 | 285 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | dist: bionic 2 | 3 | sudo: required 4 | language: generic 5 | 6 | git: 7 | depth: false 8 | 9 | before_install: 10 | - sudo apt-get -q update 11 | - sudo apt-get -y install apt-cacher-ng net-tools 12 | 13 | services: 14 | - docker 15 | 16 | jobs: 17 | include: 18 | - stage: stages test 19 | script: 20 | - 
/bin/true 21 | - stage: git clone test 22 | script: ./help-steps/ci_git_clone_test 23 | - stage: mmdebstrap based test with apt-cacher-ng 24 | script: ./help-steps/ci_test3 25 | - stage: Debian docker based package building test 26 | env: TRAVIS_DEBIAN_GIT_BUILDPACKAGE=./help-steps/ci_package_build_test 27 | script: wget -O- https://raw.githubusercontent.com/adrelanos/travis.debian.net/gh-pages/script.sh | sh - 28 | - stage: Debian docker based package installation test 29 | env: TRAVIS_DEBIAN_GIT_BUILDPACKAGE=./help-steps/ci_test 30 | script: wget -O- https://raw.githubusercontent.com/adrelanos/travis.debian.net/gh-pages/script.sh | sh - 31 | - stage: mmdebstrap based test without apt-cacher-ng 32 | script: ./help-steps/ci_test2 33 | 34 | if: 35 | tag IS blank 36 | 37 | env: 38 | global: 39 | - TRAVIS_DEBIAN_NO_BUILD=true 40 | - TRAVIS_DEBIAN_DISTRIBUTION=bullseye 41 | ## required for firmware-nonfreedom 42 | - TRAVIS_DEBIAN_COMPONENTS="main contrib non-free" 43 | - TRAVIS_DEBIAN_SECURITY_UPDATES=true 44 | ## no longer global 45 | #- TRAVIS_DEBIAN_GIT_BUILDPACKAGE=./help-steps/ci_test 46 | - TRAVIS_DEBIAN_GIT_BUILDPACKAGE_OPTIONS=" " 47 | #- TRAVIS_DEBIAN_AUTOPKGTEST=true 48 | - TRAVIS_DEBIAN_NETWORK_ENABLED=true 49 | - TRAVIS_DEBIAN_EXTRA_PACKAGES="lintian sudo" 50 | - TRAVIS_DEBIAN_BUILD_DIR=/home/travis/build-dir 51 | - TRAVIS_DEBIAN_TARGET_DIR=/home/travis/build-result 52 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Conditions for Contributions to Whonix 2 | 3 | By contributing to Whonix, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. 
4 | 5 | https://www.whonix.org/wiki/Privacy_Policy 6 | 7 | https://www.whonix.org/wiki/Cookie_Policy 8 | 9 | https://www.whonix.org/wiki/Terms_of_Service 10 | 11 | https://www.whonix.org/wiki/E-Sign_Consent 12 | 13 | Conditions for Contributions to Whonix are not part of Whonix's license. 14 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | 3 | Files: * 4 | Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP 5 | License: GPL-3+-with-additional-terms-1 6 | This program is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | . 11 | This program is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | . 16 | You should have received a copy of the GNU General Public License 17 | along with this program. If not, see <http://www.gnu.org/licenses/>. 18 | . 19 | On Debian systems, the full text of the GNU General Public 20 | License version 3 can be found in the file 21 | `/usr/share/common-licenses/GPL-3'. 22 | . 23 | ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 24 | . 25 | 1. Replacement of Section 15. Section 15 of the GPL shall be deleted in its 26 | entirety and replaced with the following: 27 | . 28 | 15. Disclaimer of Warranty. 29 | . 30 | THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, 31 | INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR 32 | PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. 
THE PROGRAM IS BEING 33 | DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR 34 | REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 35 | PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 36 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 37 | . 38 | 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its 39 | entirety and replaced with the following: 40 | . 41 | 16. LIMITATION OF LIABILITY. 42 | . 43 | UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY 44 | OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE 45 | LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY 46 | DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, 47 | INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN 48 | CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH 49 | THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED 50 | INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE 51 | PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER 52 | OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH 53 | DAMAGES COULD HAVE BEEN FORESEEN. 54 | . 55 | 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully 56 | all trademark, copyright and other proprietary and legal notices on any copies 57 | of the Program or any other required author attributions. This license does not 58 | grant you rights to use any copyright holder or any other party's name, logo, or 59 | trademarks. Neither the name of the copyright holder or its affiliates, or any 60 | other party who modifies and/or conveys the Program may be used to endorse or 61 | promote products derived from this software without specific prior written 62 | permission. 
The origin of the Program must not be misrepresented; you must not 63 | claim that you wrote the original Program. Altered source versions must be 64 | plainly marked as such, and must not be misrepresented as being the original 65 | Program. 66 | . 67 | 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT 68 | OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, 69 | YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND 70 | AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF 71 | ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE 72 | ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR 73 | IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. 74 | 75 | Files: help-steps/grml-debootstrap 76 | Upstream-Name: grml-debootstrap 77 | Upstream-Contact: Michael Prokop 78 | Source: http://git.grml.org/?p=grml-debootstrap.git;a=summary 79 | Copyright: 2006-2016, Michael Prokop 80 | 2014, 2015, Sebastian Pipping 81 | 2014, Patrick Schleizer 82 | 2013, 2014, Markus Rekkenbeil 83 | 2012, 2013, Evgeni Golov 84 | 2012, Darshaka Pathirana 85 | 2010, 2011, 2013, 2014, Christian Hofstaedtler 86 | 2009, 2010, 2011, Ulrich Dangel 87 | 2009, Michael Gebetsroither 88 | 2008, 2010, Tong Sun 89 | 2007, Alexander Wirt 90 | License: GPL-2+ 91 | This package is free software; you can redistribute it and/or modify 92 | it under the terms of the GNU General Public License as published by 93 | the Free Software Foundation; either version 2 of the License, or 94 | (at your option) any later version. 95 | . 96 | This package is distributed in the hope that it will be useful, 97 | but WITHOUT ANY WARRANTY; without even the implied warranty of 98 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 99 | GNU General Public License for more details. 100 | . 
101 | You should have received a copy of the GNU General Public License 102 | along with this package; if not, write to the Free Software 103 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 104 | . 105 | On Debian systems, the complete text of the GNU General Public License, 106 | version 2 can be found in `/usr/share/common-licenses/GPL-2'. 107 | 108 | Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 109 | Upstream-Name: mmdebstrap 110 | Upstream-Contact: Johannes 'josch' Schauer 111 | Source: https://gitlab.mister-muffin.de/josch/mmdebstrap/ 112 | 113 | Files: help-steps/mmdebstrap 114 | Copyright: 2018, Johannes 'josch' Schauer 115 | License: Expat 116 | Permission is hereby granted, free of charge, to any person obtaining 117 | a copy of this software and associated documentation files (the 118 | "Software"), to deal in the Software without restriction, including 119 | without limitation the rights to use, copy, modify, merge, publish, 120 | distribute, sublicense, and/or sell copies of the Software, and to 121 | permit persons to whom the Software is furnished to do so, subject to 122 | the following conditions: 123 | . 124 | The above copyright notice and this permission notice shall be included 125 | in all copies or substantial portions of the Software. 126 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | ## genmkfile - Makefile - version 1.7 7 | 8 | ## This is a copy. 
9 | ## master location: 10 | ## https://github.com/Whonix/genmkfile/blob/master/usr/share/genmkfile/Makefile 11 | 12 | .PHONY: about 13 | 14 | GENMKFILE_NAME ?= makefile-full 15 | GENMKFILE_BOOTSTRAP_ONE ?= ./packages/genmkfile/usr/share/genmkfile 16 | GENMKFILE_BOOTSTRAP_TWO ?= ./usr/share/genmkfile 17 | GENMKFILE_ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) 18 | GENMKFILE_CURRENT := $(CURDIR)/$(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST)) 19 | 20 | ifndef GENMKFILE_INCLUDE_FILE_MAIN 21 | ifneq (,$(wildcard $(GENMKFILE_BOOTSTRAP_ONE))) 22 | GENMKFILE_PATH ?= $(GENMKFILE_BOOTSTRAP_ONE) 23 | GENMKFILE_INCLUDE_FILE_MAIN := $(GENMKFILE_BOOTSTRAP_ONE)/$(GENMKFILE_NAME) 24 | else ifneq (,$(wildcard $(GENMKFILE_BOOTSTRAP_TWO))) 25 | GENMKFILE_PATH ?= $(GENMKFILE_BOOTSTRAP_TWO) 26 | GENMKFILE_INCLUDE_FILE_MAIN := $(GENMKFILE_BOOTSTRAP_TWO)/$(GENMKFILE_NAME) 27 | else 28 | GENMKFILE_PATH ?= /usr/share/genmkfile 29 | GENMKFILE_INCLUDE_FILE_MAIN := $(GENMKFILE_PATH)/$(GENMKFILE_NAME) 30 | endif 31 | endif 32 | 33 | export GENMKFILE_NAME 34 | export GENMKFILE_PATH 35 | export GENMKFILE_ROOT_DIR 36 | export GENMKFILE_INCLUDE_FILE_MAIN 37 | export GENMKFILE_CURRENT 38 | 39 | about: 40 | @echo "GENMKFILE_CURRENT: $(GENMKFILE_CURRENT)" 41 | 42 | ifdef GENMKFILE_INCLUDE_FILE_PRE 43 | ifeq (,$(wildcard $(GENMKFILE_INCLUDE_FILE_PRE))) 44 | $(error GENMKFILE_INCLUDE_FILE_PRE $(GENMKFILE_INCLUDE_FILE_PRE) does not exist!) 45 | else 46 | include $(GENMKFILE_INCLUDE_FILE_PRE) 47 | endif 48 | endif 49 | 50 | ifneq ($(GENMKFILE_INCLUDE_FILE_MAIN),0) 51 | ifeq (,$(wildcard $(GENMKFILE_INCLUDE_FILE_MAIN))) 52 | $(error GENMKFILE_INCLUDE_FILE_MAIN $(GENMKFILE_INCLUDE_FILE_MAIN) does not exist! Is the build dependency genmkfile installed?) 
53 | else 54 | include $(GENMKFILE_INCLUDE_FILE_MAIN) 55 | endif 56 | endif 57 | 58 | ifdef GENMKFILE_INCLUDE_FILE_POST 59 | ifeq (,$(wildcard $(GENMKFILE_INCLUDE_FILE_POST))) 60 | $(error GENMKFILE_INCLUDE_FILE_POST $(GENMKFILE_INCLUDE_FILE_POST) does not exist!) 61 | else 62 | include $(GENMKFILE_INCLUDE_FILE_POST) 63 | endif 64 | endif 65 | -------------------------------------------------------------------------------- /Makefile.builder: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | ## Empty Makefile.builder to prevent Qubes Builder from trying to build this 7 | ## and failing. 8 | ## https://phabricator.whonix.org/T404 9 | ## Using this workaround until Qubes Builder supports building Whonix packages. 10 | ## https://phabricator.whonix.org/T402 11 | -------------------------------------------------------------------------------- /README.mediawiki: -------------------------------------------------------------------------------- 1 | 5 | 9 | = About Whonix = 10 | Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. 11 | 12 | Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. 13 | 14 | To learn more about security and anonymity under Whonix, please continue to the [https://www.whonix.org/wiki/About About Whonix] page. 
15 | 16 | '''[https://www.whonix.org/wiki/Download Download Whonix]''' 17 | 18 | = Build Whonix = 19 | Verbose build instructions and steps for redistribution can be found [https://www.whonix.org/wiki/Dev/Build_Documentation here]. 20 | 21 | = Contribute = 22 | Either work on any of the [https://github.com/Whonix/Whonix/issues open tickets] or suggest and implement any of your own ideas. See also our [https://www.whonix.org/wiki/Contribute contribute] page. Report issues you may find with Whonix or with the building process. Sign up for the [https://www.whonix.org/forum/ Whonix Development Forum] and say hi. For any questions/discussion, ask in the forums or github issues. Additionally, you may improve our online representation by contributing to [https://github.com/Whonix/EgoBits1.github.io this] project. 23 | 24 | = Build Status = 25 | 29 | 30 | * Status: loading... | ([[Dev/Continuous_Integration#Travis_CI|Travis CI]]) ([https://travis-ci.org/Whonix/Whonix/branches Log]) 31 | -------------------------------------------------------------------------------- /aptrepo_local/conf/distributions: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | Origin: whonix 5 | Label: Whonix 6 | Codename: local 7 | Architectures: amd64 arm64 armel armhf hurd-i386 hurd-amd64 i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64 ppc64el s390x sparc source 8 | Components: main contrib non-free 9 | Description: Whonix local APT Repository for building from source code 10 | #ValidFor: 1m 11 | -------------------------------------------------------------------------------- /aptrepo_local/conf/options: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | verbose 5 | ask-passphrase 6 | basedir . 
7 | -------------------------------------------------------------------------------- /aptrepo_remote/conf/distributions: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | Origin: whonix 5 | Label: Whonix 6 | Codename: bullseye 7 | Architectures: amd64 arm64 armel armhf hurd-i386 hurd-amd64 i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64 ppc64el s390x sparc source 8 | Components: main contrib non-free 9 | Description: Whonix bullseye APT Repository 10 | SignWith: 0x8D66066A2EEACCDA 11 | ValidFor: 1m 12 | 13 | Origin: whonix 14 | Label: Whonix 15 | Codename: bullseye-proposed-updates 16 | Architectures: amd64 arm64 armel armhf hurd-i386 hurd-amd64 i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64 ppc64el s390x sparc source 17 | Components: main contrib non-free 18 | Description: Whonix stable fixes testing APT Repository 19 | SignWith: 0x8D66066A2EEACCDA 20 | ValidFor: 1m 21 | 22 | Origin: whonix 23 | Label: Whonix 24 | Codename: bullseye-testers 25 | Architectures: amd64 arm64 armel armhf hurd-i386 hurd-amd64 i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64 ppc64el s390x sparc source 26 | Components: main contrib non-free 27 | Description: Whonix bullseye Testers APT Repository 28 | SignWith: 0x8D66066A2EEACCDA 29 | ValidFor: 1m 30 | 31 | Origin: whonix 32 | Label: Whonix 33 | Codename: bullseye-developers 34 | Architectures: amd64 arm64 armel armhf hurd-i386 hurd-amd64 i386 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc ppc64 ppc64el s390x sparc source 35 | Components: main contrib non-free 36 | Description: Whonix Developers APT Repository 37 | SignWith: 0x8D66066A2EEACCDA 38 | ValidFor: 1m 39 | -------------------------------------------------------------------------------- /aptrepo_remote/conf/options: -------------------------------------------------------------------------------- 1 | 
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | verbose 5 | ask-passphrase 6 | basedir . 7 | -------------------------------------------------------------------------------- /build-steps.d/1100_sanity-tests: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | ## TODO 18 | #VMNAME="internalrun" 19 | 20 | source pre 21 | source colors 22 | source variables 23 | 24 | cd "$MYDIR" 25 | cd .. 26 | 27 | 28 | check-source-folder-permissions() { 29 | ## Debugging. 30 | true "${bold}${cyan}INFO: PWD: $PWD ${reset}" 31 | 32 | ## Checking if Whonix's source folder has been obtained (git cloned) as user or root. 33 | 34 | stat_output_owner="$(stat -c %U "$BASH_SOURCE")" 35 | stat_output_group="$(stat -c %G "$BASH_SOURCE")" 36 | 37 | if [ "$stat_output_owner" = "root" ]; then 38 | error "${bold}${red}ERROR $BASH_SOURCE: Is owned by root user! Instructions say you should get Whonix's source code as user, not root! \ 39 | Please delete Whonix's source code folder and get it again as user, not root!${reset}" 40 | fi 41 | 42 | if [ "$stat_output_group" = "root" ]; then 43 | error "${bold}${red}ERROR $BASH_SOURCE: Is owned by root group! Instructions say you should get Whonix's source code as user, not root! \ 44 | Please delete Whonix's source code folder and get it again as user, not root!${reset}" 45 | fi 46 | } 47 | 48 | check-copy-vms-into-raw() { 49 | if [ "$WHONIX_BUILD_INTERNALRUN" = "1" ]; then 50 | return 0 51 | fi 52 | 53 | if [ "$WHONIX_BUILD_TYPE" = "kicksecure" ]; then 54 | true "INFO: kicksecure does not copy VM images into the build, ok." 
55 | return 0 56 | fi 57 | 58 | if [ ! "$WHONIX_BUILD_ISO" = "true" ]; then 59 | return 0 60 | fi 61 | 62 | local help_text 63 | help_text="A much later build step would try to copy these into the raw image and fail. Therefore we test it already here and fail early. 64 | 65 | ########## 66 | If you want to do a debug build, perhaps create empty files? 67 | 68 | qemu-img create -f qcow2 $copy_vms_into_raw_file_one 1M 69 | qemu-img create -f qcow2 $copy_vms_into_raw_file_two 1M 70 | ########## 71 | If you want to do a debug build, manually set which files you like to copy into the raw image using build configuration variables? 72 | 73 | copy_vms_into_raw_file_one=$WHONIX_BINARY/Whonix-Gateway.qcow2 copy_vms_into_raw_file_two=$WHONIX_BINARY/Whonix-Workstation.qcow2 74 | ##########" 75 | 76 | if [ ! -f "$copy_vms_into_raw_file_one" ]; then 77 | error "Whonix VMs need to be build first before Whonix host can be build. 78 | 79 | copy_vms_into_raw_file_one '$copy_vms_into_raw_file_one' does not exist! 80 | 81 | $help_text" 82 | fi 83 | if [ ! -f "$copy_vms_into_raw_file_two" ]; then 84 | error "Whonix VMs need to be build first before Whonix host can be build 85 | 86 | copy_vms_into_raw_file_two '$copy_vms_into_raw_file_two' does not exist! 87 | 88 | $help_text" 89 | fi 90 | } 91 | 92 | check-virtualbox-vm-exists() { 93 | if [ "$WHONIX_BUILD_INTERNALRUN" = "1" ]; then 94 | return 0 95 | fi 96 | if [ ! "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then 97 | return 0 98 | fi 99 | 100 | ## VirtualBox might not be installed at this point. 101 | ## Trying anyway, in case this script has already been run and installed 102 | ## VirtualBox beforehand. 103 | 104 | local command_v_exit_code="0" 105 | command -v VBoxManage >/dev/null || { command_v_exit_code="$?" ; true; } 106 | 107 | if [ ! 
"$command_v_exit_code" = "0" ]; then 108 | true "${cyan}INFO: VBoxManage command not yet available, ok.${reset}" 109 | return 0 110 | fi 111 | 112 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/vm-exists-test" 113 | 114 | true 115 | } 116 | 117 | check_required_packages_installed() { 118 | local required_packages_list required_package_item 119 | local required_packages_list="git time curl apt-cacher-ng lsb-release fakeroot fasttrack-archive-keyring" 120 | 121 | for required_package_item in $required_packages_list ; do 122 | if ! dpkg-query --show --showformat='${Version}' "$required_package_item" ; then 123 | error "${bold}${red}ERROR $BASH_SOURCE: Required package '$required_package_item' missing. Run: 124 | 125 | sudo apt-get update 126 | 127 | sudo apt-get install $required_packages_list${reset}" 128 | fi 129 | done 130 | } 131 | 132 | main() { 133 | root_check "$@" 134 | check-source-folder-permissions "$@" 135 | check-copy-vms-into-raw "$@" 136 | check-virtualbox-vm-exists "$@" 137 | check_required_packages_installed "$@" 138 | 139 | ## provided by help-steps/pre 140 | signing_key "$@" 141 | 142 | source "$WHONIX_SOURCE_HELP_STEPS_FOLDER/git_sanity_test" 143 | 144 | git_sanity_test_main "$@" 145 | } 146 | 147 | main "$@" 148 | -------------------------------------------------------------------------------- /build-steps.d/1120_prepare-build-machine: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | ## TODO 18 | #VMNAME="internalrun" 19 | 20 | source pre 21 | source colors 22 | source variables 23 | 24 | cd "$MYDIR" 25 | cd .. 
26 | ## Prepare the build machine: create the build user if it is missing, add it to the sudo group, update the git submodules, then (further below) refresh APT and install the build dependencies. 27 | build_machine_setup() { 28 | if [ "$WHONIX_BUILD_FAST1" = "1" ]; then 29 | true "${bold}${cyan}INFO: run with '--fast 1' switch, skipping $BASH_SOURCE. ${reset}" 30 | exit 0 31 | fi 32 | 33 | ## {{ users and groups 34 | 35 | ## Check whether user "$user_name" already exists. Exit code 1 from 'id' leads to account creation, 0 means the account is already there, anything else is reported as an error. 36 | local id_exit_code 37 | id_exit_code="0" 38 | id "$user_name" || { id_exit_code="$?" ; true; }; 39 | if [ "$id_exit_code" = "1" ]; then 40 | true 'INFO: Creating user "$user_name" with password "changeme", because some things have to be run as "$user_name".' 41 | if command -v qubesdb-read >/dev/null 2>&1 ; then 42 | password="" 43 | else 44 | ## Set the password of the newly created user "$user_name" to "changeme". 45 | ## NOTE(review): "changeme" is a publicly documented default and this account is added to the sudo group below, so change or lock the password on any build machine that other people or networks can reach. When qubesdb-read is available an empty value is passed to 'useradd --password' instead - confirm the login behaviour that results from it. 46 | ## How this password hash was created: 47 | ## sudo apt-get install whois 48 | ## mkpasswd 49 | ## changeme 50 | ## Resulted in: aTayYxVyw5kDo (13 characters, which looks like a traditional DES crypt(3) hash - TODO confirm) 51 | password="aTayYxVyw5kDo" 52 | fi 53 | useradd --password "$password" --user-group --create-home --shell /bin/bash "$user_name" 54 | elif [ "$id_exit_code" = "0" ]; then 55 | true "${cyan}INFO: Not creating user \"$user_name\" with password \"changeme\", because it already exists.${reset}" 56 | else 57 | true "${red}${bold}ERROR: id_exit_code was neither 1 or 0, it was: ${id_exit_code}${reset}" 58 | error "See above!" 59 | fi 60 | 61 | ## Add user to sudo group. 62 | addgroup "$user_name" sudo 63 | 64 | ## }} 65 | 66 | if [ ! "$WHONIX_BUILD_UNATTENDED_PKG_INSTALL" = "1" ]; then 67 | ## Always keep old configuration file. Do not prompt to install new config files. NOTE(review): this branch runs when WHONIX_BUILD_UNATTENDED_PKG_INSTALL is not "1" - confirm the condition is intended. 68 | local apt_unattended_opts="--option Dpkg::Options=--force-confold" 69 | fi 70 | 71 | ## Debugging. 72 | true 'INFO: Benchmarking "sudo $SUDO_OPTS echo "This is a test echo." using "time"...' 73 | time sudo $SUDO_OPTS echo "This is a test echo." 74 | 75 | true "INFO: Updating git sub modules..." 76 | 77 | sudo $SUDO_OPTS git submodule sync --recursive 78 | sudo $SUDO_OPTS git submodule update --init --recursive --jobs=200 79 | 80 | true "INFO: Updated git sub modules." 
81 | 82 | apt-get \ 83 | ${APTGETOPT[@]} \ 84 | -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \ 85 | -o Dir::Etc::sourceparts="-" \ 86 | update 87 | 88 | if [ ! "$WHONIX_BUILD_UPGRADE_BUILD_MACHINE" = "0" ]; then 89 | ## Update package lists and upgrade. 90 | apt-get \ 91 | ${APTGETOPT[@]} \ 92 | -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \ 93 | -o Dir::Etc::sourceparts="-" \ 94 | $apt_unattended_opts \ 95 | --no-install-recommends \ 96 | --yes \ 97 | dist-upgrade 98 | fi 99 | 100 | ############################################### 101 | ## Build Dependencies for Whonix Build Script # 102 | ############################################### 103 | local packages_to_be_installed 104 | packages_to_be_installed+=" $whonix_build_script_build_dependency " 105 | 106 | if [ "$eatmydata_install" = "true" ]; then 107 | true "INFO: Installing eatmydata, because using '--unsafe-io true'." 108 | packages_to_be_installed+=" $eatmydata " 109 | else 110 | true "INFO: Not installing eatmydata, because not using '--unsafe-io true'." 
111 | fi 112 | 113 | if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then 114 | ########################################### 115 | ## Build Dependency for Bare Metal Builds # 116 | ########################################### 117 | local bare_metal_basic_package_list 118 | bare_metal_basic_package_list="$(grep -vE "^\s*#" "$WHONIX_SOURCE_FOLDER/grml_packages" | tr "\n" " ")" 119 | packages_to_be_installed+=" $bare_metal_basic_package_list " 120 | else 121 | if [ "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then 122 | ####################################################################### 123 | ## Build Dependencies for creating VirtualBox Images (.vdi and .ova) # 124 | ####################################################################### 125 | ## uname -r returns on Qubes: 126 | ## 4.4.31-11.pvops.qubes.x86_64 127 | local linux_headers 128 | if command -v qubesdb-read >/dev/null 2>&1 ; then 129 | linux_headers="linux-headers-amd64" 130 | else 131 | linux_headers="linux-headers-${host_architecture}" 132 | fi 133 | packages_to_be_installed+=" $linux_headers " 134 | 135 | true "INFO: Checking if VirtualBox is already installed..." 136 | if virtualbox_version_installed="$(dpkg-query --show --showformat='${Version}' "virtualbox")" ; then 137 | true "INFO: virtualbox is already installed." 138 | elif virtualbox_version_installed="$(dpkg-query --show --showformat='${Version}' "virtualbox-6.1")" ; then 139 | true "INFO: virtualbox-6.1 is already installed." 140 | else 141 | true "${red}${bold}ERROR: Neither package virtualbox nor package virtualbox-6.1 is installed. Please install as per build documentation.${reset}" 142 | error "See above!" 
143 | fi 144 | 145 | fi 146 | 147 | if [ "$WHONIX_BUILD_ISO" = "true" ]; then 148 | ## xorriso 149 | packages_to_be_installed+=" xorriso " 150 | ## mksquashfs 151 | packages_to_be_installed+=" squashfs-tools " 152 | ## grub-mkimage 153 | packages_to_be_installed+=" grub-common " 154 | ## /usr/lib/ISOLINUX/isolinux.bin 155 | packages_to_be_installed+=" isolinux " 156 | ## /usr/lib/syslinux/modules/bios/ 157 | packages_to_be_installed+=" syslinux " 158 | ## /boot/memtest86+.bin 159 | packages_to_be_installed+=" memtest86+ " 160 | ## grub-mkimage: error: cannot open `/usr/lib/grub/x86_64-efi/moddep.lst': No such file or directory. 161 | packages_to_be_installed+=" grub-efi-amd64-bin " 162 | fi 163 | fi 164 | 165 | apt-get \ 166 | ${APTGETOPT[@]} \ 167 | -o Dir::Etc::sourcelist="$whonix_build_sources_list_primary" \ 168 | -o Dir::Etc::sourceparts="-" \ 169 | $apt_unattended_opts \ 170 | --no-install-recommends \ 171 | --yes \ 172 | install \ 173 | $packages_to_be_installed 174 | 175 | if [ "$WHONIX_BUILD_INTERNALRUN" = "1" ]; then 176 | true 177 | else 178 | if [ "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then 179 | ## VirtualBox will be be installed at this point. 180 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/vm-exists-test" 181 | fi 182 | fi 183 | 184 | ## Debugging. 185 | cat /usr/sbin/policy-rc.d || true 186 | 187 | ## Debugging. 188 | #cat /proc/devices 189 | } 190 | 191 | repo_proxy_test() { 192 | if [ "$REPO_PROXY" = "" ]; then 193 | return 0 194 | fi 195 | if [ "$REPO_PROXY" = "none" ]; then 196 | return 0 197 | fi 198 | 199 | true "INFO: Testing REPO_PROXY $REPO_PROXY (most likely apt-cacher-ng, since default)..." 200 | local curl_exit_code=0 201 | curl --fail --silent "$REPO_PROXY" || { curl_exit_code="$?" ; true; }; 202 | if [ "$curl_exit_code" = "22" ]; then 203 | true "INFO: apt-cacher-ng functional..." 204 | return 0 205 | fi 206 | 207 | true "${red}${bold}ERROR: REPO_PROXY curl curl_exit_code: $curl_exit_code. REPO_PROXY $REPO_PROXY unreachable! 
Does a local firewall blcok connections to REPO_PROXY?${reset}" 208 | error "See above!" 209 | } 210 | 211 | main() { 212 | root_check "$@" 213 | build_machine_setup "$@" 214 | repo_proxy_test "$@" 215 | } 216 | 217 | main "$@" 218 | -------------------------------------------------------------------------------- /build-steps.d/1130_cowbuilder-setup: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | ## example usage: 7 | 8 | #sudo -E make_cross_build_platform_list="armel armhf i386 amd64 arm64" ./build-steps.d/1130_cowbuilder-setup --build --allow-untagged true --allow-uncommitted true --internalrun --target root 9 | 10 | set -x 11 | set -e 12 | 13 | true "INFO: Currently running script: $BASH_SOURCE $@" 14 | 15 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 16 | 17 | cd "$MYDIR" 18 | cd .. 19 | cd help-steps 20 | 21 | ## TODO 22 | #VMNAME="internalrun" 23 | 24 | source pre 25 | source colors 26 | source variables 27 | 28 | cd "$MYDIR" 29 | cd .. 30 | 31 | cowbuilder_setup() { 32 | if cowbuilder_setup_do ; then 33 | true "$FUNCNAME: success" 34 | else 35 | true "$FUNCNAME: try again" 36 | cowbuilder_setup_do 37 | fi 38 | } 39 | 40 | cowbuilder_setup_do() { 41 | true "${bold}${green}INFO${reset}: Setting up cowbuilder..." 42 | 43 | whonix_build_sources_list_primary_contents="$(cat "$whonix_build_sources_list_primary")" 44 | export whonix_build_sources_list_primary_contents 45 | 46 | if [ "$whonix_build_unsafe_io" = "true" ]; then 47 | eatmydata_maybe_install="eatmydata" 48 | fi 49 | 50 | if ! test -f /etc/hostname ; then 51 | ## mmdebstrap requires /etc/hostname to exist. 52 | touch /etc/hostname 53 | fi 54 | 55 | if [ "$whonix_build_unsafe_io" = "true" ]; then 56 | if mount | grep /var/cache/pbuilder | grep tmpfs ; then 57 | true "INFO: /var/cache/pbuilder already tmpfs." 
58 | else 59 | mount -t tmpfs -o size=2G none /var/cache/pbuilder 60 | fi 61 | fi 62 | 63 | ## Debugging. 64 | cat "$whonix_build_pbuilder_config_file" 65 | ## Build one cowbuilder base chroot per architecture listed in make_cross_build_platform_list. 66 | for whonix_build_multiarch_package_item in $make_cross_build_platform_list ; do 67 | export whonix_build_multiarch_package_item 68 | 69 | ## TODO: change that folder 70 | cow_folder="/var/cache/pbuilder/cow.cow_${whonix_build_multiarch_package_item}" 71 | base_folder="/var/cache/pbuilder/base.cow_${whonix_build_multiarch_package_item}" 72 | ## Start from a clean state: remove a base chroot left over from an earlier run. 73 | if [ -d "$base_folder" ]; then 74 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/umount_kill.sh" "$base_folder/" 75 | rm --recursive --force "$base_folder" 76 | fi 77 | 78 | local cowbuilder_exit_code 79 | cowbuilder_exit_code=0 80 | 81 | ## '--mirror "$whonix_build_apt_sources_mirror"' should be only cosmetic, 82 | ## because of pbuilder-debootstrap-command-filter and hooks. 83 | ## 84 | ## Duplicate --extrapackages to prevent removal by pbuilder. 85 | $COWBUILDER_PREFIX \ 86 | SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH" \ 87 | cowbuilder \ 88 | --architecture "$whonix_build_multiarch_package_item" \ 89 | --configfile "$whonix_build_pbuilder_config_file" \ 90 | --create \ 91 | --basepath "$base_folder" \ 92 | --buildplace "$cow_folder" \ 93 | --distribution "$whonix_build_apt_stable_release" \ 94 | --mirror "$whonix_build_apt_sources_mirror" \ 95 | --debootstrap "$WHONIX_SOURCE_HELP_STEPS_FOLDER/pbuilder-debootstrap-command-filter" \ 96 | --hookdir "$WHONIX_SOURCE_HELP_STEPS_FOLDER/pbuilder-hooks" \ 97 | --extrapackages "sudo devscripts debhelper strip-nondeterminism fakeroot apt-transport-tor eatmydata aptitude cowdancer fasttrack-archive-keyring" \ 98 | || { cowbuilder_exit_code="$?" ; true; }; 99 | ## The exit code is captured instead of failing immediately, so umount_kill.sh still runs on the base folder before the result is checked. 100 | if [ -d "$base_folder" ]; then 101 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/umount_kill.sh" "$base_folder/" 102 | fi 103 | 104 | if [ ! 
"$cowbuilder_exit_code" = "0" ]; then 105 | return "$cowbuilder_exit_code" 106 | fi 107 | 108 | ## help-steps/pbuilder-hooks/G10sources_list_restore.bsh should have restored it already. 109 | ## `pbuilder` component `/usr/lib/pbuilder/pbuilder-createbuildenv` 110 | ## unfortunately runs function `installaptlines` after `${DEBOOTSTRAP}`, 111 | ## which uses a different sources list. This pbuilder hook script restores 112 | ## Whonix build APT sources list. 113 | true "Sanity test. Security critical. Comparing Whonix build sources list with chroot sources list." 114 | diff "$whonix_build_sources_list_primary" "$base_folder/etc/apt/sources.list" 115 | ## NOTE(review): cowbuilder_setup first invokes this function as the condition of an 'if'. Bash ignores 'set -e' for everything run inside a function called that way, so on that first attempt a mismatch reported by diff above does not stop the build and the cp below overwrites the chroot sources list. Consider making the check explicit, for example by appending '|| return 1' to the diff command. 116 | cp "$whonix_build_sources_list_primary" "$base_folder/etc/apt/sources.list" 117 | mkdir -p "$base_folder/home/$user_name" 118 | cp "$whonix_build_pbuilder_config_file" "$base_folder/home/$user_name/pbuilder_config_file" 119 | 120 | # mkdir -p "$base_folder/home/$user_name" 121 | # if [ "$base_folder/home/$user_name/genmkfile" = "/home/$user_name/genmkfile" ]; then 122 | # error "Bug! base_folder variable is probably empty!" 123 | # else 124 | # rm -r -f "$base_folder/home/$user_name/genmkfile" 125 | # fi 126 | # cp -r "$WHONIX_SOURCE_FOLDER/packages/genmkfile" "$base_folder/home/$user_name/genmkfile" 127 | # chown --recursive $user_name:$user_name "$base_folder/home/$user_name" 128 | ## Second cowbuilder pass: execute the pbuilder chroot script inside the new base chroot and keep the result (--save-after-login). 129 | cowbuilder_exit_code=0 130 | $COWBUILDER_PREFIX \ 131 | SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH" \ 132 | cowbuilder \ 133 | --architecture "$whonix_build_multiarch_package_item" \ 134 | --configfile "$whonix_build_pbuilder_config_file" \ 135 | --execute "$whonix_build_pbuilder_chroot_script" \ 136 | --basepath "$base_folder" \ 137 | --buildplace "$cow_folder" \ 138 | --save-after-login \ 139 | || { cowbuilder_exit_code="$?" ; true; }; 140 | 141 | if [ -d "$base_folder" ]; then 142 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/umount_kill.sh" "$base_folder/" 143 | fi 144 | 145 | if [ ! 
"$cowbuilder_exit_code" = "0" ]; then 146 | return "$cowbuilder_exit_code" 147 | fi 148 | done 149 | 150 | true "${bold}${green}INFO${reset}: cowbuilder setup done." 151 | } 152 | 153 | main() { 154 | if [ "$build_remote_derivative_pkgs" = "true" ]; then 155 | true "${cyan}INFO: build_remote_derivative_pkgs is set to $build_remote_derivative_pkgs, skipping cowbuilder setup.${reset}" 156 | return 0 157 | fi 158 | root_check "$@" 159 | cowbuilder_setup "$@" 160 | } 161 | 162 | main "$@" 163 | -------------------------------------------------------------------------------- /build-steps.d/1150_export-libvirt-xml: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | source pre 18 | source colors 19 | source variables 20 | 21 | export-libvirt-xml() { 22 | sudo $SUDO_OPTS mkdir --parents "$WHONIX_BINARY" 23 | 24 | sudo $SUDO_OPTS cp "$libvirt_source_kvm_file" "$libvirt_target_kvm_file" 25 | 26 | if [ "$WHONIX_BUILD_TYPE" = "kicksecure" ]; then 27 | true 28 | else 29 | sudo $SUDO_OPTS cp "$libvirt_source_network_file_external" "$libvirt_target_network_file_external" 30 | sudo $SUDO_OPTS cp "$libvirt_source_network_file_internal" "$libvirt_target_network_file_internal" 31 | fi 32 | } 33 | 34 | main() { 35 | root_check 36 | if [ "$WHONIX_BUILD_TYPE" = "whonix-host" ]; then 37 | ## There is no such file: 38 | ## /home/user/Whonix/packages/whonix-libvirt/usr/share/whonix-libvirt/xml/Whonix-Host.xml 39 | true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_TYPE is '$WHONIX_BUILD_TYPE'.${reset}" 40 | elif [ "$WHONIX_BUILD_RAW" = "true" ]; then 41 | ## Required for Linux libvirt KVM raw image builds. 
42 | ## Interest to maintain arm64 Linux libvirt KVM raw images has been 43 | ## indicated by HulaHoop until qcow2 image builds are fixed. 44 | ## XXX: Superfluous for non-libvirt raw image builds. 45 | export-libvirt-xml "$@" 46 | elif [ "$WHONIX_BUILD_QCOW2" = "true" ]; then 47 | export-libvirt-xml "$@" 48 | else 49 | true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_QCOW2 is not set to 'true'.${reset}" 50 | fi 51 | } 52 | 53 | main "$@" 54 | -------------------------------------------------------------------------------- /build-steps.d/1300_create-raw-image: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | source pre 18 | source colors 19 | source variables 20 | 21 | create-debian-raw-image() { 22 | sudo $SUDO_OPTS mkdir --parents "$WHONIX_BINARY/" 23 | 24 | if [ ! "$cached_binary_image_raw" = "" ]; then 25 | true "${cyan}$BASH_SOURCE INFO: copy and use cached_binary_image_raw '$cached_binary_image_raw'...${reset}" 26 | cp "$cached_binary_image_raw" "$binary_image_raw" 27 | true "${cyan}$BASH_SOURCE INFO: copying cached_binary_image_raw done.${reset}" 28 | return 0 29 | fi 30 | 31 | ARCH="$(uname --machine)" 32 | true "${cyan}$BASH_SOURCE INFO: Architecture $ARCH detected.${reset}" 33 | true "${cyan}INFO: BUILD_TARGET_ARCH set to: $BUILD_TARGET_ARCH${reset}" 34 | 35 | mkdir --parents "/etc/debootstrap/etc/apt/" 36 | cp "$whonix_build_sources_list_primary" "/etc/debootstrap/etc/apt/sources.list" 37 | 38 | ## Info. 
39 | true "${cyan}INFO: Using the following /etc/apt/sources.list for grml-debootstrap: ${reset}" 40 | cat "/etc/debootstrap/etc/apt/sources.list" 41 | 42 | ## TODO 43 | ## /etc/resolv.conf of host leaks into image. 44 | ## https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet 45 | ## configure_chroot_dns_servers 46 | 47 | ## {{ grml-debootstrap environment variables 48 | 49 | ## grml-debootstrap variables are documented in /etc/debootstrap/config and 50 | ## https://github.com/grml/grml-debootstrap/blob/master/config 51 | 52 | ## Using export, so grml-debootstrap can read it. 53 | 54 | [ -n "$DEBUG" ] || export DEBUG="true" 55 | 56 | ## https://github.com/grml/grml-debootstrap/issues/22 57 | ## https://github.com/grml/grml-debootstrap/pull/31 58 | [ -n "$REPORT_TRAP_ERR" ] || export REPORT_TRAP_ERR="yes" 59 | [ -n "$FAIL_TRAP_ERR" ] || export FAIL_TRAP_ERR="yes" 60 | 61 | [ -n "$DPKG_OPTIONS" ] || export DPKG_OPTIONS=${APTGETOPT[@]} 62 | 63 | ## Not using grml-debootstrap to install a kernel. 64 | [ -n "$KERNEL" ] || export KERNEL="none" 65 | 66 | ## Do not install non-Free software. 67 | [ -n "$COMPONENTS" ] || export COMPONENTS='main' 68 | 69 | ## Integrity test. 70 | [ -n "$FSCK" ] || export FSCK='yes' 71 | 72 | ## Set time zone to UTC. Not that important, we will install our own 73 | ## /etc/timezone file later anyway. Just in case. 74 | [ -n "$TIMEZONE" ] || export TIMEZONE='UTC' 75 | 76 | ## Do not clean APT cache after installation is finished to safe time. 77 | [ -n "$RM_APTCACHE" ] || export RM_APTCACHE='no' 78 | 79 | ## We do not need to upgrade the image, because when we create an image, 80 | ## we end up with the most current versions from the repository we are using 81 | ## anyway. We also do not install any other packages or use any other 82 | ## repositories, just use grml-debootstrap to create a minimal image. 
83 | ## Would be also no good idea to rely on grml-debootstrap's upgrade 84 | ## function, because grml-debootstrap does not honor our apt options. (For 85 | ## higher network timeouts, ignore valid-until, since we are building from 86 | ## the frozen snapshot.debian.org repository. See also 87 | ## buildconfig-d/30_apt.conf.) https://github.com/grml/grml-debootstrap/issues/8 88 | ## Even if we wanted to upgrade the system, we'd be better off using our own 89 | ## build-step for that. 90 | [ -n "$UPGRADE_SYSTEM" ] || export UPGRADE_SYSTEM='no' 91 | 92 | ## Use fixed disk identifier. For verifiable builds. 93 | ## grml-debootstrap sets it to: 94 | ## 26ada0c0-1165-4098-884d-aafd2220c2c6 95 | [ -n "$FIXED_DISK_IDENTIFIERS" ] || export FIXED_DISK_IDENTIFIERS='yes' 96 | 97 | ## We later install a kernel ourselves. 98 | [ -n "$NOKERNEL" ] || export NOKERNEL="true" 99 | 100 | ## Do not use /etc/network/interfaces by grml-debootstrap. 101 | [ -n "$NOINTERFACES" ] || export NOINTERFACES="true" 102 | 103 | mmdebstrap_wrapper="$WHONIX_SOURCE_FOLDER/help-steps/pbuilder-debootstrap-command-filter" 104 | 105 | if [ "$WHONIX_BUILD_FLAVOR" = "whonix-gateway-rpi" ] || [ "$BUILD_TARGET_ARCH" = "arm64" ]; then 106 | [ -n "$GRUB_INSTALL" ] || export GRUB_INSTALL='no' 107 | fi 108 | 109 | ## Currently not required. 110 | #[ -n "$DEBOOTSTRAP" ] || export DEBOOTSTRAP='qemu-debootstrap' 111 | 112 | [ -n "$DEBOOTSTRAP" ] || export DEBOOTSTRAP="$mmdebstrap_wrapper" 113 | 114 | if [ "$DEBOOTSTRAP" = "$mmdebstrap_wrapper" ]; then 115 | ## Using a sources.list probably only with mmdebstrap. 116 | [ -n "$MIRROR" ] || export MIRROR="$whonix_build_sources_list_primary" 117 | else 118 | ## qemu-debootstrap: 119 | ## - cannot be combined with mmdebstrap. 120 | ## - cannot bootstrap from multiple (regular and security) repositories 121 | ## at the same time. 
122 | ## - does not support apt sources in a sources.list file such as for example 123 | ## build_sources/debian_stable_current_clearnet.list 124 | ## (variable: whonix_build_sources_list_primary) 125 | ## but requires a apt URI such as for example. 126 | ## http://HTTPS///deb.debian.org/debian 127 | ## (variable: whonix_build_apt_sources_mirror) 128 | [ -n "$MIRROR" ] || export MIRROR="$whonix_build_apt_sources_mirror" 129 | fi 130 | 131 | ## See also /etc/debootstrap/config or 132 | ## https://github.com/grml/grml-debootstrap/blob/master/config to learn 133 | ## about other grml-debootstrap options and defaults. 134 | 135 | ## Using '--packages "$WHONIX_SOURCE_FOLDER/grml_packages"' even though 136 | ## these packages are already passed by '--depopt "--include=,[...]" to 137 | ## avoid grml-debootstrap apt-get installing its default package selection. 138 | ## (Which contains grml distribution default packages that we don't need in 139 | ## Whonix.) 140 | 141 | ## whonix_build_multiarch_package_item is read by pbuilder-debootstrap-command-filter. 
142 | 143 | $DEBOOTSTRAP_PREFIX \ 144 | SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH" \ 145 | whonix_build_multiarch_package_item="$BUILD_TARGET_ARCH" \ 146 | bash -x \ 147 | "$whonix_build_grml_bin" \ 148 | --debopt "$whonix_build_debopt" \ 149 | --arch "$BUILD_TARGET_ARCH" \ 150 | --filesystem "$whonix_build_file_system" \ 151 | --force \ 152 | --hostname "$whonix_build_hostname" \ 153 | --nopassword \ 154 | --release "$whonix_build_apt_stable_release" \ 155 | --keep_src_list \ 156 | --verbose \ 157 | --vmfile \ 158 | --vmsize "$VMSIZE" \ 159 | --packages "$WHONIX_SOURCE_FOLDER/grml_packages" \ 160 | --target "$binary_image_raw" 161 | } 162 | 163 | create-empty-raw-image() { 164 | qemu-img create -f raw "$binary_image_raw" "$VMSIZE" 165 | } 166 | 167 | permission-fix-raw-image() { 168 | chown "$user_name:$user_name" "$binary_image_raw" 169 | } 170 | 171 | main() { 172 | root_check 173 | 174 | if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then 175 | true "${green}INFO: Skipping $BASH_SOURCE, because ANON_BUILD_INSTALL_TO_ROOT is set to 1.${reset}" 176 | return 0 177 | fi 178 | 179 | if [ "$WHONIX_BUILD_TYPE" = "custom-workstation" ]; then 180 | create-empty-raw-image 181 | elif [ "$WHONIX_BUILD_TYPE" = "gateway" ]; then 182 | create-debian-raw-image 183 | elif [ "$WHONIX_BUILD_TYPE" = "workstation" ]; then 184 | create-debian-raw-image 185 | elif [ "$WHONIX_BUILD_TYPE" = "whonix-host" ]; then 186 | create-debian-raw-image 187 | elif [ "$WHONIX_BUILD_TYPE" = "kicksecure" ]; then 188 | create-debian-raw-image 189 | else 190 | error "ERROR: Invalid WHONIX_BUILD_FLAVOR $WHONIX_BUILD_FLAVOR (WHONIX_BUILD_TYPE: $WHONIX_BUILD_TYPE). Please report this bug!" 
191 | fi 192 | 193 | permission-fix-raw-image 194 | } 195 | 196 | main "$@" 197 | -------------------------------------------------------------------------------- /build-steps.d/1800_copy_vms_into_raw: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | source pre 18 | source colors 19 | source variables 20 | 21 | copy-vm-files(){ 22 | errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM 23 | 24 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/mount-raw" 25 | 26 | ## here we copy the Gateway and Workstation .qcow2 files into the host VM 27 | ## previously I ran qemu-img convert -f qcow2 -O qcow2 on the host to reduce their size 28 | ## a final, clean build step should also take care of building/extracting/shrinking these files automatically 29 | ## of course it would also use variables instead of version numbers 30 | ## we also apply correct file permissions 31 | 32 | ## 'cp --sparse=always' did not work. 33 | ## https://forums.whonix.org/t/whonix-host-operating-system/3931/202 34 | #cp --sparse=always "$copy_vms_into_raw_file_one" "$CHROOT_FOLDER/var/lib/libvirt/images/Whonix-Gateway.qcow2" 35 | #cp --sparse=always "$copy_vms_into_raw_file_two" "$CHROOT_FOLDER/var/lib/libvirt/images/Whonix-Workstation.qcow2" 36 | 37 | ## Therefore using qemu-img. 38 | qemu-img convert -f qcow2 -O qcow2 "$copy_vms_into_raw_file_one" "$CHROOT_FOLDER/var/lib/libvirt/images/Whonix-Gateway.qcow2" 39 | qemu-img convert -f qcow2 -O qcow2 "$copy_vms_into_raw_file_two" "$CHROOT_FOLDER/var/lib/libvirt/images/Whonix-Workstation.qcow2" 40 | 41 | ## TODO: qemu-img parameters? 
42 | # qemu-img \ 43 | # convert \ 44 | # -p \ 45 | # -O qcow2 \ 46 | # -o extended_l2=on \ 47 | # -o cluster_size=128k \ 48 | # -o preallocation=metadata \ 49 | # "$binary_image_raw" \ 50 | # "$binary_image_qcow2" 51 | 52 | ## Debugging. 53 | qemu-img info "$CHROOT_FOLDER/var/lib/libvirt/images/Whonix-Gateway.qcow2" 54 | qemu-img info "$CHROOT_FOLDER/var/lib/libvirt/images/Whonix-Workstation.qcow2" 55 | ## Lock down the copied images inside the chroot: drop read access for 'other' and write access for everyone. 56 | ## https://forums.whonix.org/t/whonix-host-operating-system/3931/180 57 | $CHROOT chmod --verbose --recursive o-r "/var/lib/libvirt/images/Whonix-Gateway.qcow2" 58 | $CHROOT chmod --verbose --recursive o-r "/var/lib/libvirt/images/Whonix-Workstation.qcow2" 59 | $CHROOT chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Gateway.qcow2" 60 | $CHROOT chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Workstation.qcow2" 61 | ## Hand ownership of both images to libvirt-qemu:libvirt-qemu. 62 | $CHROOT chown --verbose --recursive libvirt-qemu:libvirt-qemu "/var/lib/libvirt/images/Whonix-Gateway.qcow2" 63 | $CHROOT chown --verbose --recursive libvirt-qemu:libvirt-qemu "/var/lib/libvirt/images/Whonix-Workstation.qcow2" 64 | 65 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/unmount-raw" 66 | 67 | true 68 | } 69 | ## Entry point of this build step. 70 | main() { 71 | errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM 72 | 73 | if [ "$WHONIX_BUILD_TYPE" = "kicksecure" ]; then 74 | true "INFO: kicksecure does not copy VM images into the build, ok." 
75 | return 0 76 | fi 77 | 78 | if [ "$WHONIX_BUILD_ISO" = "true" ]; then 79 | true 80 | else 81 | true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_ISO is not set to 'true'.${reset}" 82 | exit 0 83 | fi 84 | 85 | copy-vm-files 86 | } 87 | 88 | main "$@" 89 | -------------------------------------------------------------------------------- /build-steps.d/2300_run-chroot-scripts-post-d: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | source pre 18 | source colors 19 | source variables 20 | 21 | run-chroot-scripts-post-d() { 22 | errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM 23 | 24 | sync 25 | 26 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/mount-raw 27 | 28 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/prevent-daemons-from-starting 29 | 30 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/chroot-raw 31 | 32 | sync 33 | 34 | ## Sanity tests. 35 | $CHROOT dir 36 | $CHROOT mount 37 | $CHROOT sync 38 | 39 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/create-local-temp-apt-repo 40 | 41 | sync 42 | 43 | if [ -d "$CHROOT_FOLDER/usr/libexec/initializer-dist/chroot-scripts-post.d" ]; then 44 | ## Check which chroot scripts we got. 45 | $CHROOT run-parts --verbose --test "/usr/libexec/initializer-dist/chroot-scripts-post.d/" 46 | 47 | ## Run the chroot scripts. 
48 | $CHROOT run-parts --verbose --exit-on-error "/usr/libexec/initializer-dist/chroot-scripts-post.d/" 49 | 50 | sync 51 | else 52 | true "${green}${bold}INFO: Folder /usr/libexec/initializer-dist/chroot-scripts-post.d does not exist in chroot.} 53 | Not running any chroot scripts.${reset}" 54 | fi 55 | 56 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/remove-local-temp-apt-repo 57 | 58 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/unchroot-raw 59 | 60 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/unprevent-daemons-from-starting 61 | 62 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/unmount-raw 63 | 64 | sync 65 | } 66 | 67 | main() { 68 | if [ "$WHONIX_BUILD_FAST2" = "2" ]; then 69 | echo "${bold}${cyan}INFO: run with '--fast 2' switch, skipping $BASH_SOURCE. ${reset}" 70 | exit 0 71 | fi 72 | 73 | root_check 74 | if [ "$WHONIX_BUILD_TYPE" = "gateway" ]; then 75 | run-chroot-scripts-post-d 76 | elif [ "$WHONIX_BUILD_TYPE" = "workstation" ]; then 77 | run-chroot-scripts-post-d 78 | elif [ "$WHONIX_BUILD_TYPE" = "custom-workstation" ]; then 79 | true "${cyan}INFO: Skipping running chroot-post.d scripts for $VMNAME.${reset}" 80 | elif [ "$WHONIX_BUILD_TYPE" = "whonix-host" ]; then 81 | run-chroot-scripts-post-d 82 | elif [ "$WHONIX_BUILD_TYPE" = "kicksecure" ]; then 83 | run-chroot-scripts-post-d 84 | else 85 | error "ERROR: Invalid WHONIX_BUILD_FLAVOR $WHONIX_BUILD_FLAVOR. Please report this bug!" 86 | fi 87 | } 88 | 89 | main "$@" 90 | -------------------------------------------------------------------------------- /build-steps.d/2350_zerofree-raw: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 
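cd help-steps

source pre
source colors
source variables

## Zero-fills the unused blocks of the raw image's filesystem with zerofree.
## The image is only mapped, not mounted (kpartx_only), since zerofree is run
## against the block device itself.
zerofree_raw() {
   ## Used by "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/mount-raw and "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/unmount-raw.
   export kpartx_only=true

   source "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/mount-raw
   ## provides: dev_mapper_device
   mount_raw

   zerofree -v "$dev_mapper_device"

   "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/unmount-raw
}

## Entry point: runs zerofree_raw unless the build installs to root or is a
## custom-workstation build.
main() {
   root_check
   if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then
      true "${green}INFO: Skipping $BASH_SOURCE, because ANON_BUILD_INSTALL_TO_ROOT is set to 1.${reset}"
   elif [ "$WHONIX_BUILD_TYPE" = "custom-workstation" ]; then
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_TYPE is set to $WHONIX_BUILD_TYPE.${reset}"
   else
      zerofree_raw
   fi
}

main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2375_build-arm64-fs:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## Copyright (C) 2021 Gavin Pacini
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

source pre
source colors
source variables

## Rebuilds the raw image as a GPT disk with a small EFI partition and an ext4
## root partition, copies the already built OS tree into it and installs the
## arm64 EFI GRUB from inside that tree.
##
## NOTE(review): no cleanup handler is registered in this function. If any
## command fails under 'set -e', the loop device and the mounts below stay
## attached on the build machine; confirm whether the handlers set up by
## help-steps/pre cover them.
build_arm64_fs() {
   source "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/mount-raw

   ## create a copy of the raw output,
   ## such that we can make a new one with grub on an EFI partition
   ## along with mount points
   orig_img="${binary_image_raw}.orig"
   mpoint_os="${binary_image_raw}_mpoint_os"
   mpoint_efi="${mpoint_os}/boot/efi"
   cp "$binary_image_raw" "$orig_img"

   ## provides: dev_mapper_device
   export WHONIX_BUILD_MOUNT_RAW_FILE="$orig_img"
   mount_raw

   ## creating the image
   sudo $SUDO_OPTS truncate -s "$VMSIZE" "$binary_image_raw"
   sudo $SUDO_OPTS mkdir --parents "$mpoint_os"

   ## partitioning
   ## Find a free loop device and attach the image in a single call. Asking
   ## for a free device first and attaching in a second command leaves a
   ## window in which another process can claim the same device.
   dev="$(losetup --find --show "$binary_image_raw")"
   parted -s "$dev" mklabel gpt
   parted -s "$dev" mkpart EFI fat32 1MiB 10MiB
   parted -s "$dev" set 1 boot on
   parted -s "$dev" mkpart LINUX ext4 10MiB 100%
   mkfs.vfat -n EFI "${dev}p1"
   mkfs.ext4 -F -L LINUX "${dev}p2"
   parted -s "$dev" print

   ## copying OS files
   ## NOTE(review): the '*' glob does not match dot-files directly below
   ## $CHROOT_FOLDER; confirm that none are expected there.
   mount "${dev}p2" "${mpoint_os}"
   cp -a "$CHROOT_FOLDER"/* "${mpoint_os}"
   sync

   ## setup arm64 grub on EFI partition
   mkdir --parents "$mpoint_efi"
   mount "${dev}p1" "${mpoint_efi}"

   ## Pseudo filesystems needed by grub-install and update-grub in the chroot.
   mount -t devtmpfs udev "${mpoint_os}/dev"
   mount -t devpts devpts "${mpoint_os}/dev/pts"
   mount -t proc proc "${mpoint_os}/proc"
   mount -t sysfs sysfs "${mpoint_os}/sys"
   mount -t tmpfs tmpfs "${mpoint_os}/tmp"

   chroot "$mpoint_os" grub-install --target=arm64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck --no-nvram --removable
   chroot "$mpoint_os" update-grub
   chroot "$mpoint_os" sync
   sync
   sleep 2

   ## unmount all the things
   umount "${mpoint_os}/dev/pts"
   umount "${mpoint_os}/dev"
   umount "${mpoint_os}/proc"
   umount "${mpoint_os}/sys"
   umount "${mpoint_os}/tmp"
   umount "${mpoint_efi}"
   umount "${mpoint_os}"

   losetup -d "$dev"

   rmdir "${mpoint_os}"

   export WHONIX_BUILD_MOUNT_RAW_FILE="$orig_img"
   "$WHONIX_SOURCE_HELP_STEPS_FOLDER"/unmount-raw

   ## remove the original image which did not have GRUB nor EFI partitions
   rm "$orig_img"
}

## Entry point: builds the arm64 filesystem for every arm64 flavor except
## whonix-gateway-rpi.
main() {
   root_check
   if [ "$WHONIX_BUILD_FLAVOR" != "whonix-gateway-rpi" ] && [ "$BUILD_TARGET_ARCH" = "arm64" ]; then
      build_arm64_fs
   else
      true "${green}INFO: Skipping $BASH_SOURCE, because not building standard arm64.${reset}"
   fi
}

main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2376_export-utm-packages:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## Copyright (C) 2021 Gavin Pacini
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..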
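cd help-steps

source pre
source colors
source variables

## Assembles the UTM bundle: creates <VMNAME>.utm, moves the raw image into
## its Images folder, copies the UTM config and packs the folder as tar.gz.
export_utm_packages() {
   ## create folder structure for UTM
   ## move image file
   ## copy configs
   utmfolder="${dist_binary_build_folder}/${VMNAME}.utm"
   sudo $SUDO_OPTS mkdir --parents "${utmfolder}/Images"
   mv "$binary_image_raw" "${utmfolder}/Images/${VMNAME}.raw"
   cp "$source_utm_file" "${utmfolder}/config.plist"

   ## NOTE(review): the folder is passed to tar by its full path, so the
   ## member names inside the archive carry the build machine's directory
   ## layout. If $dist_binary_build_folder is absolute (not visible here),
   ## consider 'tar -C "$dist_binary_build_folder" ... "${VMNAME}.utm"' so the
   ## published archive does not record the builder's paths - confirm what
   ## consumers of the archive expect first.
   tar -zcvSf "${dist_binary_build_folder}/${VMNAME}.utm.tar.gz" "$utmfolder"
}

## Entry point: exports the UTM package only for arm64 builds that asked for
## it through WHONIX_BUILD_UTM.
main() {
   root_check
   if [ "$WHONIX_BUILD_UTM" = "true" ] && [ "$BUILD_TARGET_ARCH" = "arm64" ]; then
      export_utm_packages
   else
      ## Fixed: the message was copied from 2375_build-arm64-fs and did not
      ## name the condition that is tested here.
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_UTM is not set to 'true' or BUILD_TARGET_ARCH is not 'arm64'.${reset}"
   fi
}

main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2400_convert-raw-to-qcow2:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

source pre
source colors
source variables

## Converts the raw image to qcow2 and prints 'qemu-img info' for the input
## and the output. Does nothing unless WHONIX_BUILD_QCOW2 is 'true' (main
## checks the same variable before calling).
convert_raw_to_qcow2() {
   if [ ! "$WHONIX_BUILD_QCOW2" = "true" ]; then
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_QCOW2 is not set to true.${reset}"
      return 0
   fi

   sudo $SUDO_OPTS mkdir --parents "${dist_binary_build_folder}"

   ## Debugging.
   sudo $SUDO_OPTS \
      qemu-img \
         info \
            "$binary_image_raw"

   ## Create qcow2 image from raw image.
   ## VMSIZE defaults to 100G as per help-steps/variables.
   sudo $SUDO_OPTS \
      qemu-img \
         convert \
            -p \
            -O qcow2 \
            -o cluster_size=2M \
            -o preallocation=metadata \
            "$binary_image_raw" \
            "$binary_image_qcow2"

   ## Debugging.
   sudo $SUDO_OPTS \
      qemu-img \
         info \
            "$binary_image_qcow2"
}

## Entry point: converts only when WHONIX_BUILD_QCOW2 is 'true'.
main() {
   root_check
   if [ "$WHONIX_BUILD_QCOW2" = "true" ]; then
      convert_raw_to_qcow2
   else
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_QCOW2 is not set to 'true'.${reset}"
   fi
}

main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2500_convert-raw-to-vdi:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

source pre
source colors
source variables

## Converts the raw image to a VirtualBox .vdi below
## "$HOMEVAR/VirtualBox VMs/$VMNAME" and compacts it, printing
## 'qemu-img info' before and after. With '--fast 1' the script exits right
## after the conversion, without compacting.
convert_raw_to_vdi() {
   sudo $SUDO_OPTS \
      mkdir --parents "$HOMEVAR/VirtualBox VMs/$VMNAME"

   ## Debugging.
   sudo $SUDO_OPTS \
      qemu-img \
         info \
            "$binary_image_raw"

   sudo $SUDO_OPTS \
      VBoxManage convertfromraw "$binary_image_raw" "$HOMEVAR/VirtualBox VMs/$VMNAME/$VMNAME.vdi"

   ## Debugging.
   sudo $SUDO_OPTS \
      qemu-img \
         info \
            "$HOMEVAR/VirtualBox VMs/$VMNAME/$VMNAME.vdi"

   if [ "$WHONIX_BUILD_FAST1" = "1" ]; then
      echo "${bold}${cyan}INFO: run with '--fast 1' switch, skipping compacting vdi. ${reset}"
      ## This ends the whole script, not just this function.
      exit 0
   else
      sudo $SUDO_OPTS \
         VBoxManage modifymedium --compact "$HOMEVAR/VirtualBox VMs/$VMNAME/$VMNAME.vdi"
   fi

   ## Debugging.
   sudo $SUDO_OPTS \
      qemu-img \
         info \
            "$HOMEVAR/VirtualBox VMs/$VMNAME/$VMNAME.vdi"
}

## Entry point: converts only when WHONIX_BUILD_VIRTUALBOX is 'true'.
main() {
   root_check
   if [ "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then
      convert_raw_to_vdi
   else
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_VIRTUALBOX is not set to 'true'.${reset}"
   fi
}

main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2550_convert-raw-to-iso:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

source pre
source colors
source variables

## Recreates the ISO staging tree below "$WHONIX_BINARY/image" and copies the
## isolinux binary and the syslinux BIOS modules from the build machine.
create_environment(){
   errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM

   ## ':?' aborts the script when WHONIX_BINARY is unset or empty, so the
   ## recursive delete can never be pointed at '/image'.
   rm --recursive --force "${WHONIX_BINARY:?}/image"

   mkdir -p "$WHONIX_BINARY/image/"{live,isolinux}
   mkdir -p "$WHONIX_BINARY/image/"{boot/isolinux,EFI/boot}
   mkdir -p "$WHONIX_BINARY/image/boot/grub"

   cp /usr/lib/ISOLINUX/isolinux.bin "$WHONIX_BINARY/image/boot/isolinux/"
   cp /usr/lib/syslinux/modules/bios/* "$WHONIX_BINARY/image/boot/isolinux/"
}

## Packs the mounted OS tree ($CHROOT_FOLDER) into the live squashfs image.
create_squashfs_ok(){
   errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM

   cd "$WHONIX_BINARY"
   sudo mksquashfs \
      "$CHROOT_FOLDER" \
      image/live/filesystem.squashfs \
      -comp xz
}

## Copies kernel, initrd, boot loader modules and boot loader configuration
## into the staging tree and builds the EFI boot image.
## Note that the syslinux modules, pci.ids and memtest come from the build
## machine, not from the image being built.
copy_files(){
   errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM

   ## we copy the kernel and the initrd
   ## better to use variables than '*'!
   ##
   ## Resolve each glob first and insist on exactly one match. With several
   ## kernels in the image a bare 'cp .../vmlinuz-* target' fails with a
   ## confusing message, and nothing guarantees that the kernel and the
   ## initrd which end up on the ISO belong together.
   local kernel_candidates initrd_candidates
   kernel_candidates=( "$CHROOT_FOLDER"/boot/vmlinuz-* )
   initrd_candidates=( "$CHROOT_FOLDER"/boot/initrd.img-* )

   if [ "${#kernel_candidates[@]}" -ne 1 ] || [ ! -f "${kernel_candidates[0]}" ]; then
      error "ERROR: Expected exactly one kernel matching $CHROOT_FOLDER/boot/vmlinuz-*, got: ${kernel_candidates[*]}"
      return 1
   fi
   if [ "${#initrd_candidates[@]}" -ne 1 ] || [ ! -f "${initrd_candidates[0]}" ]; then
      error "ERROR: Expected exactly one initrd matching $CHROOT_FOLDER/boot/initrd.img-*, got: ${initrd_candidates[*]}"
      return 1
   fi

   cp "${kernel_candidates[0]}" "$WHONIX_BINARY/image/live/vmlinuz"
   cp "${initrd_candidates[0]}" "$WHONIX_BINARY/image/live/initrd"

   cp /usr/lib/ISOLINUX/isolinux.bin "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/menu.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/hdt.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/ldlinux.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/libutil.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/libmenu.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/libcom32.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/lib/syslinux/modules/bios/libgpl.c32 "$WHONIX_BINARY/image/isolinux/"
   cp /usr/share/misc/pci.ids "$WHONIX_BINARY/image/isolinux/"
   cp /boot/memtest86+.bin "$WHONIX_BINARY/image/live/memtest"

   cp "$WHONIX_SOURCE_FOLDER/iso/grub-embedded.cfg" "$WHONIX_BINARY/image/grub-embedded.cfg"

   cd /usr/lib/grub
   grub-mkimage \
      --config "$WHONIX_BINARY/image/grub-embedded.cfg" \
      --format=x86_64-efi \
      --prefix "" \
      --output="$WHONIX_BINARY/image/EFI/boot/bootx64.efi" \
      --compression=xz \
      linux \
      normal \
      iso9660 \
      efi_uga \
      efi_gop \
      fat \
      chain \
      disk \
      exfat \
      usb \
      multiboot \
      msdospart \
      part_msdos \
      part_gpt \
      search \
      part_gpt \
      configfile \
      ext2 \
      boot

   ## The mcopy source below is relative, hence the change of directory.
   cd "$WHONIX_BINARY/image/EFI"
   dd if=/dev/zero of="$WHONIX_BINARY/image/EFI/efiboot.img" bs=1M count=100
   mkfs.vfat "$WHONIX_BINARY/image/EFI/efiboot.img"
   mmd -i "$WHONIX_BINARY/image/EFI/efiboot.img" efi efi/boot efi/boot/grub
   mcopy -i "$WHONIX_BINARY/image/EFI/efiboot.img" boot/bootx64.efi ::efi/boot/

   ## isolinux bootloader configuration
   ## here I append live-config.user-default-groups=libvirt,kvm to the boot parameter so that the Debian Live User is only a member of libvirt and kvm groups
   ## (default is: audio cdrom dip floppy video plugdev netdev powerdev scanner bluetooth)
   ## in a previous version I also appended other boot parameters used in the default hardened debian VM live-mode, except 'plainboot'
   ## parameter which prevented from mounting the filesystem (slab_nomerge slab_debug=FZP page_poison=1 mce=0 boot=live
   ## union=overlay ip=frommedia noeject nopersistence). I have removed them for the time being since at least one of them
   ## prevented the install target to be bootable. Needs more testing.

   cp "$WHONIX_SOURCE_FOLDER/iso/isolinux.cfg" "$WHONIX_BINARY/image/boot/isolinux/isolinux.cfg"
   cp "$WHONIX_SOURCE_FOLDER/iso/grub.cfg" "$WHONIX_BINARY/image/boot/grub/grub.cfg"
}

## Builds the hybrid BIOS/EFI ISO from the staging tree with xorriso.
create_iso(){
   errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM

   xorriso \
      -as mkisofs \
      -iso-level 3 \
      -full-iso9660-filenames \
      -volid "Whonix Desktop Live" \
      -isohybrid-mbr /usr/lib/ISOLINUX/isohdpfx.bin \
      -eltorito-boot \
      boot/isolinux/isolinux.bin \
      -no-emul-boot -boot-load-size 4 -boot-info-table \
      --eltorito-catalog boot/isolinux/isolinux.cat \
      -eltorito-alt-boot \
      -e EFI/efiboot.img \
      -no-emul-boot -isohybrid-gpt-basdat \
      -output "$binary_image_iso" \
      "$WHONIX_BINARY/image"
}

## Entry point: exits 0 unless WHONIX_BUILD_ISO is 'true'; otherwise mounts
## the raw image, runs the four stages above in order and unmounts again.
main() {
   errorhandlersetup "errorhandlerunchrootunpreventunmount" ERR INT TERM

   if [ "$WHONIX_BUILD_ISO" = "true" ]; then
      true
   else
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_ISO is not set to 'true'.${reset}"
      exit 0
   fi

   "$WHONIX_SOURCE_HELP_STEPS_FOLDER/mount-raw"
   create_environment
   create_squashfs_ok
   copy_files
   create_iso
   "$WHONIX_SOURCE_HELP_STEPS_FOLDER/unmount-raw"
}

main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2700_create-vm-text:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

source pre
source colors
source variables

## Text blocks that create-vm-text combines into the VM description.
msg_graphical_gateway_low_ram="\
########################
## GATEWAY - LOW RAM? ##
########################

If your computer has 2GB or less RAM, set the RAM for Whonix-Gateway to 256MB to automatically boot into a command-line environment. The Gateway will work normally, and you can configure it via the command-line. If you need a graphical environment, temporarily increase RAM to 512MB to boot to a desktop."

msg_whonix_security_advice="\
#####################
## SECURITY ADVICE ##
#####################

Whonix with its default settings may provide better protection than Tor alone. You can make it even more secure. It is recommended to read our documentation:
https://www.whonix.org/wiki/Documentation"

msg_whonix_disclaimer="\
################
## DISCLAIMER ##
################

There is no magic pill for anonymity. The more you learn about Whonix, Tor, and threats to your privacy, the safer you can become.

Whonix is produced independently from the Tor (R) anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

Whonix is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix is a research project."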
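## Notice placed at the top of every Workstation description.
msg_whonix_workstation_requires_whonix_gateway="\
# For internet access, Whonix-Workstation requires that Whonix-Gateway be running. #"

msg_whonix_workstation_low_ram="\
##########################
## WORKSTATION LOW RAM? ##
##########################

If your computer has less than 2GB RAM, you can lower the RAM for Whonix-Workstation to 512MB. Performance will suffer, but an advanced user can install a lighter desktop environment. Setting RAM to less than 512MB will boot to a command-line environment."

## Picks the text blocks that fit the build flavor / build type and writes
## the result to "$binary_image_text".
## The two CLI flavors are matched first, so they win over the generic
## gateway / workstation types further down.
create-vm-text() {
   local TEXT

   if [ "$WHONIX_BUILD_FLAVOR" = "whonix-gateway-cli" ]; then
      TEXT="\
$msg_whonix_security_advice

$msg_whonix_disclaimer"
   elif [ "$WHONIX_BUILD_FLAVOR" = "whonix-workstation-cli" ]; then
      TEXT="\
$msg_whonix_workstation_requires_whonix_gateway

$msg_whonix_security_advice

$msg_whonix_disclaimer"
   elif [ "$WHONIX_BUILD_TYPE" = "gateway" ]; then
      TEXT="\
$msg_graphical_gateway_low_ram

$msg_whonix_security_advice

$msg_whonix_disclaimer"
   elif [ "$WHONIX_BUILD_TYPE" = "workstation" ]; then
      TEXT="\
$msg_whonix_workstation_requires_whonix_gateway

$msg_whonix_workstation_low_ram

$msg_whonix_security_advice

$msg_whonix_disclaimer"
   elif [ "$WHONIX_BUILD_TYPE" = "custom-workstation" ]; then
      TEXT="\
$msg_whonix_workstation_requires_whonix_gateway

$msg_whonix_security_advice

$msg_whonix_disclaimer"
   elif [ "$WHONIX_BUILD_TYPE" = "whonix-host" ]; then
      ## Placeholder: the literal string 'TODO' is what gets written.
      TEXT="TODO"
   elif [ "$WHONIX_BUILD_TYPE" = "kicksecure" ]; then
      ## Placeholder: the literal string 'TODO' is what gets written.
      TEXT="TODO"
   else
      ## Fixed: the branches above test WHONIX_BUILD_FLAVOR and
      ## WHONIX_BUILD_TYPE, not VMNAME, so the message now names those.
      local MSG="${bold}${red}$BASH_SOURCE ERROR: Unsupported WHONIX_BUILD_TYPE '$WHONIX_BUILD_TYPE' (WHONIX_BUILD_FLAVOR '$WHONIX_BUILD_FLAVOR'). Please report this bug! ${reset}"
      error "$MSG"
   fi

   ## tee runs under sudo so the file is written with elevated rights; its
   ## copy to stdout is discarded.
   echo "$TEXT" | sudo $SUDO_OPTS tee "$binary_image_text" >/dev/null
}

## Entry point: writes the text only for VirtualBox builds.
main() {
   root_check
   if [ "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then
      create-vm-text
   else
      true "${green}INFO: Skipping $BASH_SOURCE, because WHONIX_BUILD_VIRTUALBOX is not set to 'true'.${reset}"
   fi
}

true "${bold}${under}INFO: Currently running script: $0 "$@"${reset}"
main "$@"

--------------------------------------------------------------------------------
/build-steps.d/2800_create-report:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

cd "$MYDIR"
cd ..
cd help-steps

source pre
source colors
source variables

## Runs help-steps/analyze_image on one build artifact.
##   $1  target kind; it is passed on as the option name '--<target>' and
##       becomes part of the report file name
##   $2  path of the image (or '/') to analyze
## The report header records the git head, changelog version and build
## version of this build.
analyze_target() {
   local target image_to_analyze
   target="$1"
   image_to_analyze="$2"

   local topcomment
   topcomment="\
INFO: This is an auto-generated file.
See https://www.whonix.org/wiki/Verifiable_Builds
and https://www.whonix.org/wiki/Trust
to learn what this is about.
whonix_build_current_git_head: $whonix_build_current_git_head
whonix_build_new_changelog_version: $whonix_build_new_changelog_version
dist_build_version: $dist_build_version
ANON_BUILD_INSTALL_TO_ROOT: $ANON_BUILD_INSTALL_TO_ROOT"

   local endcomment
   endcomment="INFO: End."

   local errorcomment
   errorcomment="ERROR: Unfinished report! Error detected!"

   true "${cyan}INFO: analyzing $target... ${reset}"

   ## Both variables are declared 'local' in main, so these assignments do
   ## not leak into the global scope.
   report_file="$WHONIX_BINARY/$VMNAME-$dist_build_version.$target.report"
   report_tempfolder="$WHONIX_BINARY/$VMNAME-${dist_build_version}_report_${target}_tempfolder"

   ## $minimal_report_maybe is left unquoted; presumably so that an empty
   ## value disappears from the argument list - verify where it is set.
   "$WHONIX_SOURCE_HELP_STEPS_FOLDER/analyze_image" \
      $minimal_report_maybe \
      --topcomment "$topcomment" \
      --endcomment "$endcomment" \
      --errorcomment "$errorcomment" \
      --report "$report_file" \
      --tempfolder "$report_tempfolder" \
      "--$target" "$image_to_analyze"

   true "${cyan}INFO: Done, analyzed $target. ${reset}"
}

## Entry point: creates one report per enabled output format. Report
## creation for ISO builds is not implemented and ends in an error.
main() {
   root_check

   ## NOTE(review): 2300_run-chroot-scripts-post-d compares
   ## WHONIX_BUILD_FAST2 against "2" for the same '--fast 2' message; confirm
   ## which value help-steps/parse-cmd actually exports.
   if [ "$WHONIX_BUILD_FAST2" = "1" ]; then
      echo "${bold}${cyan}INFO: run with '--fast 2' switch, skipping $BASH_SOURCE. ${reset}"
      exit 0
   fi

   if [ ! "$whonix_build_script_create_report" = "true" ]; then
      true "${bold}${cyan}INFO: run without --report true, skipping, ok. ${reset}"
      exit 0
   fi

   local report_file report_tempfolder

   if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then
      analyze_target "root" "/"
   fi

   if [ "$WHONIX_BUILD_RAW" = "true" ]; then
      analyze_target "raw" "$binary_image_raw"
   fi

   if [ "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then
      analyze_target "ova" "$binary_image_ova"
   fi

   if [ "$WHONIX_BUILD_QCOW2" = "true" ]; then
      analyze_target "qcow2" "$binary_image_qcow2"
   fi

   if [ "$WHONIX_BUILD_ISO" = "true" ]; then
      error "Not implemented!"
   fi
}

main "$@"

--------------------------------------------------------------------------------
/build_sources/debian_buster_backport_virtualbox_org.list:
--------------------------------------------------------------------------------
## Copyright (C) 2020 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.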
3 | 4 | ## https://www.virtualbox.org/wiki/Linux_Downloads 5 | ## https://www.whonix.org/wiki/VirtualBox/Other_Versions#Install_from_Oracle_Repository 6 | ## https://forums.whonix.org/t/missing-dependencies-on-buster-for-virtualbox-6-1-6/9634 7 | 8 | ## There is no buster repository yet. Upstream bug report: 9 | ## add Debian 11 / bullseye to Linux Downloads / APT repository 10 | ## https://www.virtualbox.org/ticket/20475 11 | 12 | deb http://HTTPS///download.virtualbox.org/virtualbox/debian buster contrib 13 | -------------------------------------------------------------------------------- /build_sources/debian_sid_current_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 10 | 11 | ## Added deb-src so source package can also be downloaded. 12 | 13 | deb http://HTTPS///deb.debian.org/debian sid main contrib non-free 14 | deb-src http://HTTPS///deb.debian.org/debian sid main contrib non-free 15 | -------------------------------------------------------------------------------- /build_sources/debian_stable_current_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. 
See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 10 | 11 | ## Added deb-src so source package can also be downloaded. 12 | 13 | deb http://HTTPS///deb.debian.org/debian-security bullseye-security main contrib non-free 14 | deb-src http://HTTPS///deb.debian.org/debian-security bullseye-security main contrib non-free 15 | 16 | deb http://HTTPS///deb.debian.org/debian bullseye-updates main contrib non-free 17 | deb-src http://HTTPS///deb.debian.org/debian bullseye-updates main contrib non-free 18 | 19 | deb http://HTTPS///deb.debian.org/debian bullseye-backports main contrib non-free 20 | deb-src http://HTTPS///deb.debian.org/debian bullseye-backports main contrib non-free 21 | 22 | deb http://HTTPS///fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free 23 | deb-src http://HTTPS///fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free 24 | 25 | deb http://HTTPS///deb.debian.org/debian bullseye main contrib non-free 26 | deb-src http://HTTPS///deb.debian.org/debian bullseye main contrib non-free 27 | 28 | ## Last entry must be a "good" one since whonix_build_apt_stable_release is set 29 | ## from last line starting with 'deb'. Should be "bullseye" (stable) and not 30 | ## backports or something else. 31 | -------------------------------------------------------------------------------- /build_sources/debian_stable_current_onion.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 

## Added deb-src so source package can also be downloaded.

deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free
deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-updates main contrib non-free

## NOTE(review): the next two entries point at deb.debian.org, i.e. clearnet,
## inside the onion list. Confirm this is intended; a build that is meant to
## fetch over onion services only would still contact the clearnet mirror.
deb http://HTTPS///deb.debian.org/debian bullseye-backports main contrib non-free
deb-src http://HTTPS///deb.debian.org/debian bullseye-backports main contrib non-free

## NOTE(review): unlike every other .onion entry in this file, the next two
## use plain 'http://' without the 'tor+' prefix. This looks like an
## omission - verify.
deb http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free
deb-src http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye-backports main contrib non-free

## No onion for fasttrack yet:
## https://salsa.debian.org/fasttrack-team/support/-/issues/27
#deb http://HTTPS///fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free
#deb-src http://HTTPS///fasttrack.debian.net/debian bullseye-fasttrack main contrib non-free

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free

## Last entry must be a "good" one since whonix_build_apt_stable_release is set
## from last line starting with 'deb'. Should be "bullseye" (stable) and not
## backports or something else.

--------------------------------------------------------------------------------
/build_sources/debian_stable_frozen_clearnet.list:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## Using specific codenames (for example: "bullseye") rather than generic code
## names (for example: "stable") because grml-debootstrap did not support
## generic code names for --release. See also:
## github.com/grml/grml-debootstrap/issues/37

## Using contrib, because it contains virtualbox-guest-x11.

## Using http://snapshot.debian.org/ to create verifiable builds.
##
## 1. Go to for example:
##    - http://snapshot.debian.org/archive/debian-security/
##    - http://snapshot.debian.org/archive/debian/
## 2. Then for example click on 2013 09
##    - http://snapshot.debian.org/archive/debian-security/?year=2013&month=10
##    - http://snapshot.debian.org/archive/debian/?year=2013&month=10
## 3. Scroll down and for example click on 2013-09-19 21:48:59
##    - http://snapshot.debian.org/archive/debian-security/20130919T215514Z/
##    - http://snapshot.debian.org/archive/debian/20130919T214859Z/
## 4. See note above!
##    - See note above!
##    - See note above!

## NOTE(review): the snapshot timestamps below are from 2015, which predates
## the bullseye suite they are paired with - presumably left over from an
## earlier release. Pick timestamps that actually carry bullseye before
## relying on this list for a verifiable build.
## NOTE(review): these entries use plain http://, while the 'current' lists
## use the http://HTTPS/// form. APT still checks the signed Release file,
## but confirm the transport choice is deliberate. APT may also reject old
## snapshot Release files as expired unless the validity check
## (Acquire::Check-Valid-Until) is relaxed for this source - verify how the
## build handles that.
deb http://snapshot.debian.org/archive/debian-security/20150609T203313Z/ bullseye-security main contrib non-free
deb http://snapshot.debian.org/archive/debian/20150610T104057Z/ bullseye main contrib non-free

## We currently do not need any source packages for building Whonix.
3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 10 | 11 | ## Using http://snapshot.debian.org/ to create verifiable builds. 12 | ## 13 | ## 1. Go to for example: 14 | ## - http://snapshot.debian.org/archive/debian-security/ 15 | ## - http://snapshot.debian.org/archive/debian/ 16 | ## 2. Then for example click on 2013 09 17 | ## - http://snapshot.debian.org/archive/debian-security/?year=2013&month=10 18 | ## - http://snapshot.debian.org/archive/debian/?year=2013&month=10 19 | ## 3. Scroll down and for example click on 2013-09-19 21:48:59 20 | ## - http://snapshot.debian.org/archive/debian-security/20130919T215514Z/ 21 | ## - http://snapshot.debian.org/archive/debian/20130919T214859Z/ 22 | ## 4. See note above! 23 | ## - See note above! 24 | ## - See note above! 25 | 26 | ## TODO 27 | #deb http://snapshot.debian.org/archive/debian-security/20150609T203313Z/ bullseye-security main contrib 28 | #deb http://snapshot.debian.org/archive/debian/20150610T104057Z/ bullseye main contrib 29 | 30 | ## We currently do not need any source packages for building Whonix. 31 | -------------------------------------------------------------------------------- /build_sources/debian_testing_current_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. 
See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 10 | 11 | ## Added deb-src so source package can also be downloaded. 12 | 13 | deb http://HTTPS///deb.debian.org/debian-security/ bullseye-security main contrib non-free 14 | deb-src http://HTTPS///deb.debian.org/debian-security/ bullseye-security main contrib non-free 15 | 16 | deb http://HTTPS///deb.debian.org/debian bullseye main contrib non-free 17 | deb-src http://HTTPS///deb.debian.org/debian bullseye main contrib non-free 18 | -------------------------------------------------------------------------------- /build_sources/debian_testing_current_onion.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 10 | 11 | ## Added deb-src so source package can also be downloaded. 
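## Main archive, reached through its onion service (apt-transport-tor).
## The suite is plain "bullseye", matching the clearnet list. "bullseye/updates"
## is not a suite of the main archive under /debian, so the previous entries
## could not be fetched.
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free
deb-src tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main contrib non-free

## Security archive.
## NOTE(review): buildconfig.d/30_apt_sources.conf derives the release codename
## from the LAST deb/deb-src line of a list. Here that is the security entry
## ("bullseye-security"), while in the clearnet list it is the main archive
## entry ("bullseye") - confirm which one the build expects.
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free
deb-src tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bullseye-security main contrib non-free

--------------------------------------------------------------------------------
/build_sources/debian_testing_frozen_clearnet.list:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## Using specific codenames (for example: "bullseye") rather than generic code
## names (for example: "stable") because grml-debootstrap did not support
## generic code names for --release. See also:
## github.com/grml/grml-debootstrap/issues/37

## Using contrib, because it contains virtualbox-guest-x11.

## Using http://snapshot.debian.org/ to create verifiable builds.
##
## 1. Go to for example:
##    - http://snapshot.debian.org/archive/debian-security/
##    - http://snapshot.debian.org/archive/debian/
## 2. Then for example click on 2013 09
##    - http://snapshot.debian.org/archive/debian-security/?year=2013&month=10
##    - http://snapshot.debian.org/archive/debian/?year=2013&month=10
## 3. Scroll down and for example click on 2013-09-19 21:48:59
##    - http://snapshot.debian.org/archive/debian-security/20130919T215514Z/
##    - http://snapshot.debian.org/archive/debian/20130919T214859Z/
## 4. See note above!
##    - See note above!
##    - See note above!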
25 | deb http://snapshot.debian.org/archive/debian-security/20150609T203313Z/ bullseye-security main contrib non-free 26 | deb http://snapshot.debian.org/archive/debian/20150610T104057Z/ bullseye main contrib non-free 27 | 28 | ## We currently do not need any source packages for building Whonix. 29 | -------------------------------------------------------------------------------- /build_sources/debian_testing_frozen_onion.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Using specific codenames (for example: "bullseye") rather than generic code 5 | ## names (for example: "stable") because grml-debootstrap did not support 6 | ## generic code names for --release. See also: 7 | ## github.com/grml/grml-debootstrap/issues/37 8 | 9 | ## Using contrib, because it contains virtualbox-guest-x11. 10 | 11 | ## Using http://snapshot.debian.org/ to create verifiable builds. 12 | ## 13 | ## 1. Go to for example: 14 | ## - http://snapshot.debian.org/archive/debian-security/ 15 | ## - http://snapshot.debian.org/archive/debian/ 16 | ## 2. Then for example click on 2013 09 17 | ## - http://snapshot.debian.org/archive/debian-security/?year=2013&month=10 18 | ## - http://snapshot.debian.org/archive/debian/?year=2013&month=10 19 | ## 3. Scroll down and for example click on 2013-09-19 21:48:59 20 | ## - http://snapshot.debian.org/archive/debian-security/20130919T215514Z/ 21 | ## - http://snapshot.debian.org/archive/debian/20130919T214859Z/ 22 | ## 4. See note above! 23 | ## - See note above! 24 | ## - See note above! 25 | 26 | ## TODO 27 | #deb http://snapshot.debian.org/archive/debian-security/20150609T203313Z/ bullseye-security main contrib 28 | #deb http://snapshot.debian.org/archive/debian/20150610T104057Z/ bullseye main contrib 29 | 30 | ## We currently do not need any source packages for building Whonix. 
31 | -------------------------------------------------------------------------------- /build_sources/oracle_vbox_2016.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1.4.12 (GNU/Linux) 3 | 4 | mQINBFcZ9OEBEACSvycoAEIKJnyyIpZ9cZLCWa+rHjXJzPymndnPOwZr9lksZVYs 5 | 12YnsEy7Uj48rTB6mipbIuDDH9VBybJzpu3YjY7PFTkYAeW6WAPeJ8RcSGXsDvc0 6 | fQ8c+7/2V1bpNofc9vDSdvcM/U8ULQcNeEa6DI4/wgy2sWLXpi1DYhuUOSU10I97 7 | KHPwmpWQPsLtLHEeodeOTvnmSvLX1RRl32TPFLpLdjTpkEGS7XrOEXelqzMBQXau 8 | VUwanUzQ2VkzKnh4WecmKFT7iekOFVHiW0355ErL2RZvEDfjMjeIOOa/lPmW7y4F 9 | fHMU3a3sT3EzpD9ST/JGhrmaZ+r5yQD4s4hn1FheYFUtUN0dqHe9KgPDecUGgh4w 10 | rGnm0nUQsmQLKGSFXskqt26IiERdRt1eXpR9C5yufCVZfYpSsoG/mIHAt9opXFqi 11 | ryJqzx5pfQkOLTz9WErThHK1399jyXJwYGKLyddHFQEdy3u3ELM8Kfp7SZD/ERVq 12 | t2oA8jsr24IOyL16cydzfSP2kAV1r30bsF/1Q4qq6ii/KfDLaI0KEliBLQuB9jrA 13 | 6XQ69VLtkNPgiWzVMclg+qW1pA8ptXqXLMxi4h5EmE5GOhsihuwkwhhBmFqGT1RJ 14 | EGlc/uiHWQskOW3nhQ3Epd6xhCUImy8Eu83YRxS6QriH6K8z5LgRSdg9nwARAQAB 15 | tElPcmFjbGUgQ29ycG9yYXRpb24gKFZpcnR1YWxCb3ggYXJjaGl2ZSBzaWduaW5n 16 | IGtleSkgPGluZm9AdmlydHVhbGJveC5vcmc+iQI3BBMBCgAhBQJXGfThAhsDBQsJ 17 | CAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJEKL2g8UpgK7P49QP/39dH+lFqlD9ruCV 18 | apBKVPmWTiwWbqmjxAV35PzG9reO7zHeZHil7vQ6UCb6FGMgZaYzcj4Sl9xVxfbH 19 | Zk7lMgyLDuNMTTG4c6WUxQV9UH4i75E1IBm9lOJw64bpbpfEezUF/60PAFIiFBvD 20 | 34qUAoVKe49PbvuTy98er5Kw6Kea880emWxU6I1Q1ZA80+o2dFEEtQc+KCgfWFgd 21 | O757WrqbTj6gjQjBAD5B4z5SwBYMg1/TiAYF0oa+a32LNhQIza/5H3Y+ufMfO3tY 22 | B/z1jLj8ee5lhjrv0jWvvfUUeIlq5pNoOmtNYFS+TdkO0rsqEC6AD0JRTKsRHOBu 23 | eSj7SLt8gmqy7eEzRCMlYIvoQEzt0/JuTQNJjHCuxH1scV13Q3bK6SmxqlY46tf5 24 | Ljni9Z4lLJ7MB1BF2MkHuwQ7OcaEgUQBZSudzPkpRnY0AktiQYYP4Q1uDp+vfvFp 25 | GTkY1pqz3z2XD66fLz0ea5WIBBb3X/uq9zdHu8BTwDCiZlWLaDR5eQoZWWe+u+5J 26 | NUx1wcBpC1Hr2AnmuXBCRq+bzd8iaB8qxWfpCAFZBksSIW2aGhigSeYdx1jpjOob 27 | xog4qbuo5w1IUh8YLHwQ6uM12CqwC1nZadLxG0Fj4KoYbvp0T5ryBM3XD+TVGjKB 28 | 
m/QHLqabxZBbuJT0Cw2dRtW/ty5ZuQINBFcZ9OEBEADEY+YveerQjzzy5nA1FjQG 29 | XSaPcjy4JlloRxrUyqlATA0AIuK7cwc7PVrpstV8mR9qb38fdeIoY1z1dD3wnQzJ 30 | lbDfZhS5nGMzk9AANd6eJ2KcWI3qLeB//4fr2pPS0piOG4qyW4IhY4KeuCwusE6d 31 | IyDBg2XEdpG1IesSDaqNsvLZjPFEBNiCIkqrC7XSmoPNwHkKGj5LeD1wAE914cn2 32 | a04IlbXiT46V9jjJFnNem/Co0u+2e2J3oReNmHvbb62OC57rqeBxqBplXg9tvJk/ 33 | w0A3bXxUrfz83tY6vDYoFdwJDudaJJWQjvqpYnySXMJYT6KoE4Xgl5fNcbNIVUpU 34 | k74BcWD9PZVadSMN7FWZzMfVsbTMmUA22tuDKD6hrF6ysCelex4YO44kSH7dhXu5 35 | ANtZ2BFfRZvdjTQoblOI8C9cy/iX74vvG8OZarFG+u/kon3+xcAgY5KceUVbostO 36 | 0n3V8iK0gMQWH8sR8vXH+oV4GqHUEQURax2XM2Tt7Ra5XGcQaYDIkNPKSVVVtTk5 37 | 3OU/bNoBofAbwd4eOZOf9ag5ZVIIaoubMOEiveGYde4AEVE7krSNcYh/C48iCVKr 38 | eOyS26AVA15dAvnKTAqxJqICUSQ9zjGfTp1obhXCkMAy0m+AxNVEfSzFznQLHtWK 39 | zEGr+zCsvj1R8/qlMpHBXQARAQABiQIfBBgBCgAJBQJXGfThAhsMAAoJEKL2g8Up 40 | gK7PKpQP+wY9zLgnJeqrvNowmd70afd8SVge9BvhLh60cdG+piM5ZuEV5ZmfTFoX 41 | XPHzOo2dgt6VYTE9JO72Jv7MyzJj3zw3G/IcJQ6VuQwzfKkFTD+IeOiXX2I2lX1y 42 | nFv24rs1MTZ4Px1NJai7fdyXLiCl3ToYBmLafFpfbsVEwJ8U9bCDrHE4KTVc9IXO 43 | KQ5/86JaIPN+JJLHJoO2EBQC08Cw3oxTDFVcWZ/IWvEFeqyqRSyoFMoDkjLYsqHS 44 | we1kEoMmM2qN20otpKYq8R+bIEI5KKuJvAts/1xKE2cHeRvwl5kcFw/S3QQjKj+b 45 | LCVTSRZ6EgcDDmsAPKt7o01wmu+P3IjDoiyMZJQZpZIA2pYDxruY+OLXpcmw78Gq 46 | lTXb4Q9Vf47sAE8HmHfkh/wrdDeEiY9TQErzCBCufYbQj7sgttGoxAt12N+pUepM 47 | MBceAsnqkF6aEa4n8dUTdS2/nijnyUZ2rDVzikmKc0JlrZEKaw8orDzg8fXzfHIc 48 | pTrXCmFLX5BzNQ4ezAlw0NZG/qvhSBCuAkFiibfQUal8KLYwswvGJFghuQHsVTkf 49 | gF8Op7Br7loTNnp3yiI0jo2D+7DBFqtiSHCq1fIgktmKQoVLCfd3wlBJ/o9cguT4 50 | Y3B83Y34PxuSIq2kokIGo8JhqfqPB/ohtTLHg/o9RhP8xmfvALRD 51 | =Rv7/ 52 | -----END PGP PUBLIC KEY BLOCK----- 53 | -------------------------------------------------------------------------------- /build_sources/torproject_stable_current_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 
3 | 4 | ## Added deb-src so source package can also be downloaded. 5 | 6 | deb http://HTTPS///deb.torproject.org/torproject.org bullseye main 7 | deb-src http://HTTPS///deb.torproject.org/torproject.org bullseye main 8 | -------------------------------------------------------------------------------- /build_sources/torproject_stable_current_onion.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Added deb-src so source package can also be downloaded. 5 | 6 | deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main 7 | deb-src tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main 8 | -------------------------------------------------------------------------------- /build_sources/torproject_testing_current_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Added deb-src so source package can also be downloaded. 5 | 6 | deb http://HTTPS///deb.torproject.org/torproject.org bullseye main 7 | deb-src http://HTTPS///deb.torproject.org/torproject.org bullseye main 8 | -------------------------------------------------------------------------------- /build_sources/torproject_testing_current_onion.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Added deb-src so source package can also be downloaded. 
5 | 6 | deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main 7 | deb-src tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main 8 | -------------------------------------------------------------------------------- /build_sources/ubuntu_bionic_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe 5 | deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-security main universe 6 | 7 | deb http://us.archive.ubuntu.com/ubuntu/ bionic main universe 8 | deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main universe 9 | -------------------------------------------------------------------------------- /build_sources/ubuntu_xenial_clearnet.list: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main universe 5 | deb-src http://us.archive.ubuntu.com/ubuntu/ xenial-security main universe 6 | 7 | deb http://us.archive.ubuntu.com/ubuntu/ xenial main universe 8 | deb-src http://us.archive.ubuntu.com/ubuntu/ xenial main universe 9 | -------------------------------------------------------------------------------- /buildconfig.d/30_apt_opts.conf: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 
## apt-get options shared by the build steps. Every option is registered twice:
## once as a command line switch (aptgetopt_add) and once as an apt.conf style
## entry (aptgetopt_conf_add). Both helpers are defined outside this file.

## Make "apt-get update" fail on any error instead of only warning.
## The command line spelling was rejected by apt-get on bullseye:
##   apt-get --error-on=any install
##   E: Command line option --error-on=any is not understood in combination with the other options
## https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
aptgetopt_add "-o APT::Update::Error-Mode=any"
aptgetopt_conf_add "APT::Update::Error-Mode any;"

## {{ apt_sourcelist_empty apt_sourceparts

## The short option -o is used rather than --option, because aptitude (used by
## grml-debootstrap) does not support the long form.

## EMPTY_DIR comes from the help-steps/variables script and defaults to
## /tmp/empty. Exported so chroot-scripts-post.d can read it.
## You can leave it as is.
## Presumably this keeps apt from reading the build machine's own
## sources.list - verify against the callers.
[ -n "$apt_sourcelist_empty" ] || {
   apt_sourcelist_empty=" -o Dir::Etc::sourcelist=$EMPTY_DIR "
   export apt_sourcelist_empty
}

## WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER comes from the help-steps/variables
## script as well. You can leave it as is.
[ -n "$apt_sourceparts" ] || {
   apt_sourceparts=" -o Dir::Etc::sourceparts=$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER "
   export apt_sourceparts
}

## }}

## {{ apt performance opts

## Skip the Translation and Contents index files.
## They are not needed and would be thrown away later anyway.
aptgetopt_add "-o Acquire::Languages=none"
aptgetopt_conf_add "Acquire::Languages none;"

aptgetopt_add "-o Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled=false"
aptgetopt_conf_add "Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled false;"

## }}

## {{ apt essential configuration

## Same effect as --no-install-recommends.
aptgetopt_add "-o Apt::Install-Recommends=false"
aptgetopt_conf_add "Apt::Install-Recommends false;"

## }}

## {{ apt_timeout_opts

aptgetopt_add "-o Acquire::Retries=3"
aptgetopt_conf_add "Acquire::Retries 3;"

## }}

## {{ unattended options

## Defaults for a non-interactive run. A value already set by the caller wins.
if [ -z "$DEBIAN_FRONTEND" ]; then
   DEBIAN_FRONTEND="noninteractive"
fi
if [ -z "$DEBIAN_PRIORITY" ]; then
   DEBIAN_PRIORITY="critical"
fi
if [ -z "$DEBCONF_NOWARNINGS" ]; then
   DEBCONF_NOWARNINGS="yes"
fi
if [ -z "$APT_LISTCHANGES_FRONTEND" ]; then
   APT_LISTCHANGES_FRONTEND="text"
fi
export DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND

## --force-confnew makes dpkg install the packaged version of a changed
## configuration file without asking, so local edits to conffiles are replaced.
aptgetopt_add "-o Dpkg::Options::=--force-confnew"
## forgetting "--" can break aptitude
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=95043
aptgetopt_conf_add "Dpkg::Options --force-confnew;"

## }}

--------------------------------------------------------------------------------
/buildconfig.d/30_apt_sources.conf:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.
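## Selects the APT sources lists for this build and derives from them:
##   whonix_build_apt_stable_release          codename of the primary list
##   whonix_build_apt_sources_mirror          mirror URI handed to debootstrap
##   whonix_build_apt_newer_release_codename  codename of the "newer" list
## Every variable is only filled in when it is still empty, so a value set by
## the caller or by an earlier build config file is kept.
##
## Most sources referenced here use plain http (directly, through
## apt-cacher-ng's http://HTTPS/// notation, or through tor+http). Package
## integrity therefore rests on apt's signature verification, not on the
## transport.

true "whonix_build_on_operating_system: $whonix_build_on_operating_system"

if [ "$whonix_build_sources_list_newer" = "" ]; then
   if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
      whonix_build_sources_list_newer="$WHONIX_SOURCE_FOLDER/build_sources/debian_testing_current_clearnet.list"
   else
      whonix_build_sources_list_newer="$WHONIX_SOURCE_FOLDER/build_sources/debian_testing_current_onion.list"
   fi
fi
if [ "$whonix_build_sources_list_primary" = "" ]; then
   if [ "$BUILD_RELEASE" = "xenial" ]; then
      if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
         whonix_build_sources_list_primary="$WHONIX_SOURCE_FOLDER/build_sources/ubuntu_xenial_clearnet.list"
      else
         ## Only a clearnet list exists for this release.
         ## NOTE(review): the message prints the literal text BUILD_RELEASE,
         ## not the value of the variable - confirm that is intended.
         error "unsupported for this --release BUILD_RELEASE"
      fi
   elif [ "$BUILD_RELEASE" = "bionic" ]; then
      if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
         whonix_build_sources_list_primary="$WHONIX_SOURCE_FOLDER/build_sources/ubuntu_bionic_clearnet.list"
      else
         ## Only a clearnet list exists for this release.
         error "unsupported for this --release BUILD_RELEASE"
      fi
   else
      if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
         whonix_build_sources_list_primary="$WHONIX_SOURCE_FOLDER/build_sources/debian_stable_current_clearnet.list"
      else
         whonix_build_sources_list_primary="$WHONIX_SOURCE_FOLDER/build_sources/debian_stable_current_onion.list"
      fi
   fi
fi

true "whonix_build_sources_list_primary : $whonix_build_sources_list_primary"
true "whonix_build_sources_list_newer : $whonix_build_sources_list_newer"

## Parsing used three times below:
##   1. drop every line that contains a "#" anywhere,
##   2. keep lines that contain "deb" (this also matches deb-src),
##   3. take the LAST remaining line and split it into fields.
## The result depends on the order of entries in the list file. An entry with
## a trailing "# comment" is dropped as a whole by step 1.
## read -r keeps backslashes in an entry literal.

if [ "$whonix_build_apt_stable_release" = "" ]; then
   temp_="$(grep --invert-match "#" "$whonix_build_sources_list_primary")"
   temp_="$(echo "$temp_" | grep "deb")"
   temp_="$(echo "$temp_" | timeout 3 tail -1)"
   read -r deb_ uri_ distri_ component_ _ <<< "$temp_"
   whonix_build_apt_stable_release="$distri_"
   ## example whonix_build_apt_stable_release
   ## bullseye
fi

true "whonix_build_apt_stable_release : $whonix_build_apt_stable_release"

if [ "$whonix_build_apt_sources_mirror" = "" ]; then
   temp_="$(grep --invert-match "#" "$whonix_build_sources_list_primary")"
   temp_="$(echo "$temp_" | grep "deb")"
   temp_="$(echo "$temp_" | timeout 3 tail -1)"
   read -r deb_ uri_ distri_ component_ _ <<< "$temp_"
   ## Used for:
   ## cowbuilder (debootstrap)
   ## grml-debootstrap (debootstrap) (VM builds only)
   ## debootstrap does not work with 'tor+', therefore removed.
   ## NOTE(review): with 'tor+' removed, an onion mirror is handed to
   ## debootstrap as a plain http:// URI. Reaching it through Tor then
   ## depends on how the build environment routes that traffic - presumably
   ## a proxy; verify.
   whonix_build_apt_sources_mirror="$(echo "$uri_" | sed "s|tor+||g")"
   ## examples whonix_build_apt_sources_mirror:
   ## http://ftp.us.debian.org/debian
   ## http://HTTPS///deb.debian.org/debian
   ## http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian
fi

## export so it can be read by genmkfile.
export whonix_build_apt_sources_mirror

true "whonix_build_apt_sources_mirror : $whonix_build_apt_sources_mirror"

## export so it can be read by genmkfile.
make_cowbuilder_mirror="$whonix_build_apt_sources_mirror"
export make_cowbuilder_mirror

if [ "$whonix_build_apt_newer_release_codename" = "" ]; then
   ## NOTE(review): in build_sources/debian_testing_current_onion.list the
   ## last entry is the security archive's deb-src line, so an onion build
   ## gets "bullseye-security" here, while the clearnet list yields
   ## "bullseye" - confirm which one is wanted.
   temp_="$(grep --invert-match "#" "$whonix_build_sources_list_newer")"
   temp_="$(echo "$temp_" | grep "deb")"
   temp_="$(echo "$temp_" | timeout 3 tail -1)"
   read -r deb_ uri_ distri_ component_ _ <<< "$temp_"
   whonix_build_apt_newer_release_codename="$distri_"
   ## example whonix_build_apt_newer_release_codename:
   ## sid
fi

true "whonix_build_apt_newer_release_codename: $whonix_build_apt_newer_release_codename"

## Example temp_:
## deb http://snapshot.debian.org/archive/debian/20140727T221338Z/ stable main
## Example deb_:
## deb
## Example uri_:
## http://snapshot.debian.org/archive/debian/20140727T221338Z/
## Example distri_:
## stable
## Example component_:
## main

if [ "$whonix_build_sources_list_torproject" = "" ]; then
   if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
      whonix_build_sources_list_torproject="$WHONIX_SOURCE_FOLDER/build_sources/torproject_stable_current_clearnet.list"
   else
      whonix_build_sources_list_torproject="$WHONIX_SOURCE_FOLDER/build_sources/torproject_stable_current_onion.list"
   fi
fi

if [ "$whonix_build_sources_list_debian_sid" = "" ]; then
   if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
      whonix_build_sources_list_debian_sid="$WHONIX_SOURCE_FOLDER/build_sources/debian_sid_current_clearnet.list"
   else
      ## NOTE(review): the build_sources file listing shows only
      ## debian_sid_current_clearnet.list. Confirm the onion variant exists
      ## before relying on this branch.
      whonix_build_sources_list_debian_sid="$WHONIX_SOURCE_FOLDER/build_sources/debian_sid_current_onion.list"
   fi
fi

if [ "$build_remote_repo_enable" = "true" ]; then
   DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $whonix_build_apt_stable_release"
   export DERIVATIVE_APT_REPOSITORY_OPTS
fi

if [ "$build_remote_derivative_pkgs" = "true" ]; then
   if [ "$apt_target_key_derivative" = "" ]; then
      ## NOTE(review): a key placed in /etc/apt/trusted.gpg.d is accepted by
      ## apt for every configured source, not only for the derivative
      ## repository. A keyring referenced with signed-by on that one source
      ## would keep the trust scoped. The file name suggests the key is
      ## removed again later - confirm.
      apt_target_key_derivative="/etc/apt/trusted.gpg.d/derivative-temp.asc"
   fi

   if [ "$sources_list_target_build_remote_derivative" = "" ]; then
      sources_list_target_build_remote_derivative="$WHONIX_SOURCES_LIST_TEMP_BUILD_FILE"
   fi

   if [ "$codename_build_remote_derivative" = "" ]; then
      codename_build_remote_derivative="${whonix_build_apt_stable_release}-developers"
   fi

   if [ "$sources_list_build_remote_derivative" = "" ]; then
      if [ "$whonix_build_sources_clearnet_or_onion" = "clearnet" ]; then
         sources_list_build_remote_derivative="deb http://HTTPS///deb.whonix.org $codename_build_remote_derivative main contrib non-free"
      else
         sources_list_build_remote_derivative="deb tor+http://deb.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion $codename_build_remote_derivative main contrib non-free"
      fi
   fi
fi

## Whonix/packages/usability-misc/usr/bin/repo-add-dist parses this.
export apt_target_key_derivative
export sources_list_build_remote_derivative
export sources_list_target_build_remote_derivative

--------------------------------------------------------------------------------
/buildconfig.d/30_custom_configs_help.conf:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## You can drop your custom build config files in:
## ../buildconfig.d
## Files need to have the '.conf' file extension.
##
## For example, when /home/user/Whonix is your Whonix source code folder, you
## can drop custom build config files in /home/user/buildconfig.d/.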
This is 10 | ## easier than dropping these files in /home/user/Whonix/buildconfig.d, because 11 | ## you do not have to commit them using git. 12 | -------------------------------------------------------------------------------- /buildconfig.d/30_debchange.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## DEBFULLNAME 5 | ## see: man debchange 6 | ## defaults to "Whonix auto generated local APT signing key" 7 | #export DEBFULLNAME="maintainer full name" 8 | 9 | ## DEBEMAIL 10 | ## see: - man debchange 11 | ## defaults to "whonix@local-signing.key" 12 | #export DEBEMAIL="maintainer@mail.host" 13 | 14 | ## DEBSIGN_KEYID 15 | ## defaults to: unset 16 | #DEBSIGN_KEYID 17 | 18 | ## DEBUILD_LINTIAN_OPTS 19 | ## see: http://www.debian.org/doc/manuals/maint-guide/build.en.html 20 | ## see: man debuild 21 | ## defaults to "--info --display-info --fail-on-warnings" 22 | #export DEBUILD_LINTIAN_OPTS="--pedantic --info --display-info --fail-on-warnings" 23 | 24 | ## WHONIX_LOCAL_SIGNING_KEY_FOLDER 25 | ## defaults to: unset 26 | #export WHONIX_LOCAL_SIGNING_KEY_FOLDER="/home/user/.gnupg" 27 | 28 | ## WHONIX_BUILD_APT_CODENAME 29 | ## defaults to "local" 30 | ## interesting values: local, stable, testers, developers 31 | ## it's the name of the suite which will be used for reprepro 32 | ## For explanation, Debian, a different project, uses stable, testing, sid. 33 | #export WHONIX_BUILD_APT_CODENAME="local" 34 | -------------------------------------------------------------------------------- /buildconfig.d/30_dependencies.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 
###############################################
## Build Dependencies for Whonix Build Script #
###############################################

## Each statement appends one or more package names, padded with spaces, to
## whonix_build_script_build_dependency. The variable is only appended to
## here. Nothing in this file installs anything.
## A few packages are appended more than once (fakeroot, apt-transport-tor).

## required for sudo -u user
whonix_build_script_build_dependency+=" sudo "

## for creating valid man pages in roff format from man folder (ronn format)
whonix_build_script_build_dependency+=" ronn "

## required for build step "verify files"
whonix_build_script_build_dependency+=" diffutils "

## required for creating .deb packages
whonix_build_script_build_dependency+=" debhelper "

## required for some dialog based upstream (Debian) postinst scripts
whonix_build_script_build_dependency+=" dialog "

## faster creation of local OpenPGP APT repository signing key
## and better entropy during build
whonix_build_script_build_dependency+=" haveged "

## required for creating .deb packages, contains debchange (dch),
## used for automatically bumping the version number in debian/changelog
## required for building python setup.py packages
whonix_build_script_build_dependency+=" devscripts "

## required for creating an upstream tarball (git archive) and for
## creating a version number (git describe)
whonix_build_script_build_dependency+=" git "

## required for creating (local) APT repository
whonix_build_script_build_dependency+=" reprepro "

## required to silence dpkg-gencontrol:
## warning: File::FcntlLock not available; using flock which is not NFS-safe
## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677865
whonix_build_script_build_dependency+=" libfile-fcntllock-perl "

## required for modifying configuration files owned by other .deb packages
whonix_build_script_build_dependency+=" config-package-dev "

## required for creating .deb packages
whonix_build_script_build_dependency+=" dh-apparmor "

## required for creating .deb packages
whonix_build_script_build_dependency+=" dh-python "

## required for creating .deb packages
whonix_build_script_build_dependency+=" build-essential "

## required for creating .deb packages
whonix_build_script_build_dependency+=" lintian "

## required for "make clean"
whonix_build_script_build_dependency+=" gawk "

## bash-completion
whonix_build_script_build_dependency+=" bash-completion "

## grep
whonix_build_script_build_dependency+=" grep "

## Debian APT repository archive keyring: the keys apt uses to verify the
## signatures of the Debian archives.
whonix_build_script_build_dependency+=" debian-archive-keyring "

## manual verification of reproducible builds
whonix_build_script_build_dependency+=" vbindiff "

## contains lsb_release, required for detecting host operating system (Ubuntu (CI) or Debian)
whonix_build_script_build_dependency+=" lsb-release "

## progress meter for the console (currently only used for qcow2
## compression in whonix-developer-meta-files)
whonix_build_script_build_dependency+=" pv "

## verifiable builds
#whonix_build_script_build_dependency+=" sleuthkit "

## for building python setup.py packages
whonix_build_script_build_dependency+=" python3-all-dev "
whonix_build_script_build_dependency+=" python3-stdeb "

## required for sanity tests
whonix_build_script_build_dependency+=" time "

## clean package builds and reproducible builds
whonix_build_script_build_dependency+=" cowbuilder "
whonix_build_script_build_dependency+=" strip-nondeterminism "

## torrent file creation
whonix_build_script_build_dependency+=" mktorrent "

## required for onion build_sources
whonix_build_script_build_dependency+=" apt-transport-tor "

## required for apt-get-wrapper
whonix_build_script_build_dependency+=" python3 "

## gpg2 required by build-steps.d/1200_create-debian-packages
whonix_build_script_build_dependency+=" gnupg2 "

## required for --connection clearnet
## for build_sources apt-cacher-ng http://HTTPS///
whonix_build_script_build_dependency+=" apt-cacher-ng "

## required by genmkfile
whonix_build_script_build_dependency+=" fakeroot "

## required by build-steps.d/1300_create-raw-image
whonix_build_script_build_dependency+=" mmdebstrap "

## https://gitlab.mister-muffin.de/josch/mmdebstrap/issues/5
## 'Recommends:' of mmdebstrap
whonix_build_script_build_dependency+=" arch-test fakechroot fakeroot gpg libdistro-info-perl mount uidmap "
## 'Suggests:' of mmdebstrap
whonix_build_script_build_dependency+=" apt-transport-https apt-transport-tor apt-utils binfmt-support ca-certificates debootstrap distro-info-data dpkg-dev perl-doc proot qemu-user qemu-user-static squashfs-tools-ng "

## Build Dependencies for creating Virtual Machine Images (.raw)
## for grml-debootstrap
whonix_build_script_build_dependency+=" grml-debootstrap kpartx mksh parted qemu-utils "
## for converting images (qemu-img): qemu-utils
## for shrinking images
whonix_build_script_build_dependency+=" zerofree "

## required for cross platform package builds such as when building on amd64
## and using build config variable:
## make_cross_build_platform_list="i386 amd64"
#whonix_build_script_build_dependency+=" binfmt-support " ## duplicate
whonix_build_script_build_dependency+=" qemu "
#whonix_build_script_build_dependency+=" qemu-user-static " ## duplicate

## required by ~/Whonix/packages/whonix-developer-meta-files/release/prepare_release
whonix_build_script_build_dependency+=" signify-openbsd "
whonix_build_script_build_dependency+=" codecrypt "

## REPO_PROXY test
whonix_build_script_build_dependency+=" curl "

## build dependency for isutf8
whonix_build_script_build_dependency+=" moreutils "

## for canary update script
whonix_build_script_build_dependency+=" rsstail "

## for upload scripts
whonix_build_script_build_dependency+=" rsync "
whonix_build_script_build_dependency+=" stunnel "
whonix_build_script_build_dependency+=" socat "

## download of VirtualBox from Debian fasttrack repository
## (the keyring package for that repository)
whonix_build_script_build_dependency+=" fasttrack-archive-keyring "

--------------------------------------------------------------------------------
/buildconfig.d/30_pkg_build_opts.conf:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## Package build defaults. Each one is applied only when the variable is
## still empty, so a value set earlier is kept.
[ -n "$make_use_lintian" ] || make_use_lintian="true"
[ -n "$genmkfile_make_cmd" ] || genmkfile_make_cmd="deb-pkg"
[ -n "$make_use_cowbuilder" ] || make_use_cowbuilder="true"

--------------------------------------------------------------------------------
/buildconfig.d/30_pkg_list.conf:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.
## Default: build every package found in the packages folder of the source
## tree. A pkg_list that is already set is left alone.
if [ -z "$pkg_list" ]; then
   pkg_list="$(ls "$WHONIX_SOURCE_FOLDER/packages/")"
fi

## To build only specific packages and override the default list, uncomment
## the following line and add them to the list.
#pkg_list=""

## example list for minimal rpi gateway
#pkg_list="apparmor-profile-anondist gpl-sources-download tor-ctrl uwt usability-misc sdwdate timesanitycheck timezone-utc security-misc anon-gw-base-files ipv4-forward-disable ipv6-disable whonixsetup onion-grater open-link-confirmation whonix-base-files anon-apt-sources-list whonix-firewall whonix-initializer whonix-repository anon-connection-wizard whonix-gw-network-conf dist-base-files anon-gw-anonymizer-config rpi-patches anon-meta-packages scurl helper-scripts damngpl bindp tor-control-panel"

--------------------------------------------------------------------------------
/buildconfig.d/30_skip_backup-raw-after-grml-debootstrap.conf:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## Adds build step 1400_backup-raw-after-grml-debootstrap to the skip list.
## NOTE(review): no step with this name appears in the build-steps.d listing,
## so this may be a leftover entry - confirm.
SKIP_SCRIPTS+=" 1400_backup-raw-after-grml-debootstrap "
export SKIP_SCRIPTS

--------------------------------------------------------------------------------
/buildconfig.d/30_skip_backup-raw-after-meta-package-install.conf:
--------------------------------------------------------------------------------
## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.
3 | 4 | ## skip build step 1800_backup-raw-after-package-install 5 | export SKIP_SCRIPTS+=" 1800_backup-raw-after-package-install " 6 | -------------------------------------------------------------------------------- /buildconfig.d/30_skip_export-vbox-vm.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## skip build step 2600_export-vbox-vm 5 | #export SKIP_SCRIPTS+=" 2600_export-vbox-vm " 6 | -------------------------------------------------------------------------------- /buildconfig.d/30_skip_packages.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Search build-step.d/1700_install-packages for pkg-install-maybe to see which 5 | ## packages are skippable. 6 | ## grep --recursive --color --exclude-dir=.git " pkg-add-to-install-list" 7 | ## The variable whonix_build_script_skip_package_install 8 | ## affects function pkg-install-maybe. 
9 | 10 | #whonix_build_script_skip_package_install+=" virtualbox-guest-additions-iso " 11 | #whonix_build_script_skip_package_install+=" grub2-common " 12 | #whonix_build_script_skip_package_install+=" grub-efi-arm64 " 13 | #whonix_build_script_skip_package_install+=" virtualbox-guest-additions-iso " 14 | #whonix_build_script_skip_package_install+=" spice-vdagent " 15 | #whonix_build_script_skip_package_install+=" serial-console-enable " 16 | #whonix_build_script_skip_package_install+=" calamares " 17 | #whonix_build_script_skip_package_install+=" calamares-settings-debian " 18 | #whonix_build_script_skip_package_install+=" live-config-dist " 19 | #whonix_build_script_skip_package_install+=" live-boot " 20 | #whonix_build_script_skip_package_install+=" rsync " 21 | #whonix_build_script_skip_package_install+=" squashfs-tools " 22 | -------------------------------------------------------------------------------- /buildconfig.d/30_skip_report.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## minimal report 5 | ## defaults to: normal report 6 | ## 1: minimal report 7 | ## 0 or unset: normal report 8 | #whonix_build_script_create_report="true" 9 | -------------------------------------------------------------------------------- /buildconfig.d/30_skip_sanity_checks.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 
3 | 4 | ## skip sanity checks chroot script 5 | #export SKIP_SCRIPTS+=" 20_sanity_checks " 6 | -------------------------------------------------------------------------------- /buildconfig.d/30_target_arch.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## configures: 5 | ## - 1300_create-debian-raw 6 | ## - 1700_install-packages (help-steps/parse-cmd) 7 | 8 | ## BUILD_TARGET_ARCH 9 | ## defaults to: amd64 10 | #BUILD_TARGET_ARCH="i386" 11 | 12 | ## BUILD_KERNEL_PKGS 13 | ## defaults to: linux-image-amd64 linux-headers-amd64 14 | #BUILD_KERNEL_PKGS="linux-image-586 linux-headers-586" 15 | #BUILD_KERNEL_PKGS="linux-image-686-pae linux-headers-686-pae" 16 | #BUILD_KERNEL_PKGS="linux-image-amd64 linux-headers-amd64" 17 | -------------------------------------------------------------------------------- /buildconfig.d/30_upgrade_build_machine.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Build Script Upgrade Build Machine 5 | ## defaults to: upgrade build machine 6 | ## When not turned off below, it will run apt-get update and 7 | ## apt-get dist-upgrade before in build step "prepare build machine". 8 | ## as well. 9 | if [ "$WHONIX_BUILD_UPGRADE_BUILD_MACHINE" = "" ]; then 10 | export WHONIX_BUILD_UPGRADE_BUILD_MACHINE="0" 11 | fi 12 | 13 | ## Build Script Unattended Package Install 14 | ## default to: do not install packages unattended 15 | ## Sets dpkg option --force-confold while upgrading. 16 | ## When not turned off below, it will not install packages without configuration 17 | ## questions. 18 | ## Debian frontend is set to noninteractive while running the upgrade 19 | ## as well. 
20 | if [ "$WHONIX_BUILD_UNATTENDED_PKG_INSTALL" = "" ]; then 21 | export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" 22 | fi 23 | -------------------------------------------------------------------------------- /buildconfig.d/30_verifiable.conf: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | ## Verifiable Builds 5 | ## Skip deletion of non-deterministic files in the cleanup chroot script. 6 | ## (These files are later automatically re-created by First Run Initializer.) 7 | ## Default: skip 8 | ## true: do 9 | ## false or unset: skip 10 | #export whonix_build_script_verifiable="true" 11 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | whonix (3:14.0.1.1.3) unstable; urgency=low 2 | 3 | * New upstream version (local package). 4 | 5 | -- Patrick Schleizer Fri, 25 Jan 2019 00:00:00 +0000 6 | 7 | whonix (3:10.0.0.1.9-1) unstable; urgency=low 8 | 9 | * New upstream version. 10 | 11 | -- Patrick Schleizer Sun, 17 Aug 2014 20:45:22 +0000 12 | 13 | whonix (3:0.1-2) unstable; urgency=low 14 | 15 | * Initial release. 16 | 17 | -- Patrick Schleizer Sun, 17 Aug 2014 17:56:52 +0000 18 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 9 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions.
3 | 4 | Source: whonix 5 | Section: misc 6 | Priority: optional 7 | Maintainer: Patrick Schleizer 8 | Build-Depends: debhelper (>= 9), ruby-ronn 9 | Homepage: https://github.com/Whonix/whonix 10 | Vcs-Browser: https://github.com/Whonix/whonix 11 | Vcs-Git: https://github.com/Whonix/whonix.git 12 | Standards-Version: 3.9.4 13 | 14 | Package: whonix-gateway 15 | Architecture: all 16 | Depends: ${misc:Depends} 17 | Description: TODO 18 | TODO 19 | . 20 | TODO 21 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | 3 | Files: * 4 | Copyright: 2012 - 2021 ENCRYPTED SUPPORT LP 5 | License: GPL-3+-with-additional-terms-1 6 | This program is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | . 11 | This program is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | . 16 | You should have received a copy of the GNU General Public License 17 | along with this program. If not, see . 18 | . 19 | On Debian systems, the full text of the GNU General Public 20 | License version 3 can be found in the file 21 | `/usr/share/common-licenses/GPL-3'. 22 | . 23 | ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 24 | . 25 | 1. Replacement of Section 15. Section 15 of the GPL shall be deleted in its 26 | entirety and replaced with the following: 27 | . 28 | 15. Disclaimer of Warranty. 29 | . 
30 | THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, 31 | INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR 32 | PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING 33 | DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR 34 | REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 35 | PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 36 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 37 | . 38 | 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its 39 | entirety and replaced with the following: 40 | . 41 | 16. LIMITATION OF LIABILITY. 42 | . 43 | UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY 44 | OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE 45 | LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY 46 | DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, 47 | INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN 48 | CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH 49 | THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED 50 | INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE 51 | PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER 52 | OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH 53 | DAMAGES COULD HAVE BEEN FORESEEN. 54 | . 55 | 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully 56 | all trademark, copyright and other proprietary and legal notices on any copies 57 | of the Program or any other required author attributions. This license does not 58 | grant you rights to use any copyright holder or any other party's name, logo, or 59 | trademarks. 
Neither the name of the copyright holder or its affiliates, or any 60 | other party who modifies and/or conveys the Program may be used to endorse or 61 | promote products derived from this software without specific prior written 62 | permission. The origin of the Program must not be misrepresented; you must not 63 | claim that you wrote the original Program. Altered source versions must be 64 | plainly marked as such, and must not be misrepresented as being the original 65 | Program. 66 | . 67 | 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT 68 | OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, 69 | YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND 70 | AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF 71 | ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE 72 | ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR 73 | IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. 74 | 75 | Files: help-steps/grml-debootstrap 76 | Upstream-Name: grml-debootstrap 77 | Upstream-Contact: Michael Prokop 78 | Source: http://git.grml.org/?p=grml-debootstrap.git;a=summary 79 | Copyright: 2006-2016, Michael Prokop 80 | 2014, 2015, Sebastian Pipping 81 | 2014, Patrick Schleizer 82 | 2013, 2014, Markus Rekkenbeil 83 | 2012, 2013, Evgeni Golov 84 | 2012, Darshaka Pathirana 85 | 2010, 2011, 2013, 2014, Christian Hofstaedtler 86 | 2009, 2010, 2011, Ulrich Dangel 87 | 2009, Michael Gebetsroither 88 | 2008, 2010, Tong Sun 89 | 2007, Alexander Wirt 90 | License: GPL-2+ 91 | This package is free software; you can redistribute it and/or modify 92 | it under the terms of the GNU General Public License as published by 93 | the Free Software Foundation; either version 2 of the License, or 94 | (at your option) any later version. 95 | . 
96 | This package is distributed in the hope that it will be useful, 97 | but WITHOUT ANY WARRANTY; without even the implied warranty of 98 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 99 | GNU General Public License for more details. 100 | . 101 | You should have received a copy of the GNU General Public License 102 | along with this package; if not, write to the Free Software 103 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 104 | . 105 | On Debian systems, the complete text of the GNU General Public License, 106 | version 2 can be found in `/usr/share/common-licenses/GPL-2'. 107 | 108 | Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 109 | Upstream-Name: mmdebstrap 110 | Upstream-Contact: Johannes 'josch' Schauer 111 | Source: https://gitlab.mister-muffin.de/josch/mmdebstrap/ 112 | 113 | Files: help-steps/mmdebstrap 114 | Copyright: 2018, Johannes 'josch' Schauer 115 | License: Expat 116 | Permission is hereby granted, free of charge, to any person obtaining 117 | a copy of this software and associated documentation files (the 118 | "Software"), to deal in the Software without restriction, including 119 | without limitation the rights to use, copy, modify, merge, publish, 120 | distribute, sublicense, and/or sell copies of the Software, and to 121 | permit persons to whom the Software is furnished to do so, subject to 122 | the following conditions: 123 | . 124 | The above copyright notice and this permission notice shall be included 125 | in all copies or substantial portions of the Software. 126 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 
5 | 6 | #export DH_VERBOSE=1 7 | 8 | %: 9 | dh $@ 10 | 11 | override_dh_install: 12 | sudo -u user sudo ./whonix_build --all -- --build --target virtualbox --target qcow2 13 | -------------------------------------------------------------------------------- /debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /debian/watch: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | version=3 5 | opts=filenamemangle=s/.+\/v?(.*)\.tar\.gz/-$1.tar.gz/ \ 6 | https://github.com/Whonix/Whonix/tags .*/v?(\d[\d\.]+)\.tar\.gz 7 | -------------------------------------------------------------------------------- /debian/whonix.postinst: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then 7 | source /usr/libexec/helper-scripts/pre.bsh 8 | fi 9 | 10 | set -e 11 | 12 | true " 13 | #################################################################### 14 | ## INFO: Begin $DPKG_MAINTSCRIPT_NAME script $DPKG_MAINTSCRIPT_PACKAGE... 15 | #################################################################### 16 | " 17 | 18 | case "$1" in 19 | configure) 20 | ## Not using --no-create-home, so sdwdate can write into /home/sdwdate. 21 | true 22 | ;; 23 | 24 | abort-upgrade|abort-remove|abort-deconfigure) 25 | ;; 26 | 27 | *) 28 | echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 29 | exit 1 30 | ;; 31 | esac 32 | 33 | true "INFO: debhelper beginning here." 34 | 35 | #DEBHELPER# 36 | 37 | true "INFO: Done with debhelper." 
38 | 39 | true " 40 | #################################################################### 41 | ## INFO: $DPKG_MAINTSCRIPT_NAME script $DPKG_MAINTSCRIPT_PACKAGE no error detected. 42 | #################################################################### 43 | " 44 | 45 | ## Explicitly "exit 0", so eventually trapped errors can be ignored. 46 | exit 0 47 | -------------------------------------------------------------------------------- /grml_packages: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 3 | 4 | locales 5 | eatmydata 6 | apt-transport-tor 7 | gpg 8 | gpg-agent 9 | fasttrack-archive-keyring 10 | -------------------------------------------------------------------------------- /help-steps/ci_git_clone_test: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | 8 | set -e 9 | 10 | true "$0: start" 11 | 12 | ## Debugging. NOTE(review): the "env" call below prints every environment variable into the job log (and "set -x" traces each command), so any secret the CI exports as a variable ends up in the log; drop the call or filter its output if such variables exist. 13 | true "$0: $(whoami)" || true 14 | ls -la || true 15 | env || true 16 | 17 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 18 | 19 | ## travis.debian.net does not pass the CI environment variable to docker. 20 | ## build script reads CI variable. 21 | if echo "$PWD" | grep -q travis ; then 22 | true "INFO: travis detected, ok." 23 | sudo_maybe="sudo --non-interactive" 24 | elif [ ! "$CI" = "true" ]; then 25 | true "ERROR: You probably do not want to run this outside of a CI."
26 | exit 1 27 | fi 28 | 29 | $sudo_maybe apt-get update 30 | 31 | $sudo_maybe apt-get --yes --no-install-recommends install git time tor torsocks 32 | 33 | $sudo_maybe service tor start || true 34 | $sudo_maybe service tor@default start || true 35 | 36 | $sudo_maybe service tor status || true 37 | $sudo_maybe service tor@default status || true 38 | 39 | git fetch --tags 40 | 41 | git_tag_nearest="$(git describe --always --abbrev=0)" 42 | 43 | pushd /tmp 44 | 45 | ## Test if git cloning from gitlab over Tor (using torsocks) is functional. 46 | ## Useful to have this test fail in case there are generally gitlab 47 | ## connectivity issues or blocking of Tor users. 48 | 49 | ## --branch 15.0.1.7.2-stable 50 | ## Can be any tag. 51 | 52 | ## --shallow-submodules 53 | ## Speed up download. Save traffic. Repositories binaries-freedom and 54 | ## monero-gui is too large which lead to failed git clone. 55 | 56 | # time \ 57 | # torsocks \ 58 | # git \ 59 | # clone \ 60 | # --depth=1 \ 61 | # --branch "$git_tag_nearest" \ 62 | # --jobs=100 \ 63 | # --recurse-submodules \ 64 | # --shallow-submodules \ 65 | # https://gitlab.com/whonix/Whonix.git 66 | 67 | time \ 68 | torsocks \ 69 | git \ 70 | clone \ 71 | --depth=1 \ 72 | --branch "$git_tag_nearest" \ 73 | https://gitlab.com/whonix/Whonix.git 74 | 75 | pushd Whonix 76 | 77 | git_submodule_fetch_command="\ 78 | time \ 79 | torsocks \ 80 | git \ 81 | submodule \ 82 | update \ 83 | --init \ 84 | --recursive \ 85 | --progress \ 86 | --jobs=4" 87 | 88 | counter=0 89 | while true ; do 90 | if $git_submodule_fetch_command ; then 91 | success=true 92 | break 93 | fi 94 | counter=$(( counter + 1 )) 95 | if [ "$counter" -gt "3" ]; then 96 | success=false 97 | break 98 | fi 99 | done 100 | 101 | if [ "$success" = "false" ]; then 102 | true "$0 ERROR: downloading git submodules failed." 103 | exit 1 104 | fi 105 | 106 | ## Sanity test. 107 | git status 108 | 109 | true "$0 INFO: OK. End." 
110 | -------------------------------------------------------------------------------- /help-steps/ci_package_build_test: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | 8 | set -e 9 | 10 | true "$0: start" 11 | 12 | ## Debugging. 13 | true "$0: $(whoami)" || true 14 | true "$0: $(pwd)" || true 15 | ls -la || true 16 | 17 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 18 | 19 | ## travis.debian.net does not pass the CI environment variable to docker. 20 | ## build script reads CI variable. 21 | if echo "$PWD" | grep -q travis ; then 22 | true "INFO: travis detected, ok." 23 | elif [ ! "$CI" = "true" ]; then 24 | true "ERROR: You probably do not want to run this outside of a CI \ 25 | environment, because it uses virsh to undefine virtual machines." 26 | exit 1 27 | fi 28 | 29 | export CI=true 30 | 31 | apt-get update 32 | 33 | ### XXX: duplicated from apt-get-noninteractive 34 | ## XXX: not using POLICYRCD 35 | ## because apt-cacher-ng needs to be started 36 | #[ -n "$POLICYRCD" ] || POLICYRCD="/usr/share/usability-misc/policy-rc.d" 37 | [ -n "$DEBIAN_FRONTEND" ] || DEBIAN_FRONTEND="noninteractive" 38 | [ -n "$DEBIAN_PRIORITY" ] || DEBIAN_PRIORITY="critical" 39 | [ -n "$DEBCONF_NOWARNINGS" ] || DEBCONF_NOWARNINGS="yes" 40 | [ -n "$APT_LISTCHANGES_FRONTEND" ] || APT_LISTCHANGES_FRONTEND="text" 41 | #export POLICYRCD 42 | export DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND 43 | 44 | ## Sanity tests. 45 | apt-get --yes dist-upgrade 46 | dpkg --configure -a 47 | 48 | ## apt-cacher-ng in .travis.yml 49 | apt-get --yes --no-install-recommends install sudo git time curl lsb-release fakeroot dpkg-dev debsums net-tools apt-cacher-ng 50 | 51 | ## hardened-kernel 52 | ## Unknown isssue. 53 | ## 54 | # Reading package lists... 
55 | # Building dependency tree... 56 | # Reading state information... 57 | # Package flex is not available, but is referred to by another package. 58 | # This may mean that the package is missing, has been obsoleted, or 59 | # is only available from another source 60 | # 61 | # Package bison is not available, but is referred to by another package. 62 | # This may mean that the package is missing, has been obsoleted, or 63 | # is only available from another source 64 | # 65 | # E: Unable to locate package libssl-dev 66 | # E: Unable to locate package libncurses-dev 67 | # E: Unable to locate package libelf-dev 68 | # E: Package 'bison' has no installation candidate 69 | # E: Package 'flex' has no installation candidate 70 | # E: Unable to locate package gcc-8-plugin-dev 71 | # E: Unable to locate package bc 72 | ## apt-get --yes --no-install-recommends install debhelper libssl-dev libncurses-dev fakeroot libelf-dev bison flex gcc-8-plugin-dev curl bc kmod cpio 73 | 74 | ## Debugging. 75 | debsums -ce 76 | netstat -tulpen 77 | 78 | #service apt-cacher-ng restart 79 | #service apt-cacher-ng status 80 | 81 | user_name=user 82 | user_to_be_created=user 83 | 84 | adduser --disabled-login --gecos "" "$user_to_be_created" 85 | 86 | addgroup --system console 87 | 88 | adduser "$user_name" sudo 89 | adduser "$user_name" console 90 | 91 | ## https://unix.stackexchange.com/questions/18796/how-to-apply-changes-of-newly-added-user-groups-without-needing-to-reboot 92 | gpasswd -a "$user_name" sudo 93 | gpasswd -a "$user_name" console 94 | 95 | ## Debugging. 96 | id "$user_name" 97 | 98 | ## https://askubuntu.com/questions/250720/is-it-necessary-to-reboot-after-changing-group-membership 99 | su --login "$user_name" 100 | 101 | ## Debugging. 
102 | id "$user_name" 103 | ## NOTE(review): the drop-in written below gives "user" passwordless root for every command; that is only acceptable on a throwaway CI container, which the CI guard near the top of this script is meant to ensure. The file is created by shell redirection, so its mode follows the umask; consider "chmod 0440" and a "visudo -cf" syntax check on it before the sudo call further down. 104 | echo " 105 | Defaults !requiretty 106 | user ALL=(ALL) NOPASSWD: ALL 107 | " > /etc/sudoers.d/allow-all-sudo-on-ci 108 | 109 | cat /etc/sudoers.d/allow-all-sudo-on-ci 110 | 111 | echo '#!/bin/bash 112 | 113 | set -x 114 | set -e 115 | 116 | ## This script runs inside a docker container. 117 | ## Access apt-cacher-ng on the docker host. 118 | export REPO_PROXY="http://172.17.0.1:3142" 119 | 120 | ## Since already running inside docker it is not easy to use cowbuilder. 121 | export make_use_cowbuilder="false" 122 | 123 | sudo --non-interactive -E ./build-steps.d/1100_sanity-tests --internalrun --build --target root --allow-untagged true --allow-uncommitted true 124 | true "exit code: $?" 125 | 126 | sudo --non-interactive -E ./build-steps.d/1120_prepare-build-machine --internalrun --build --target root 127 | true "exit code: $?" 128 | 129 | ## Broken. 130 | ## mount: /var/cache/pbuilder/base.cow_amd64/dev/pts: permission denied. 131 | ## umount: /var/cache/pbuilder/base.cow_amd64/./dev/pts/: must be superuser to unmount. 132 | ## umount ./dev/pts/ failed: 8192 at mmdebstrap line 900. 133 | ## E: run_chroot failed: E: mount ./dev/pts/ failed: 8192 at ## mmdebstrap line 152. 134 | #sudo --non-interactive -E ./build-steps.d/1130_cowbuilder-setup --internalrun --build --target root 135 | #true "exit code: $?" 136 | 137 | sudo --non-interactive -E ./build-steps.d/1200_create-debian-packages --internalrun --build --target root 138 | true "exit code: $?" 139 | 140 | ' \ | tee /home/travis/ci_script 141 | 142 | chmod +x /home/travis/ci_script 143 | realpath /home/travis/ci_script 144 | 145 | cat /home/travis/ci_script 146 | 147 | chown --recursive "$user_name:$user_name" /home/travis 148 | 149 | sudo --non-interactive -u "$user_name" /home/travis/ci_script 150 | 151 | ## XXX 152 | #make_cross_build_platform_list="armel armhf i386 amd64 arm64" 153 | 154 | true "$0 INFO: OK. End."
155 | -------------------------------------------------------------------------------- /help-steps/ci_test: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | 8 | set -e 9 | 10 | true "$0: start" 11 | 12 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 13 | 14 | ## travis.debian.net does not pass the CI environment variable to docker. 15 | ## build script reads CI variable. 16 | if echo "$PWD" | grep -q travis ; then 17 | true "INFO: travis detected, ok." 18 | elif [ ! "$CI" = "true" ]; then 19 | true "ERROR: You probably do not want to run this outside of a CI \ 20 | environment, because it uses virsh to undefine virtual machines." 21 | exit 1 22 | fi 23 | 24 | export CI=true 25 | export DEBDEBUG=1 26 | 27 | apt-get update 28 | 29 | ## Sanity tests. 30 | apt-get --yes dist-upgrade 31 | dpkg --configure -a 32 | 33 | apt-get --yes install sudo virt-what lintian mmdebstrap 34 | 35 | ## Debugging. 36 | pwd 37 | ls 38 | ls ./packages/ 39 | ls ./packages/usability-misc/ 40 | ls ./packages/usability-misc/usr/bin/ 41 | ls ./packages/usability-misc/usr/bin/repo-add-dist 42 | 43 | codename="bullseye-developers" \ 44 | ./packages/usability-misc/usr/bin/repo-add-dist 45 | 46 | user_name=user 47 | user_to_be_created=user 48 | 49 | adduser --no-create-home --disabled-login --gecos "" "$user_to_be_created" 50 | 51 | addgroup --system console 52 | 53 | adduser "$user_name" sudo 54 | adduser "$user_name" console 55 | 56 | apt-get update 57 | 58 | ## Sanity tests. 59 | apt-get --yes dist-upgrade 60 | dpkg --configure -a 61 | 62 | ## whonix-legacy: Prevent debconf questions by firmware packages. 
63 | ## usability-misc: apt-get-noninteractive 64 | apt-get --yes install whonix-legacy usability-misc 65 | 66 | apt-get-noninteractive --yes install whonix-host-xfce-kvm-nonfreedom 67 | 68 | ## The environment variables are not set here. 69 | #true "$0: TRAVIS_DEBIAN_BUILD_DIR: $TRAVIS_DEBIAN_BUILD_DIR" 70 | #true "$0: TRAVIS_DEBIAN_TARGET_DIR: $TRAVIS_DEBIAN_TARGET_DIR" 71 | 72 | true "$0 INFO: OK. End." 73 | -------------------------------------------------------------------------------- /help-steps/ci_test2: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | 8 | set -e 9 | 10 | true "$0: start" 11 | 12 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 13 | 14 | ## travis.debian.net does not pass the CI environment variable to docker. 15 | ## build script reads CI variable. 16 | if echo "$PWD" | grep -q travis ; then 17 | true "INFO: travis detected, ok." 18 | elif [ ! "$CI" = "true" ]; then 19 | true "ERROR: You probably do not want to run this outside of a CI \ 20 | environment, because it uses virsh to undefine virtual machines." 21 | exit 1 22 | fi 23 | 24 | sudo --non-interactive apt-get update 25 | 26 | ## Sanity tests. 27 | sudo --non-interactive dpkg --configure -a 28 | 29 | ## Highest Ubuntu version offered by Travis CI is Ubuntu "bionic" but 30 | ## mmdebstrap is only available since Ubuntu "disco". 
31 | 32 | ## mmdebstrap dependencies: perl perl-doc 33 | 34 | sudo --non-interactive apt-get --yes install perl perl-doc apt-cacher-ng apt-transport-https apt-transport-tor ca-certificates tor 35 | 36 | systemctl status tor || true 37 | systemctl status tor@default || true 38 | ## NOTE(review): the .deb below is fetched over plain HTTP and handed to "dpkg -i" as root with no checksum or signature check, so whatever answers that request gets its maintainer scripts run as root. Pin a known-good SHA-256 in this repository and verify the download (sha256sum --check) before installing. 39 | wget http://mirrors.kernel.org/ubuntu/pool/universe/m/mmdebstrap/mmdebstrap_0.4.1-6_all.deb 40 | sudo --non-interactive dpkg -i mmdebstrap_0.4.1-6_all.deb 41 | 42 | sudo --non-interactive apt-get --yes install mmdebstrap 43 | 44 | ## debian-archive-keyring: required so mmdebstrap gets key for packages.debian.org. NOTE(review): same unverified HTTP download as the mmdebstrap .deb above, and this package carries the archive keys that later signature checks rely on; verify it against a pinned SHA-256 before dpkg -i. 45 | wget http://http.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2019.1+deb10u1_all.deb 46 | sudo --non-interactive dpkg -i debian-archive-keyring_2019.1+deb10u1_all.deb 47 | 48 | sudo --non-interactive \ 49 | codename="bullseye-developers" \ 50 | ./packages/usability-misc/usr/bin/repo-add-dist 51 | 52 | mmdebstrap_wrapper=./help-steps/mmdebstrap 53 | 54 | test -f "$mmdebstrap_wrapper" 55 | test -x "$mmdebstrap_wrapper" 56 | 57 | mkdir -p ~/chroot 58 | 59 | #### 60 | 61 | repo=bullseye-developers 62 | path_to_temp_sources_list=~/temp-sources.list 63 | 64 | #### 65 | 66 | echo " 67 | deb https://deb.debian.org/debian-security bullseye-security main contrib non-free 68 | deb https://deb.debian.org/debian bullseye main contrib non-free 69 | deb https://deb.whonix.org $repo main contrib non-free 70 | " > "$path_to_temp_sources_list" 71 | 72 | #### one test without apt-cacher-ng 73 | 74 | path_to_chroot=~/chroot/kicksecure-cli 75 | 76 | sudo --non-interactive \ 77 | DEBDEBUG=1 \ 78 | SECURITY_MISC_INSTALL=force \ 79 | DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \ 80 | "$mmdebstrap_wrapper" \ 81 | --verbose \ 82 | --variant=required \ 83 | --include kicksecure-cli \ 84 | bullseye \ 85 | "$path_to_chroot" \ 86 | "$path_to_temp_sources_list" 87 | 88 | ls "$path_to_chroot" 89 | ls "$path_to_chroot/home" 90 | 91 | true "$0 INFO: OK.
End." 92 | -------------------------------------------------------------------------------- /help-steps/ci_test3: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | 8 | set -e 9 | 10 | true "$0: start" 11 | 12 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 13 | 14 | ## travis.debian.net does not pass the CI environment variable to docker. 15 | ## build script reads CI variable. 16 | if echo "$PWD" | grep -q travis ; then 17 | true "INFO: travis detected, ok." 18 | elif [ ! "$CI" = "true" ]; then 19 | true "ERROR: You probably do not want to run this outside of a CI \ 20 | environment, because it uses virsh to undefine virtual machines." 21 | exit 1 22 | fi 23 | 24 | export CI=true 25 | 26 | sudo --non-interactive apt-get update 27 | 28 | ## Sanity tests. 29 | sudo --non-interactive dpkg --configure -a 30 | 31 | ## Highest Ubuntu version offered by Travis CI is Ubuntu "bionic" but 32 | ## mmdebstrap is only available since Ubuntu "disco". 
33 | 34 | ## mmdebstrap dependencies: perl perl-doc 35 | 36 | sudo --non-interactive apt-get --yes install perl perl-doc apt-cacher-ng apt-transport-https apt-transport-tor ca-certificates tor 37 | ## NOTE(review): "PassThroughPattern: .*" lets apt-cacher-ng tunnel CONNECT (HTTPS) requests to any host, presumably for the Acquire::https proxy setting used further down. It also makes port 3142 a general forward proxy for anything that can reach it, so keep this configuration on the disposable CI host only. 38 | echo 'PassThroughPattern: .*' | sudo --non-interactive tee /etc/apt-cacher-ng/zz_debconf.conf >/dev/null 39 | cat /etc/apt-cacher-ng/zz_debconf.conf 40 | sudo --non-interactive systemctl restart apt-cacher-ng || true 41 | sudo --non-interactive systemctl status apt-cacher-ng || true 42 | 43 | sudo --non-interactive systemctl status tor || true 44 | sudo --non-interactive systemctl status tor@default || true 45 | ## NOTE(review): the .deb below is fetched over plain HTTP and handed to "dpkg -i" as root with no checksum or signature check, so whatever answers that request gets its maintainer scripts run as root. Pin a known-good SHA-256 in this repository and verify the download (sha256sum --check) before installing. 46 | wget http://mirrors.kernel.org/ubuntu/pool/universe/m/mmdebstrap/mmdebstrap_0.4.1-6_all.deb 47 | sudo --non-interactive dpkg -i mmdebstrap_0.4.1-6_all.deb 48 | 49 | sudo --non-interactive apt-get --yes install mmdebstrap 50 | 51 | ## debian-archive-keyring: required so mmdebstrap gets key for packages.debian.org. NOTE(review): same unverified HTTP download as the mmdebstrap .deb above, and this package carries the archive keys that later signature checks rely on; verify it against a pinned SHA-256 before dpkg -i. 52 | wget http://http.us.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2019.1+deb10u1_all.deb 53 | sudo --non-interactive dpkg -i debian-archive-keyring_2019.1+deb10u1_all.deb 54 | 55 | sudo --non-interactive \ 56 | codename="bullseye-developers" \ 57 | ./packages/usability-misc/usr/bin/repo-add-dist 58 | 59 | mmdebstrap_wrapper=./help-steps/mmdebstrap 60 | 61 | test -f "$mmdebstrap_wrapper" 62 | test -x "$mmdebstrap_wrapper" 63 | 64 | mkdir -p ~/chroot 65 | 66 | #### 67 | 68 | repo=bullseye-developers 69 | path_to_temp_sources_list=~/temp-sources.list 70 | 71 | #### 72 | 73 | echo " 74 | deb http://HTTPS///deb.debian.org/debian-security bullseye-security main contrib non-free 75 | deb http://HTTPS///deb.debian.org/debian bullseye main contrib non-free 76 | deb http://HTTPS///deb.whonix.org $repo main contrib non-free 77 | " > "$path_to_temp_sources_list" 78 | 79 | #### many tests with apt-cacher-ng Non-Qubes-Whonix 80 | 81 | pkg_to_test_list=" 82 | whonix-host-xfce-kvm-nonfreedom 83 | 84 | kicksecure-cli-vm 85 |
kicksecure-xfce 86 | kicksecure-xfce-vm 87 | 88 | non-qubes-whonix-gateway-xfce 89 | non-qubes-whonix-workstation-xfce 90 | " 91 | 92 | ## TODO: investigate tb-updater failure 93 | ## anon_shared_inst_tb=open 94 | 95 | ## https://git-tails.immerda.ch/tails/tree/config/chroot_local-preseed/firmware 96 | 97 | for pkg_to_test_item in $pkg_to_test_list ; do 98 | path_to_chroot=~/"chroot/${pkg_to_test_item}" 99 | 100 | sudo --non-interactive \ 101 | DEBDEBUG=1 \ 102 | SOURCE_DATE_EPOCH="1548374400" \ 103 | SECURITY_MISC_INSTALL=force \ 104 | DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \ 105 | anon_shared_inst_tb=open \ 106 | "$mmdebstrap_wrapper" \ 107 | --verbose \ 108 | --variant=required \ 109 | --aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }' \ 110 | --aptopt='Acquire::https { Proxy "http://127.0.0.1:3142"; }' \ 111 | --aptopt='Acquire::tor { Proxy "http://127.0.0.1:3142"; }' \ 112 | --essential-hook='echo b43-fwcutter b43-fwcutter/cut_firmware boolean true | chroot "$1" debconf-set-selections' \ 113 | --essential-hook='echo firmware-ipw2x00 firmware-ipw2x00/license/accepted boolean true | chroot "$1" debconf-set-selections' \ 114 | --essential-hook='echo firmware-iwlwifi firmware-iwlwifi/license/accepted boolean true | chroot "$1" debconf-set-selections' \ 115 | --essential-hook='echo firmware-ralink firmware-ralink/license/accepted boolean true | chroot "$1" debconf-set-selections' \ 116 | --include "$pkg_to_test_item" \ 117 | bullseye \ 118 | "$path_to_chroot" \ 119 | "$path_to_temp_sources_list" 120 | 121 | ls "$path_to_chroot" 122 | ls "$path_to_chroot/home" 123 | 124 | ## Safe disk space. 
125 | sudo --non-interactive \ 126 | rm --recursive --force "$path_to_chroot" 127 | done 128 | 129 | #### many tests with apt-cacher-ng Qubes-Whonix 130 | 131 | wget https://keys.qubes-os.org/keys/qubes-release-4-debian-signing-key.asc 132 | 133 | sudo --non-interactive \ 134 | apt-key --keyring /etc/apt/trusted.gpg.d/qubes.gpg add qubes-release-4-debian-signing-key.asc 135 | 136 | echo " 137 | # Qubes updates candidates repository 138 | deb [arch=amd64] http://HTTPS///deb.qubes-os.org/r4.0/vm bullseye-testing main 139 | 140 | # Qubes security updates testing repository 141 | deb [arch=amd64] http://HTTPS///deb.qubes-os.org/r4.0/vm bullseye-securitytesting main 142 | " >> "$path_to_temp_sources_list" 143 | 144 | cat "$path_to_temp_sources_list" 145 | 146 | pkg_to_test_list=" 147 | qubes-whonix-gateway 148 | qubes-whonix-workstation 149 | " 150 | 151 | for pkg_to_test_item in $pkg_to_test_list ; do 152 | path_to_chroot=~/"chroot/${pkg_to_test_item}" 153 | 154 | sudo --non-interactive \ 155 | DEBDEBUG=1 \ 156 | SOURCE_DATE_EPOCH="1548374400" \ 157 | SECURITY_MISC_INSTALL=force \ 158 | DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $repo" \ 159 | anon_shared_inst_tb=open \ 160 | "$mmdebstrap_wrapper" \ 161 | --verbose \ 162 | --debug \ 163 | --variant=required \ 164 | --aptopt='Dpkg::Options { "--force-confnew"};' \ 165 | --aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }' \ 166 | --aptopt='Acquire::https { Proxy "http://127.0.0.1:3142"; }' \ 167 | --aptopt='Acquire::tor { Proxy "http://127.0.0.1:3142"; }' \ 168 | --include "$pkg_to_test_item" \ 169 | bullseye \ 170 | "$path_to_chroot" \ 171 | "$path_to_temp_sources_list" 172 | 173 | ls "$path_to_chroot" 174 | ls "$path_to_chroot/home" 175 | 176 | ## Safe disk space. 177 | sudo --non-interactive rm --recursive --force "$path_to_chroot" 178 | done 179 | 180 | true "$0 INFO: OK. End." 
181 | -------------------------------------------------------------------------------- /help-steps/cleanup-files: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | whonix_build_one_parsed="1" 18 | ROOT_CHECK="0" 19 | VMNAME="internalrun" 20 | 21 | source pre 22 | source colors 23 | source variables 24 | 25 | main() { 26 | shopt -s nullglob 27 | shopt -s dotglob 28 | 29 | ## Use -x to delete files listed in .gitignore. 30 | ## Make sure packages/uwt/libindp.so is deleted. 31 | git clean -d --force --force -x 32 | 33 | for item in "$WHONIX_SOURCE_FOLDER/packages/"*; do 34 | if [ ! -d "$item" ]; then 35 | true "INFO: Not a folder: $item" 36 | continue 37 | fi 38 | cd "$item" 39 | ## Use git rather than "make deb-cleanup" for better security. 40 | git clean -d --force --force -x 41 | done 42 | 43 | } 44 | 45 | main "$@" 46 | -------------------------------------------------------------------------------- /help-steps/colors: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | colors() { 4 | if [ "$TERM" = "" ]; then 5 | return 0 6 | fi 7 | 8 | ## Thanks to: 9 | ## http://mywiki.wooledge.org/BashFAQ/037 10 | ## Variables for terminal requests. 
11 | [[ -t 2 ]] && { 12 | export alt=$( tput smcup || tput ti ) # Start alt display 13 | export ealt=$( tput rmcup || tput te ) # End alt display 14 | export hide=$( tput civis || tput vi ) # Hide cursor 15 | export show=$( tput cnorm || tput ve ) # Show cursor 16 | export save=$( tput sc ) # Save cursor 17 | export load=$( tput rc ) # Load cursor 18 | export bold=$( tput bold || tput md ) # Start bold 19 | export stout=$( tput smso || tput so ) # Start stand-out 20 | export estout=$( tput rmso || tput se ) # End stand-out 21 | export under=$( tput smul || tput us ) # Start underline 22 | export eunder=$( tput rmul || tput ue ) # End underline 23 | export reset=$( tput sgr0 || tput me ) # Reset cursor 24 | export blink=$( tput blink || tput mb ) # Start blinking 25 | export italic=$( tput sitm || tput ZH ) # Start italic 26 | export eitalic=$( tput ritm || tput ZR ) # End italic 27 | [[ $TERM != *-m ]] && { 28 | export red=$( tput setaf 1|| tput AF 1 ) 29 | export green=$( tput setaf 2|| tput AF 2 ) 30 | export yellow=$( tput setaf 3|| tput AF 3 ) 31 | export blue=$( tput setaf 4|| tput AF 4 ) 32 | export magenta=$( tput setaf 5|| tput AF 5 ) 33 | export cyan=$( tput setaf 6|| tput AF 6 ) 34 | } 35 | export white=$( tput setaf 7|| tput AF 7 ) 36 | export default=$( tput op ) 37 | export eed=$( tput ed || tput cd ) # Erase to end of display 38 | export eel=$( tput el || tput ce ) # Erase to end of line 39 | export ebl=$( tput el1 || tput cb ) # Erase to beginning of line 40 | export ewl=$eel$ebl # Erase whole line 41 | export draw=$( tput -S <<< ' enacs 42 | smacs 43 | acsc 44 | rmacs' || { \ 45 | tput eA; tput as; 46 | tput ac; tput ae; } ) # Drawing characters 47 | export back=$'\b' 48 | } 2>/dev/null ||: 49 | 50 | export whonix_build_already_defined_colors="true" 51 | } 52 | 53 | if [ ! 
"$whonix_build_already_defined_colors" = "true" ]; then 54 | colors 55 | fi 56 | -------------------------------------------------------------------------------- /help-steps/create-local-temp-apt-repo: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## Copyright (C) 2018 Algernon 5 | ## See the file COPYING for copying conditions. 6 | 7 | set -x 8 | set -e 9 | 10 | true "INFO: Currently running script: $BASH_SOURCE $@" 11 | 12 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 13 | 14 | source "$MYDIR/pre" 15 | source "$MYDIR/colors" 16 | source "$MYDIR/variables" 17 | 18 | main() { 19 | root_check 20 | 21 | ## DEB_INSTALL_FOLDER Example: 22 | ## /mnt/initialdeb 23 | 24 | ## WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER Example: 25 | ## /var/lib/whonix/sources_temp_list.d 26 | 27 | ## EMPTY_DIR Example: 28 | ## "/tmp/empty" 29 | 30 | ## WHONIX_APT_REPOSITORY_FOLDER Example: 31 | ## /home/user/whonix_binary/aptrepo_local 32 | 33 | mkdir --parents "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER" 34 | mkdir --parents "$CHROOT_FOLDER/$EMPTY_DIR" 35 | mkdir --parents "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER" 36 | 37 | ## sets: WHONIX_APT_REPOSITORY_FOLDER 38 | set_WHONIX_BUILD_REPREPRO_FOLDER_OPTIONS 39 | 40 | if [ "$build_remote_derivative_pkgs" = "true" ]; then 41 | cp "$WHONIX_SOURCE_FOLDER/packages/usability-misc/usr/bin/repo-add-dist" "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER/repo-add-dist" 42 | 43 | ## creates $WHONIX_SOURCES_LIST_TEMP_INITIAL_DEB_SOURCES_LIST 44 | $CHROOT bash -x "$DEB_INSTALL_FOLDER/repo-add-dist" 45 | else 46 | ## Mount our local apt repository inside the image (or machine). 47 | mount --bind "$WHONIX_APT_REPOSITORY_FOLDER" "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER" 48 | 49 | ## Create a sources.list file for our local apt repository. 
50 | echo "deb [trusted=yes] file:$DEB_INSTALL_FOLDER/ $WHONIX_BUILD_APT_CODENAME main contrib non-free" > "$WHONIX_SOURCES_LIST_TEMP_INITIAL_DEB_SOURCES_LIST" 51 | fi 52 | 53 | ## For debugging / Info. 54 | cat "$WHONIX_SOURCES_LIST_TEMP_INITIAL_DEB_SOURCES_LIST" 55 | 56 | ## Copy which (frozen) sources.list will be used for building Whonix into the image (or machine). 57 | cp "$whonix_build_sources_list_primary" "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/build_sources.list" 58 | 59 | ## For debugging / Info. 60 | cat "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/build_sources.list" 61 | 62 | sync 63 | 64 | ## For debugging / Info. 65 | ls -la "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER" 66 | ls -la "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER" 67 | } 68 | 69 | main "$@" 70 | -------------------------------------------------------------------------------- /help-steps/delete-qcow: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | source "$MYDIR/pre" 14 | source "$MYDIR/colors" 15 | source "$MYDIR/variables" 16 | 17 | main() { 18 | if [ -e "$binary_image_qcow2" ]; then 19 | rm "$binary_image_qcow2" 20 | fi 21 | sync 22 | } 23 | 24 | main "$@" 25 | -------------------------------------------------------------------------------- /help-steps/delete-vbox-vm: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 
set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

source "$MYDIR/pre"
source "$MYDIR/colors"
source "$MYDIR/variables"

## Powers off and unregisters the VirtualBox VM "$VMNAME", then removes its
## folder under "$HOMEVAR/VirtualBox VMs" and the old .ova image.
## NOTE(review): with an empty $VMNAME the folder path below is the whole
## "VirtualBox VMs" directory; presumably $VMNAME is always set by the sourced
## files. TODO confirm.
main() {
   local vm_folder="$HOMEVAR/VirtualBox VMs/$VMNAME"

   ## Turning off the VM without saving. Failure is ignored.
   sudo $SUDO_OPTS VBoxManage controlvm "$VMNAME" poweroff || true
   sync

   ## Delete old Whonix-Gateway. Failure is ignored.
   sudo $SUDO_OPTS VBoxManage unregistervm "$VMNAME" --delete || true
   sync

   ## The "VBoxManage unregistervm --delete" does not do its job,
   ## we have to manually delete the VM folder.
   if [ -d "$vm_folder" ]; then
      rm -r "$vm_folder"
   fi
   sync

   ## Delete old ova.
   if [ -e "$binary_image_ova" ]; then
      rm "$binary_image_ova"
   fi
   sync
}

main "$@"
--------------------------------------------------------------------------------
/help-steps/git_sanity_test:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

## This file can be executed or sourced. The setup below and the main() call
## at the bottom only run when it is executed.
if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then
   script_was_sourced="true"
else
   script_was_sourced="false"
fi

if [ "$script_was_sourced" = "false" ]; then
   set -x
   set -e

   true "INFO: Currently running script: $BASH_SOURCE $@"

   MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

   cd "$MYDIR"
   cd ..
   cd help-steps

   whonix_build_one_parsed="1"
   VMNAME="internalrun"

   source pre
   source colors
   source variables
fi

## Consumes leading "--allow-untagged <true|false>" and
## "--allow-uncommitted <true|false>" pairs and stops at the first other
## argument. "true" exports whonix_build_ignore_untagged or
## whonix_build_ignore_uncommitted; any value other than true/false prints an
## error and exits 1.
git_sanity_test_parse_cmd() {
   true "INFO: $FUNCNAME | args: $@"
   while :
   do
      case $1 in
         --allow-untagged)
            case "$2" in
               false)
                  true "${cyan}INFO: Would stop if building form untagged commits.${reset}"
                  ;;
               true)
                  true "${cyan}INFO: Would build form untagged commits.${reset}"
                  export whonix_build_ignore_untagged="true"
                  ;;
               *)
                  echo "${red}${bold}ERROR: supported options for --allow-untagged are 'true' or 'false'.${reset}"
                  exit 1
                  ;;
            esac
            shift 2
            ;;
         --allow-uncommitted)
            case "$2" in
               false)
                  true "${cyan}INFO: Would stop if uncommitted changes detected.${reset}"
                  ;;
               true)
                  true "${cyan}INFO: Would ignore if uncommitted changes detected.${reset}"
                  export whonix_build_ignore_uncommitted="true"
                  ;;
               *)
                  echo "${red}${bold}ERROR: supported options for --allow-uncommitted are 'true' or 'false'.${reset}"
                  exit 1
                  ;;
            esac
            shift 2
            ;;
         *)
            break
            ;;
      esac
   done
}

## Shows (in the xtrace log) the two switches that relax the checks below.
git_sanity_test_hint() {
   true "${cyan}$BASH_SOURCE INFO: (As a developer or advanced user you might want to use:)${reset}
${bold}${under}--allow-untagged true${eunder} ${under}--allow-uncommitted true${eunder}${reset}
"
}

## Calls error unless HEAD is exactly a tagged commit or
## whonix_build_ignore_untagged is "true".
## The nearest tag name is compared with the full description of HEAD; the two
## are equal only when no commits lie between the tag and HEAD.
## NOTE(review): this shows that HEAD sits on a tag, not that the tag carries
## a valid signature from a trusted key. That verification is left to the
## build documentation the message below refers to. "git describe" without
## --tags considers annotated tags only.
git_sanity_test_check_for_untagged_commits() {
   git_tag_nearest="$(git describe --always --abbrev=0)"
   git_tag_current="$(git describe --always --abbrev=1000000000)"

   ## Example git_tag_nearest:
   ## 9.6

   ## Example git_tag_current:
   ## 10.0.0.3.7-developers-only-6-g505c39d44d2a08451f7ff53ce67d78745e05816b

   true "${cyan}$BASH_SOURCE INFO: git_tag_nearest: $git_tag_nearest ${reset}"
   true "${cyan}$BASH_SOURCE INFO: git_tag_current: $git_tag_current ${reset}"

   if [ "$git_tag_nearest" == "$git_tag_current" ]; then
      true "${cyan}$BASH_SOURCE INFO: Git reports tagged commit. ${reset}"
      return 0
   fi

   if [ "$whonix_build_ignore_untagged" = "true" ]; then
      true "${bold}${cyan}$BASH_SOURCE INFO: Git reports a untagged commit! But you requested to ignore untagged commits, continuing... ${reset}"
      return 0
   fi

   true "${bold}${red}---------------------------------------------------------------------${reset}"
   true "${bold}${red}$BASH_SOURCE ERROR: Git reports a untagged commit! ${reset}"
   true "${cyan}$BASH_SOURCE INFO: (And you are not using ${under}--allow-untagged true${eunder}, \
which you also should not do for security reasons, unless you are a developer or advanced user and know what you are doing. \
Such as in case you added custom commits.) ${reset}"
   git_sanity_test_hint
   true "${cyan}$BASH_SOURCE INFO: (See build documentation on how to verify and checkout git tags.)${reset}"
   true "${bold}${red}---------------------------------------------------------------------${reset}"

   ## error is not defined in this file; presumably it comes from the sourced
   ## help-steps files.
   error "Untagged commit! See above!"
   true
}

## Calls error when "git status --porcelain" prints anything (modified, staged
## or untracked files) unless whonix_build_ignore_uncommitted is "true".
## Either way "git status" and a dry-run "git clean" are run for the log.
git_sanity_test_check_for_uncommitted_changes() {
   if [ -z "$(git status --porcelain)" ]; then
      return 0
   fi

   if [ "$whonix_build_ignore_uncommitted" = "true" ]; then
      true "${bold}${cyan}$BASH_SOURCE INFO: Git reports uncommitted changes! But you requested to ignore uncommitted changes, continuing... ${reset}"
      true "${cyan}$BASH_SOURCE INFO: Running \"git status\" for debugging. ${reset}"
      git status
      true "${cyan}$BASH_SOURCE INFO: Running git \"clean -d --force --force --dry-run\" for debugging. ${reset}"
      git clean -d --force --force --dry-run
      true
      return 0
   fi

   true "${bold}${red}---------------------------------------------------------------------${reset}"
   true "${bold}${red}$BASH_SOURCE ERROR: Git reports uncommitted changes! ${reset}"
   true "${cyan}$BASH_SOURCE INFO: (And you are not using ${under}--allow-uncommitted true${eunder}, \
which you also should not do for security reasons, unless you are a developer or advanced user and know what you are doing. \
Such as in case you added custom code.) ${reset}"
   git_sanity_test_hint
   true "${cyan}$BASH_SOURCE INFO: Running \"git status\" for your convenience. ${reset}"
   git status
   true "${cyan}$BASH_SOURCE INFO: Running git \"clean -d --force --force --dry-run\" for your convenience. ${reset}"
   git clean -d --force --force --dry-run
   true "${cyan}$BASH_SOURCE You most likely like to run:${reset}
${under}$WHONIX_SOURCE_HELP_STEPS_FOLDER/cleanup-files${eunder}
${cyan}or if you know what you are doing:${reset}
${under}git clean -d --force --force${eunder}
${under}git reset --hard${eunder}
"
   true "${bold}${red}---------------------------------------------------------------------${reset}"

   error "Uncommitted changes! See above!"
   true
}

## Entry point: parse the switches, then run both checks in order.
git_sanity_test_main() {
   git_sanity_test_parse_cmd "$@"
   git_sanity_test_check_for_untagged_commits
   git_sanity_test_check_for_uncommitted_changes
}

if [ "$script_was_sourced" = "false" ]; then
   main() {
      git_sanity_test_main "$@"
   }
   main "$@"
fi
--------------------------------------------------------------------------------
/help-steps/gpg_test_sign:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

## Change into the directory of this script, then up one level.
cd "$MYDIR"
cd ..
15 | cd help-steps 16 | 17 | whonix_build_one_parsed="1" 18 | VMNAME="internalrun" 19 | 20 | source pre 21 | source colors 22 | source variables 23 | 24 | main() { 25 | echo "test" > "$WHONIX_BINARY/test_sign_file" 26 | chown "$user_name:$user_name" "$WHONIX_BINARY/test_sign_file" 27 | sudo $SUDO_OPTS $gpg_bin --detach-sign --armor --yes --output "$WHONIX_BINARY/test_sign_file.asc" "$WHONIX_BINARY/test_sign_file" 28 | sudo $SUDO_OPTS $gpg_bin --verify "$WHONIX_BINARY/test_sign_file.asc" "$WHONIX_BINARY/test_sign_file" 29 | rm "$WHONIX_BINARY/test_sign_file" 30 | rm "$WHONIX_BINARY/test_sign_file.asc" 31 | } 32 | 33 | main "$@" 34 | -------------------------------------------------------------------------------- /help-steps/mount-raw: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then 7 | script_was_sourced="true" 8 | else 9 | script_was_sourced="false" 10 | fi 11 | 12 | if [ "$script_was_sourced" = "false" ]; then 13 | set -x 14 | set -e 15 | 16 | true "INFO: Currently running script: $BASH_SOURCE $@" 17 | 18 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 19 | 20 | source "$MYDIR/pre" 21 | source "$MYDIR/colors" 22 | source "$MYDIR/variables" 23 | 24 | error_handler_mount-raw() { 25 | : echo " 26 | ${red}${bold}BASH_COMMAND${reset}: $BASH_COMMAND 27 | ${red}${bold}ERROR $BASH_SOURCE: | caller: $(caller)${reset} 28 | " 29 | exit 1 30 | } 31 | fi 32 | 33 | mount_raw() { 34 | if [ "$script_was_sourced" = "false" ]; then 35 | trap "error_handler_mount-raw" ERR INT TERM 36 | fi 37 | 38 | if [ "$mount_folder" = "" ]; then 39 | true 40 | else 41 | ## hack for help-steps/analyze-image 42 | CHROOT_FOLDER="$mount_folder" 43 | fi 44 | 45 | sync 46 | 47 | if [ "$WHONIX_BUILD_MOUNT_RAW_FILE" = "" ]; then 48 | local img="$binary_image_raw" 49 | else 50 | local 
img="$WHONIX_BUILD_MOUNT_RAW_FILE" 51 | fi 52 | 53 | ## Debugging. 54 | losetup --all 55 | sync 56 | 57 | sleep 2 & 58 | wait "$!" 59 | 60 | ## Better not use this, because this can lead to a kpartx bug: 61 | ## "ioctl: LOOP_CLR_FD: Device or resource busy" 62 | ## Difficult to reproduce. 63 | ## Debugging. 64 | #kpartx -l -s -v "$img" 65 | #sync 66 | 67 | local kpartx_output a b device 68 | kpartx_output="$(kpartx -a -s -v "$img" 2>&1)" 69 | sync 70 | 71 | if [ "$kpartx_output" = "" ]; then 72 | local msg="kpartx did not output anything." 73 | error "$msg" 74 | fi 75 | 76 | ## Debugging. 77 | losetup --all 78 | sync 79 | 80 | read a b device _ <<< "$kpartx_output" 81 | dev_mapper_device="/dev/mapper/$device" 82 | 83 | if [ "$kpartx_only" = "true" ]; then 84 | true "kpartx_only=$kpartx_only, skipping creating and mounting $CHROOT_FOLDER." 85 | return 0 86 | fi 87 | 88 | sudo $SUDO_OPTS mkdir --parents "$CHROOT_FOLDER" 89 | sync 90 | 91 | mount "$dev_mapper_device" "$CHROOT_FOLDER" 92 | sync 93 | } 94 | 95 | if [ "$script_was_sourced" = "false" ]; then 96 | main() { 97 | root_check 98 | if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then 99 | true "${green}INFO: Skipping script, because ANON_BUILD_INSTALL_TO_ROOT=1: $BASH_SOURCE${reset}" 100 | exit 0 101 | else 102 | mount_raw 103 | fi 104 | } 105 | main "$@" 106 | fi 107 | -------------------------------------------------------------------------------- /help-steps/package-sign-cmd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | 5 | true "${bold}INFO: Currently running script: $BASH_SOURCE $@${reset}" 6 | 7 | ## Last resort only. 8 | #export GPG_AGENT_INFO=/tmp/gpg-ayQ880/S.gpg-agent:5863:1 9 | 10 | ## Idea, hopefully not required. 
11 | #source /home/user/.gnupg/gpg-agent-info-host 12 | 13 | gpg_exit_code="0" 14 | 15 | gpg \ 16 | --no-options \ 17 | --no-emit-version \ 18 | --no-comments \ 19 | --display-charset utf-8 \ 20 | --personal-digest-preferences SHA512 \ 21 | --cert-digest-algo SHA512 \ 22 | --default-preference-list "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" \ 23 | --keyserver-options no-honor-keyserver-url \ 24 | --fixed-list-mode \ 25 | --keyid-format 0xlong \ 26 | --list-options show-uid-validity \ 27 | --sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g \ 28 | --no-default-keyring \ 29 | "$@" 30 | 31 | gpg_exit_code="$?" 32 | 33 | if [ "$gpg_exit_code" = "0" ]; then 34 | true "${bold}INFO: End of: $BASH_SOURCE | $whonix_build_error_counter error(s) detected. (benchmark: skipped)${reset}" 35 | else 36 | true "${bold}${red}INFO: End of: $BASH_SOURCE ERROR detected. (benchmark: skipped)${reset}" 37 | fi 38 | 39 | exit "$gpg_exit_code" 40 | -------------------------------------------------------------------------------- /help-steps/pbuilder-chroot-script: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2017 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "${bold}INFO: Currently running pbuilder chroot script.${reset}" 10 | 11 | set -o pipefail 12 | ## TODO 13 | #set -o nounset 14 | 15 | ## Debugging. 16 | cat "/home/$user_name/pbuilder_config_file" 17 | 18 | source "/home/$user_name/pbuilder_config_file" 19 | 20 | if [ "$whonix_build_unsafe_io" = "true" ]; then 21 | #if ! test -h /usr/lib/libeatmydata.so ; then 22 | #ln -s /usr/lib/x86_64-linux-gnu/libeatmydata.so /usr/lib/libeatmydata.so || true 23 | #fi 24 | ## Debugging. 
25 | #ls -la /usr/lib/libeatmydata.so || true 26 | 27 | echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup 28 | cat /etc/dpkg/dpkg.cfg.d/02apt-speedup 29 | fi 30 | 31 | ## Debugging. 32 | true "apt_unattended_opts: $apt_unattended_opts" 33 | 34 | ## Debugging. 35 | cat /etc/apt/sources.list 36 | true "\${APTGETOPT[@]}: 37 | ${APTGETOPT[@]}" 38 | 39 | if test -f /var/lib/dpkg/available ; then 40 | true "INFO: /var/lib/dpkg/available exists." 41 | else 42 | true "INFO: /var/lib/dpkg/available does not yet exist." 43 | fi 44 | 45 | ## /var/lib/dpkg/available is missing after running mmdebstrap. 46 | ## aptitude does not like that. 47 | ## Leading to cowbuilder issue during make deb-pkg. 48 | ## Exerpt: 49 | ## 50 | ## Setting up pbuilder-satisfydepends-dummy (0.invalid.0) ... 51 | ## ++ chroot /var/cache/pbuilder/build/cow.6916 cow-shell env XDG_CACHE_HOME=/root aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::ProblemResolver::StepScore=100 -o 'Aptitude::ProblemResolver::Hints::KeepDummy=reject pbuilder-satisfydepends-dummy :UNINST' -o Aptitude::ProblemResolver::Keep-All-Level=55000 -o Aptitude::ProblemResolver::Remove-Essential-Level=maximum install pbuilder-satisfydepends-dummy 52 | ## [ ERR] Writing extended state information 53 | ## [ ERR] Building tag database 54 | ## E: Failed to execute process to save dpkg selections, dpkg or trying to execute it exited with status/errno: 2 55 | ## E: failed to save selections to dpkg database 56 | ## E: pbuilder-satisfydepends failed 57 | ## 58 | ## The workaround is to run 'dpkg --clear-avail' followed by "apt-get update", 59 | ## which regenerates /var/lib/dpkg/available. 60 | ## 61 | ## No longer required in Debian bullseye. 
62 | #dpkg --clear-avail 63 | 64 | ## generate /var/lib/dpkg/available 65 | ## Inspired by Chris Gibson who pointed at /usr/lib/dpkg/methods/apt/update 66 | ## https://unix.stackexchange.com/users/162231/chris-gibson 67 | ## https://unix.stackexchange.com/a/271387/49297 68 | #/usr/lib/dpkg/methods/apt/update /var/lib/dpkg apt apt 69 | 70 | apt-get ${APTGETOPT[@]} $apt_unattended_opts --yes dist-upgrade 71 | 72 | ## Sanity test for above aptitude issue. 73 | test -f /var/lib/dpkg/available 74 | stat --printf="%s" /var/lib/dpkg/available 75 | 76 | # adduser --no-create-home --home /nonexistent --quiet --system --group "$user_name" 77 | # chown --recursive "$user_name:$user_name" "/home/$user_name" 78 | # 79 | # pushd "/home/$user_name" 80 | # pushd genmkfile 81 | # 82 | # ## set 'make_use_cowbuilder=false' because we cannot build the 83 | # ## cowbuilder image itself using cowbuilder. 84 | # 85 | # sudo $SUDO_OPTS make_use_cowbuilder=false make_use_debsign=false make deb-pkg 86 | # make_use_cowbuilder=false make_use_debsign=false make deb-install 87 | # 88 | # popd 89 | # popd 90 | 91 | true "${bold}INFO: End of script pbuilder chroot script.${reset}" 92 | -------------------------------------------------------------------------------- /help-steps/pbuilder-debootstrap-command-filter: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2017 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | ## This script fixes the interaction between multiple tools. 7 | ## 8 | ## - `cowbuilder` hardcodes setting '--buildplace'. 9 | ## 10 | ## - `pbuilder` sets by default '--force-check-gpg'. 11 | ## (This could also be sorted in `whonix_build_pbuilder_config_file`.) 12 | ## - `pbuilder` `/usr/lib/pbuilder/pbuilder-createbuildenv` hardcodes calling `${DEBOOTSTRAP}`. 13 | ## 14 | ## - `mmdebstrap` does not support '--force-check-gpg'. 
## - `mmdebstrap` requires the parameters in a certain order.

set -x
set -e

true "${bold}INFO: Currently running $0.${reset}"

## All arguments joined into one space-separated string.
## NOTE(review): this loses the boundaries between arguments, so an argument
## that itself contains whitespace cannot be told apart afterwards.
args="$@"

## Example $@:
## --include=apt --variant=buildd --force-check-gpg bullseye /var/cache/pbuilder/base.cow http://ftp.us.debian.org/debian

## Debugging.
true "BUILDPLACE: $BUILDPLACE"
true "whonix_build_sources_list_primary: $whonix_build_sources_list_primary"
true "http_proxy: $http_proxy"
true "REPO_PROXY: ${REPO_PROXY}"
true "APTGETOPT: $APTGETOPT"
true "BUILD_TARGET_ARCH: $BUILD_TARGET_ARCH"

## Literal strings removed from $args, in this order.
## NOTE(review): removal is by substring, not by whole argument. For example
## "--include=apt,sudo" would be left as ",sudo".
args_filter_list=(
   ## default mirror by cowbuilder or pbuilder (if we were not using --mirror)
   "http://ftp.us.debian.org/debian"
   "https://ftp.us.debian.org/debian"

   ## default mirror by grml-debootstrap
   "http://httpredir.debian.org/debian"
   "https://httpredir.debian.org/debian"
   "http://deb.debian.org/debian"
   "https://deb.debian.org/debian"

   ## --mirror
   "$whonix_build_apt_sources_mirror"

   ## variable BUILDPLACE (set by pbuilder) because we need to adjust the
   ## order of arguments
   "$BUILDPLACE"

   ## --force-check-gpg (set by cowbuilder or pbuilder) since mmdebstrap does
   ## this by default and therefore does not support that command
   "--force-check-gpg"

   ## --verbose (set by grml-debootstrap) since we add it ourselves.
   "--verbose"

   ## --include=apt (set by cowbuilder or pbuilder) since we will use our own
   ## --include switch.
   "--include=apt"
)

for args_filter_item in "${args_filter_list[@]}" ; do
   args="${args//"$args_filter_item"}"
done

## Default to default --variant. Decide which packages are to be installed using --include.
61 | args="${args//"--variant=buildd"}" 62 | 63 | ## example args: 64 | ## bullseye 65 | 66 | true "args: $args" 67 | 68 | if [ "$BUILDPLACE" = "" ]; then 69 | true "$0: probably called by called by grml-debootstrap" 70 | 71 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/mmdebstrap" \ 72 | --verbose \ 73 | --debug \ 74 | --variant=required \ 75 | --architectures="$whonix_build_multiarch_package_item" \ 76 | --aptopt="$whonix_aptgetop_file" \ 77 | $args 78 | 79 | ## example: 80 | ## mmdebstrap --verbose --debug --architectures=amd64 --aptopt=/home/user/whonix_binary/aptgetopt.conf --arch amd64 --include=eatmydata,apt-transport-tor,gnupg2 bullseye /mnt/debootstrap.15557 /home/user/Whonix/build_sources/debian_stable_current_clearnet.list 81 | else 82 | true "$0: probably called by called by pbuilder" 83 | 84 | ## build dependencies 85 | include_opt="--include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,eatmydata,aptitude,cowdancer,fasttrack-archive-keyring" 86 | 87 | cat "$whonix_aptgetop_file" 88 | 89 | "$WHONIX_SOURCE_HELP_STEPS_FOLDER/mmdebstrap" \ 90 | --verbose \ 91 | --debug \ 92 | --variant=required \ 93 | --architectures="$whonix_build_multiarch_package_item" \ 94 | --aptopt="$whonix_aptgetop_file" \ 95 | $include_opt \ 96 | $args \ 97 | "$BUILDPLACE" 98 | 99 | #"$whonix_build_sources_list_primary" 100 | fi 101 | 102 | ## example: 103 | ## mmdebstrap bullseye /var/cache/pbuilder/base.cow /home/user/whonix_dot/Whonix/build_sources/debian_stable_current_clearnet.list 104 | 105 | true "${bold}INFO: End of script $0.${reset}" 106 | -------------------------------------------------------------------------------- /help-steps/pbuilder-hooks/G10sources_list_restore.bsh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2017 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 
5 | 6 | ## `pbuilder` component `/usr/lib/pbuilder/pbuilder-createbuildenv` 7 | ## unfortunately runs function `installaptlines` after `${DEBOOTSTRAP}`, 8 | ## which uses a different sources list. This pbuilder hook script restores 9 | ## Whonix build APT sources list. 10 | 11 | set -x 12 | set -e 13 | 14 | true "${bold}INFO: Currently running $0.${reset}" 15 | 16 | echo "$whonix_build_sources_list_primary_contents" > "/etc/apt/sources.list" 17 | 18 | ## Debugging. 19 | cat "/etc/apt/sources.list" 20 | 21 | true "${bold}INFO: End of script $0.${reset}" 22 | -------------------------------------------------------------------------------- /help-steps/policy-rc.d: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | ## Prevents daemons from starting while using apt-get. 7 | ## Takes care of chroot mount from getting locked. 8 | 9 | ## Therefore for example prevents connecting to the public Tor network while 10 | ## building the images. This is interesting for (obfuscated) bridge users and 11 | ## also prevents sensitive data from the build machine, such as the Tor 12 | ## consensus /var/lib/tor leaking into the image. 13 | 14 | ## This file gets deleted by the build script at the end. 15 | 16 | ## Thanks to 17 | ## http://lifeonubuntu.com/how-to-prevent-server-daemons-from-starting-during-apt-get-install/ 18 | 19 | exit 101 20 | -------------------------------------------------------------------------------- /help-steps/prevent-daemons-from-starting: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

source "$MYDIR/pre"
source "$MYDIR/colors"
source "$MYDIR/variables"

## Error/signal handler, installed by main() below.
## The message is an argument to ':' (the null command), so it is not
## printed by echo. It only becomes visible through the 'set -x' trace.
## Always exits with status 1.
error_handler_prevent_daemons_from_starting() {
   : echo "
${red}${bold}BASH_COMMAND${reset}: $BASH_COMMAND
${red}${bold}ERROR $BASH_SOURCE: | caller: $(caller)${reset}
"
   exit 1
}

## Installs help-steps/policy-rc.d as /usr/sbin/policy-rc.d inside
## $CHROOT_FOLDER, so daemons are not started inside the chroot.
## root_check is not defined in this file; presumably it comes from one of
## the sourced helpers - confirm.
main() {
   trap "error_handler_prevent_daemons_from_starting" ERR INT TERM

   root_check

   sync

   echo "$FUNCNAME: copy policy-rc.d into /usr/sbin/ to prevent daemons from starting."

   ## NOTE(review): If $CHROOT_FOLDER were empty, the destination would be
   ## the build host's own /usr/sbin/policy-rc.d. No check for that is
   ## visible in this script.
   cp --preserve --verbose "$WHONIX_SOURCE_HELP_STEPS_FOLDER/policy-rc.d" "$CHROOT_FOLDER"/usr/sbin/policy-rc.d

   sync
}

main "$@"

--------------------------------------------------------------------------------
/help-steps/remove-local-temp-apt-repo:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## Copyright (C) 2018 Algernon
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

source "$MYDIR/pre"
source "$MYDIR/colors"
source "$MYDIR/variables"

## Removes the temporary APT sources list files used during the build and,
## if set, the derivative repository key file inside the chroot.
## 'rm --force' does not fail when a file is already absent.
main() {
   root_check

   rm --force "$WHONIX_SOURCES_LIST_TEMP_INITIAL_DEB_SOURCES_LIST"
   rm --force "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/build_sources.list"
   rm --force "$CHROOT_FOLDER/$WHONIX_SOURCES_LIST_TEMP_BUILD_FOLDER/qubes-builder.list"

   ## Exists only when using:
   ## build_remote_derivative_pkgs=true / --remote-derivative-packages true
   if [ ! "$apt_target_key_derivative" = "" ]; then
      rm --force "$CHROOT_FOLDER/$apt_target_key_derivative"
   fi

   ## "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER" gets unmounted in help-steps/unchroot script.
}

main "$@"

--------------------------------------------------------------------------------
/help-steps/repo_download_chroot_script:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x

set -e

true "INFO: (hardcoded) this script is: help-steps/repo_download_script"
true "INFO: \$0: $0 | \$@; $@"

## Under 'set -e' the script aborts here if the temporary sources list does
## not exist.
test -f "$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list"

cat "$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list"

true "APTGETOPT_ALT: $APTGETOPT_ALT"

## Delete the binary version in case it is there.
## NOTE(review): The file removed here has the '.asc' name, the same name
## the key is copied to below - confirm that this is the intended file.
rm -f "/etc/apt/trusted.gpg.d/newer.asc"

## A key placed in /etc/apt/trusted.gpg.d/ is trusted by APT for every
## configured source, not only for newer.list.
## NOTE(review): The gpg call below only displays the key and its
## fingerprint. Nothing in this script compares the fingerprint with an
## expected value.
if [ -f "$if_no_pbuilder_base_folder/tmp/temporary-repository/repo_signing_key.asc" ]; then
   cp --verbose "$if_no_pbuilder_base_folder/tmp/temporary-repository/repo_signing_key.asc" "/etc/apt/trusted.gpg.d/newer.asc"
   ## Fix for:
   ## The key(s) in the keyring /etc/apt/trusted.gpg.d/newer.asc are ignored as the file is not readable by user '_apt' executing apt-key.
   chmod o+r "/etc/apt/trusted.gpg.d/newer.asc"
   ## Debugging.
   gpg --keyid-format long --import --import-options show-only --with-fingerprint "/etc/apt/trusted.gpg.d/newer.asc"
fi

if [ "$temp_newer_packages" = "" ]; then
   echo "ERROR $0: temp_newer_packages is empty!"
   exit 1
fi

## Downloads further below are written into this directory.
pushd "$temp_newer_packages"

## Use dpkg multiarch so we can download other architectures than the build host's one using apt-get.
## $architecture_list is left unquoted so that it is split into one word
## per architecture.
for architecture in $architecture_list ; do
   dpkg --add-architecture "$architecture"
done

## Refresh package lists using only the temporary sources list.
## $APTGETOPT_ALT and $apt_unattended_opts are left unquoted, so they undergo
## word splitting; presumably each holds several options - confirm.
## Dir::Etc::sourceparts="-" presumably keeps APT from reading
## sources.list.d - confirm.
## NOTE(review): Whether repository signatures are enforced depends on the
## options in $APTGETOPT_ALT / $apt_unattended_opts, which are not visible
## in this script.
apt-get \
   $APTGETOPT_ALT \
   $apt_unattended_opts \
   -o Dir::Etc::sourcelist="$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list" \
   -o Dir::Etc::sourceparts="-" \
   update

# apt-cache \
# $APTGETOPT_ALT \
# $apt_unattended_opts \
# -o Dir::Etc::sourcelist="$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list" \
# -o Dir::Etc::sourceparts="-" \
# show $newer_package_list || true

#apt-config \
#$APTGETOPT_ALT \
#$apt_unattended_opts \
#-o Dir::Etc::sourcelist="$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list" \
#-o Dir::Etc::sourceparts="-"
#dump

#ls /var/lib/apt/lists/

## Download the binary packages named in $newer_package_list (unquoted, one
## word per package) into the current directory.
apt-get \
   $APTGETOPT_ALT \
   $apt_unattended_opts \
   -o Dir::Etc::sourcelist="$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list" \
   -o Dir::Etc::sourceparts="-" \
   download \
   $newer_package_list

## Optionally also fetch the source packages, without unpacking them
## (--download-only).
if [ "$download_source_package" = "true" ]; then
   apt-get \
      $APTGETOPT_ALT \
      $apt_unattended_opts \
      --yes \
      --download-only \
      -o Dir::Etc::sourcelist="$if_no_pbuilder_base_folder/tmp/temporary-repository/newer.list" \
      -o Dir::Etc::sourceparts="-" \
      source \
      $newer_package_list
fi

## Leave the directory entered with pushd earlier in this script.
popd

--------------------------------------------------------------------------------
/help-steps/udevadm:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.
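
set -x

true "$0 (dummy script by Whonix build script) called with the following args: $@"

--------------------------------------------------------------------------------
/help-steps/umount_kill.sh:
--------------------------------------------------------------------------------
#!/bin/bash -e

#
# Written by Jason Mehring (nrgaway@gmail.com)
# Modified by Patrick Schleizer (adrelanos@whonix.org)
#
# Kills any processes within the mounted location and
# unmounts any mounts active within.
#
# To keep the actual mount mounted, add a '/' to end
#
# $1: directory to umount
#
# Examples:
# To kill all processes and mounts within 'chroot-jessie' but keep
# 'chroot-jessie' mounted:
#
# ./umount_kill.sh chroot-jessie/
#
# To kill all processes and mounts within 'chroot-jessie' AND also
# umount 'chroot-jessie' mount:
#
# ./umount_kill.sh chroot-jessie
#

# Kill processes that hold files open below a mount point and unmount
# everything mounted below it.
#
# $1 = full path to mount;
# $2 = if set will not umount; only kill processes in mount
#
# Returns 1 without touching anything when $1 is empty or resolves to '/',
# because either case would select far more than one chroot.
umount_kill() {
    MOUNTDIR="$1"

    # An empty argument would otherwise be turned into "${PWD}/" below and
    # act on everything mounted under the current directory.
    if [ -z "$MOUNTDIR" ]; then
        echo "umount_kill: no directory given, refusing to continue." >&2
        return 1
    fi

    # We need absolute paths here so we don't kill everything
    if ! [[ "$MOUNTDIR" = /* ]]; then
        MOUNTDIR="${PWD}/${MOUNTDIR}"
    fi

    # Collapse every run of slashes ('/') into a single one since we are
    # doing an exact string match on the path. One trailing slash, if
    # given, is kept; it is what excludes the mount point itself.
    MOUNTDIR=$(echo "$MOUNTDIR" | sed 's#//*#/#g')

    # '/' is a prefix of every mount point. This is reached for example
    # when a caller passes "$SOME_FOLDER/" while the variable is empty.
    if [ "$MOUNTDIR" = "/" ]; then
        echo "umount_kill: refusing to operate on '/'." >&2
        return 1
    fi

    echo "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting"
    # Deepest mount points first (sort -r), so nested mounts are released
    # before their parents.
    for dir in $(cut -f2 -d" " /proc/mounts | sort -r)
    do
        # Literal prefix match. The path is not treated as a regular
        # expression, so a '.' in it cannot match other mount points.
        [[ "$dir" == "$MOUNTDIR"* ]] || continue

        # NOTE(review): 'tail -n +2' drops the first line that is left
        # after grep - confirm that this cannot skip a real process.
        pids=$(lsof "$dir" 2> /dev/null | \
            grep -F -- "$dir" | \
            tail -n +2 | \
            awk '{print $2}')

        if [ "$pids" = "" ]; then
            echo "Okay, no pids still running in '$MOUNTDIR', no need to kill any."
        else
            echo "Okay, the following pids are still running inside '$MOUNTDIR', which will now be killed."
            # $pids is left unquoted on purpose: one argument per pid.
            ps -p $pids
            kill -9 $pids
        fi

        if ! [ "$2" ] && mountpoint -q "$dir"; then
            echo "un-mounting $dir"
            # Fall back to a lazy unmount (-l) if the normal one fails.
            umount -n "$dir" 2> /dev/null || \
                umount -n -l "$dir" 2> /dev/null || \
                echo "umount $dir unsuccessful!"
        elif ! [ "$2" ]; then
            # Look for (deleted) mountpoints
            echo "not a regular mount point: $dir"
            base=$(basename "$dir")
            dir=$(dirname "$dir")
            # Cut the name at the first backslash.
            base=$(echo "$base" | sed 's/[\].*$//')
            dir="$dir/$base"
            umount -v -f -n "$dir" 2> /dev/null || \
                umount -v -f -n -l "$dir" 2> /dev/null || \
                echo "umount $dir unsuccessful!"
        fi
    done
}

# Only kill the processes below $1; the non-empty second argument makes
# umount_kill skip all unmounting. Failures are ignored on purpose.
kill_processes_in_mount() {
    umount_kill "$1" "false" || :
}

# Run only when executed under its own name with an argument, not when
# sourced by another script.
if [ "$(basename "$0")" = "umount_kill.sh" ] && [ -n "$1" ]; then
    umount_kill "$1"
fi

--------------------------------------------------------------------------------
/help-steps/unchroot-raw:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.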

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

source "$MYDIR/pre"
source "$MYDIR/colors"
source "$MYDIR/variables"

## Error/signal handler, installed by main() below.
## The message is an argument to ':' (the null command), so it only shows
## up in the 'set -x' trace. Always exits with status 1.
error_handler_unchroot-raw() {
   : echo "
${red}${bold}BASH_COMMAND${reset}: $BASH_COMMAND
${red}${bold}ERROR $BASH_SOURCE: | caller: $(caller)${reset}
"
   exit 1
}

## Releases the mounts below $CHROOT_FOLDER and kills processes still
## running inside it. Every umount is followed by '|| true', so a mount
## that is not present does not abort the script.
main() {
   trap "error_handler_unchroot-raw" ERR INT TERM

   root_check

   sync || true

   if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then
      true
   else
      umount "$CHROOT_FOLDER"/dev/pts || true
      umount "$CHROOT_FOLDER"/dev || true
      umount "$CHROOT_FOLDER"/proc || true
      umount "$CHROOT_FOLDER"/sys || true

      ## {{{
      umount "$CHROOT_FOLDER/usr/bin/udevadm" || true
      rm --force "$CHROOT_FOLDER/usr/bin/udevadm" || true
      ## }}}
   fi

   umount "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER" || true

   rmdir --ignore-fail-on-non-empty "$CHROOT_FOLDER/$DEB_INSTALL_FOLDER" || true

   ## Also possibly unmount .backup file for bare metal builds.
   umount "$CHROOT_FOLDER"/etc/resolv.conf || true
   umount "$CHROOT_FOLDER"/etc/hosts || true
   umount "$CHROOT_FOLDER"/etc/hostname || true
   umount "$CHROOT_FOLDER"/etc/network/interfaces || true

   if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then
      ## $CHROOT_FOLDER would be /, not wise to kill all
      true
   else
      ## kill dbus-launch when building Non-Qubes-Whonix inside a Qubes Debian template
      ## The trailing '/' is important to prevent umounting $CHROOT_FOLDER itself.
      ## NOTE(review): If $CHROOT_FOLDER were empty, the argument would be '/'.
      ## No check for an empty $CHROOT_FOLDER is visible in this script.
      "$MYDIR/umount_kill.sh" "$CHROOT_FOLDER/"
   fi

   sync || true
}

main "$@"

--------------------------------------------------------------------------------
/help-steps/unmount-raw:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

source "$MYDIR/pre"
source "$MYDIR/colors"
source "$MYDIR/variables"

## Error/signal handler, installed by unmount_raw() below.
## The message is an argument to 'true', so it only shows up in the
## 'set -x' trace. Always exits with status 1.
errorhandlerunmount-raw() {
   true "${red}${bold}BASH_COMMAND${reset}: $BASH_COMMAND
${red}${bold}ERROR $BASH_SOURCE: | caller: $(caller)${reset}"
   exit 1
}

## Kills processes below $CHROOT_FOLDER, unmounts it, removes the kpartx
## mappings of the raw image and deletes the then empty mount point.
## With kpartx_only=true the unmount, the directory listing and the rmdir
## are skipped.
unmount_raw() {
   trap "errorhandlerunmount-raw" ERR INT TERM

   if [ "$mount_folder" = "" ]; then
      true
   else
      ## hack for help-steps/analyze-image
      CHROOT_FOLDER="$mount_folder"
   fi

   sync

   ## kill gpg-agent
   ## The trailing '/' is important to prevent umounting $CHROOT_FOLDER itself.
   "$MYDIR/umount_kill.sh" "$CHROOT_FOLDER/"

   sync
   ## Sleep to work around some obscure bug.
   ## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734794
   ## Could also try as a workaround:
   ## dmsetup ls
   ## dmsetup remove $device
   sleep 2 &
   wait "$!"
   sync

   if [ "$kpartx_only" = "true" ]; then
      true "INFO: kpartx_only=$kpartx_only, skipping unmount $CHROOT_FOLDER"
   else
      umount "$CHROOT_FOLDER"
      sync
   fi

   ## $WHONIX_BUILD_MOUNT_RAW_FILE, when set, overrides the default image.
   if [ "$WHONIX_BUILD_MOUNT_RAW_FILE" = "" ]; then
      local img="$binary_image_raw"
   else
      local img="$WHONIX_BUILD_MOUNT_RAW_FILE"
   fi

   ## Sleep to work around some obscure bug.
   ## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734794
   sleep 2 &
   wait "$!"
   sync

   ## Debugging.
   losetup --all
   sync

   kpartx -d -s -v "$img"
   sync

   ## Debugging.
   losetup --all
   sync

   if [ "$kpartx_only" = "true" ]; then
      true "INFO: kpartx_only=$kpartx_only, skipping debugging: ls -la $CHROOT_FOLDER"
   else
      ls -la "$CHROOT_FOLDER"
   fi

   if [ "$kpartx_only" = "true" ]; then
      true "INFO: kpartx_only=$kpartx_only, skipping rmdir."
   else
      ## Delete temporary folder.
      ## It did not contain anything. It was only a mount point.
      rmdir "$CHROOT_FOLDER" || true
      sync
   fi
}

## Entry point. Does nothing for ANON_BUILD_INSTALL_TO_ROOT=1 builds.
main() {
   root_check
   if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then
      true "${green}INFO: Skipping script, because ANON_BUILD_INSTALL_TO_ROOT=1: $BASH_SOURCE${reset}"
      exit 0
   else
      unmount_raw
   fi
}

main "$@"

--------------------------------------------------------------------------------
/help-steps/unprevent-daemons-from-starting:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

set -x
set -e

true "INFO: Currently running script: $BASH_SOURCE $@"

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

source "$MYDIR/pre"
source "$MYDIR/colors"
source "$MYDIR/variables"

## Removes /usr/sbin/policy-rc.d from $CHROOT_FOLDER again, so the file
## that blocks daemon starts does not remain in the image.
## Best effort: every command is followed by '|| true'.
main() {
   root_check

   sync || true

   rm --verbose --force "$CHROOT_FOLDER"/usr/sbin/policy-rc.d || true
   sync || true
}

main "$@"

--------------------------------------------------------------------------------
/help-steps/vm-exists-test:
--------------------------------------------------------------------------------
#!/bin/bash

## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.
5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | cd .. 15 | cd help-steps 16 | 17 | source pre 18 | source colors 19 | source variables 20 | 21 | main() { 22 | if [ "$WHONIX_BUILD_INTERNALRUN" = "1" ]; then 23 | true "${cyan}INFO: WHONIX_BUILD_INTERNALRUN=$WHONIX_BUILD_INTERNALRUN, skipping check, ok.${reset}" 24 | return 0 25 | fi 26 | 27 | true "${cyan}INFO: Checking, if a VirtualBox VM named $VMNAME already exists...${reset}" 28 | 29 | ## For example, we are checking if there is a VM named Whonix-Gateway or 30 | ## Whonix-Workstation in VirtualBox. There must be for example no VM named 31 | ## Whonix-Gateway in Virtual Box, because in the create-vbox-vm step we will 32 | ## create a VM named Whonix-Gateway. This would not be possible, if a VM 33 | ## with that name would be already in VirtualBox. 34 | 35 | ## We are checking this here and not in the create-vbox-vm step, because it 36 | ## is better to break the build at this early stage rather than after the 37 | ## majority of the build time, which would be demotivating for the builder. 38 | 39 | local vboxmanage_exit_code 40 | vboxmanage_exit_code="0" 41 | ## Do not use sudo -E or it will fail. 42 | sudo $SUDO_OPTS VBoxManage showvminfo "$VMNAME" >/dev/null 2>/dev/null || { vboxmanage_exit_code="$?" ; true; }; 43 | 44 | if [ "$vboxmanage_exit_code" = "0" ]; then 45 | true "${bold}${red}$BASH_SOURCE ERROR: $VMNAME already exists! ${reset}" 46 | true "${cyan}$BASH_SOURCE You most likely want to delete already existing Virtual Machines. 47 | (Feel free to comment this check out, if you know what you are doing.) 
48 | To delete $VMNAME, run:${reset} 49 | sudo $build_script_main --clean --target virtualbox --flavor $WHONIX_BUILD_FLAVOR 50 | 51 | To delete both virtual machines, use: 52 | 53 | sudo $build_script_main --clean --target virtualbox --flavor whonix-gateway-${WHONIX_BUILD_DESKTOP} 54 | sudo $build_script_main --clean --target virtualbox --flavor whonix-workstation-${WHONIX_BUILD_DESKTOP} 55 | 56 | ${bold}${red}WARNING${reset}: This will delete the virtual machine(s) from VirtualBox as well!" 57 | error "A VirtualBox VM named $VMNAME already exists!" 58 | else 59 | true "${cyan}INFO: Done, no VirtualBox VM named $VMNAME does exist, ok.${reset}" 60 | fi 61 | 62 | true "${cyan}INFO: Checking, if an VirtualBox ova file $binary_image_ova already exists...${reset}" 63 | 64 | ## For example, we are checking if there is a VirtualBox ova file 65 | ## /home/user/whonix_binary/15.0.1.6.7/Kicksecure-XFCE-15.0.1.6.7.ova 66 | ## already exists. There must be no such file, because otherwise the build 67 | ## would fail later. 68 | 69 | ## We are checking this here and not in the create-vbox-vm step, because it 70 | ## is better to break the build at this early stage rather than after the 71 | ## majority of the build time, which would be demotivating for the builder. 72 | 73 | ## Although the above test using "VBoxManage showvminfo" already passed at 74 | ## this point, it could be the case, that the builder manually deleted the 75 | ## VirtualBox VM but forgot to delete the ova from whonxi_binary folder. 76 | 77 | if [ -e "$binary_image_ova" ]; then 78 | true "${bold}${red}$BASH_SOURCE ERROR: VirtualBox ova file $binary_image_ova already exists! ${reset}" 79 | true "${cyan}$BASH_SOURCE You most likely want to delete already existing ova files. 80 | (Feel free to comment this check out, if you know what you are doing.) 
81 | To delete $VMNAME, run:${reset} 82 | sudo ./whonix_build --clean --target virtualbox --flavor $WHONIX_BUILD_FLAVOR 83 | 84 | To delete both virtual machines, use: 85 | 86 | sudo ./whonix_build --clean --target virtualbox --flavor whonix-gateway 87 | sudo ./whonix_build --clean --target virtualbox --flavor whonix-workstation 88 | 89 | ${bold}${red}WARNING${reset}: This will delete the virtual machine(s) from VirtualBox as well!" 90 | error "A VirtualBox ova file $binary_image_ova already exists!" 91 | else 92 | true "${cyan}INFO: Done, no VirtualBox ova file $binary_image_ova exist, ok.${reset}" 93 | fi 94 | 95 | ## }} 96 | } 97 | 98 | main "$@" 99 | -------------------------------------------------------------------------------- /iso/grub-embedded.cfg: -------------------------------------------------------------------------------- 1 | search --no-floppy --set=root --file /boot/grub/grub.cfg 2 | set prefix=($root)/boot/grub 3 | -------------------------------------------------------------------------------- /iso/grub.cfg: -------------------------------------------------------------------------------- 1 | insmod all_video 2 | 3 | set default="0" 4 | set timeout=10 5 | 6 | menuentry "Whonix-Host Live" { 7 | linux /live/vmlinuz boot=live spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy 8 | initrd /live/initrd 9 | } 10 | -------------------------------------------------------------------------------- /iso/isolinux.cfg: -------------------------------------------------------------------------------- 1 | UI menu.c32 2 | 3 | prompt 0 4 | menu title Boot Menu 5 | 6 | timeout 30 7 | 8 | label Whonix-Host Live 9 | menu label ^Whonix-Host Live 10 | menu default 11 | kernel /live/vmlinuz 12 | append 
initrd=/live/initrd boot=live spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy 13 | text help 14 | Boot Whonix-Host Live 15 | endtext 16 | 17 | label Whonix-Host Live Quiet 18 | menu label ^Whonix-Host Live (Quiet / Silent Boot) 19 | menu default 20 | kernel /live/vmlinuz 21 | append initrd=/live/initrd boot=live spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy quiet 22 | text help 23 | Boot Whonix-Host Live with the quiet flag to hide kernel messages 24 | endtext 25 | 26 | label hdt 27 | menu label ^Hardware Detection Tool (HDT) 28 | kernel hdt.c32 29 | text help 30 | HDT displays low-level information about the systems hardware 31 | endtext 32 | 33 | label memtest86+ 34 | menu label ^Memory Failure Detection (memtest86+) 35 | kernel /live/memtest 36 | text help 37 | Test system memory 38 | endtext 39 | -------------------------------------------------------------------------------- /make-helper-overrides.bsh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## workaround for 4 | ## "rerunning 'make get-sources' breaks Qubes Builder" 5 | ## https://phabricator.whonix.org/T415 6 | 7 | get-sources() { 8 | true ............... 9 | } 10 | 11 | verify-sources() { 12 | true ............... 
13 | } 14 | -------------------------------------------------------------------------------- /whonix_build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | set -x 7 | set -e 8 | 9 | true "INFO: Currently running script: $BASH_SOURCE $@" 10 | 11 | MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 12 | 13 | cd "$MYDIR" 14 | 15 | source ./help-steps/pre 16 | source ./help-steps/colors 17 | 18 | error_handler_whonix_build_one() { 19 | true "${red}${bold}ERROR in $0${reset}" 20 | true "${red}${bold}BASH_COMMAND${reset}: $BASH_COMMAND" 21 | true "${red}${bold}whonix_build_one_build_step_current${reset}: $whonix_build_one_build_step_current" 22 | true "${red}args: $args${reset}" 23 | true "${red}${bold}INFO: Now exiting from $0 (because error was detected, see above).${reset}" 24 | exit 1 25 | } 26 | 27 | trap "error_handler_whonix_build_one" ERR 28 | 29 | export WHONIX_BUILD_ONE_SCRIPT_STARTED="1" 30 | 31 | whonix_build_preparation() { 32 | cd help-steps 33 | 34 | source parse-cmd 35 | whonix_build_one_parse_cmd "$@" 36 | export whonix_build_one_parsed="1" 37 | 38 | cd .. 39 | } 40 | 41 | whonix_build_machine() { 42 | run-parts --verbose --test ./build-steps.d 43 | 44 | ## Not using: 45 | #run-parts --verbose --exit-on-error ./build-steps.d 46 | ## Because of an issue, 47 | ## "run-parts, trap INT, read error": 48 | ## https://lists.gnu.org/archive/html/help-bash/2015-03/msg00066.html 49 | 50 | for whonix_build_one_build_step_current in ./build-steps.d/*; do 51 | if [ -x "$whonix_build_one_build_step_current" ]; then 52 | ## If the last character is a ~, ignore that file, 53 | ## because it was created by some editor, 54 | ## which creates backup files. 55 | if [ "${whonix_build_one_build_step_current: -1}" = "~" ]; then 56 | continue 57 | fi 58 | ## Skipping files such as .dpkg-old and .dpkg-dist. 
59 | if ( echo "$whonix_build_one_build_step_current" | grep -q ".dpkg-" ); then 60 | true "skip $whonix_build_one_build_step_current" 61 | continue 62 | fi 63 | true "${cyan}${bold}${under}############################################################${reset}" 64 | true "${cyan}${bold}${under}############################################################${reset}" 65 | true "${cyan}${bold}${under}############################################################${reset}" 66 | true "${cyan}${bold}${under}INFO: BEGIN: whonix_build_one_build_step_current: $whonix_build_one_build_step_current${reset}" 67 | "./$whonix_build_one_build_step_current" 68 | true "${cyan}${bold}${under}INFO: END : whonix_build_one_build_step_current: $whonix_build_one_build_step_current${reset}" 69 | true "${cyan}${bold}${under}############################################################${reset}" 70 | true "${cyan}${bold}${under}############################################################${reset}" 71 | true "${cyan}${bold}${under}############################################################${reset}" 72 | fi 73 | done 74 | } 75 | 76 | whonix_build_clean() { 77 | local cleaned_up 78 | ## Fallback 79 | cleaned_up="false" 80 | 81 | if [ "$WHONIX_BUILD_VIRTUALBOX" = "true" ]; then 82 | cleaned_up="true" 83 | ./help-steps/delete-vbox-vm 84 | fi 85 | ## TODO: WHONIX_BUILD_RAW 86 | # if [ "$WHONIX_BUILD_RAW" = "true" ]; then 87 | # cleaned_up="true" 88 | # ./help-steps/delete-raw 89 | # fi 90 | if [ "$WHONIX_BUILD_QCOW2" = "true" ]; then 91 | cleaned_up="true" 92 | ./help-steps/delete-qcow 93 | fi 94 | if [ "$ANON_BUILD_INSTALL_TO_ROOT" = "1" ]; then 95 | error "${red}${bold}For --flavor root builds, --clean is not implemented.${reset}" 96 | fi 97 | 98 | if [ "$cleaned_up" = "false" ]; then 99 | parse_cmd_target_error 100 | fi 101 | } 102 | 103 | main() { 104 | root_check 105 | 106 | args=""$@"" 107 | 108 | whonix_build_preparation "$@" 109 | 110 | ## XXX 111 | trap "error_handler_whonix_build_one" ERR 112 | 
trap - INT 113 | trap - TERM 114 | 115 | if [ "$WHONIX_BUILD_CLEAN" = "1" ]; then 116 | whonix_build_clean 117 | elif [ "$WHONIX_BUILD_BUILD" = "1" ]; then 118 | whonix_build_machine 119 | else 120 | true "${bold}${red}ERROR $BASH_SOURCE: You must either use --build or --clean. ${reset}" 121 | exit 1 122 | fi 123 | } 124 | 125 | main "$@" 126 | --------------------------------------------------------------------------------