Upgrading Kicksecure Deb Packages from Source Code
Introduction[edit]
This assumes you are updating Kicksecure debian packages while you are using Kicksecure.
Prerequisites[edit]
Might be a good idea to create a backup and/or clone before trying to update.
If you haven't done already, disable Kicksecure APT repository. [1]
sudo repository-dist --disable
Upgrade from Debian packages.
sudo apt update && sudo apt --yes full-upgrade
Get the Source Code[edit]
Get the Signing Key[edit]
This step is recommended for better security, but is not strictly required. (See Trust)
Get the Source Code[edit]
Install git.
sudo apt update && sudo apt install git
Get the source code including git submodules. [2] [3]
Note: Replace 17.0.4.5-stable
with the actual tag you want to build.
git clone --depth=1 --branch 17.0.4.5-stable --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Kicksecure/derivative-maker.git
Change Directory[edit]
Get into the Kicksecure
source code folder because later on package build commands using ./derivative-maker
are expected to be run from the root of the source folder.
cd derivative-maker
OpenPGP Verify the Source Code[edit]
This chapter is recommended for better security, but is not strictly required. (See Trust.)
Change directly into source code folder.
cd derivative-maker
Git fetch. [4]
git fetch
Verify the chosen tag to build. Replace with tag you want to build.
git verify-tag 17.0.4.5-stable
The output should look similar to this.
type commit tag 17.0.4.5 tagger Patrick Schleizer <adrelanos@kicksecure.com> 1392320095 +0000
. gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [ultimate]The warning.
Is explained on the Kicksecure Signing Key page and can be safely ignored.
By convention, git tags should point to signed git commits. [6] (forum discussion) It is advisable to verify the signature of the git commit as well (replace
17.0.4.5
with the actual git tag being verified).
git verify-commit 17.0.4.5-stable^{commit}
The output should look similar to this.
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [ultimate] Author: Patrick Schleizer <adrelanos@kicksecure.com> Date: Sun Dec 7 01:22:22 2014 +0000
.Choose Version[edit]
Retrieve a list of available git tags.
git --no-pager tag
Use git checkout to select the preferred version to build.
git checkout --recurse-submodules 17.0.4.5-stable
Replace 17.0.4.5-stable
with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Kicksecure News Blog as it might contain information.
Check if you really got the version you want.
git describe
Should show:
17.0.4.5-stable
Check if source folder is pristine.
git status
Should show nothing.
HEAD detached at 17.0.4.5-stable
nothing to commit, working tree clean
If it shows something else, do not continue.
Check Git[edit]
Check if you really got the version you want.
git describe
The output should show.
Check if the source folder is pristine.
git status
The output should show nothing.
nothing to commit, working tree clean
If it shows something else, do not continue.
Build Dependencies[edit]
Get all build dependencies.
sudo -E ./build-steps.d/1100_prepare-build-machine --internalrun --build --target root
Why --target root
? This is correct, if you want to know why, see footnote. [7]
Create the Packages[edit]
If you're not debugging, create the packages with:
sudo -E ./build-steps.d/1200_create-debian-packages --build --internalrun --target root
If debugging, use the following command. Developers only! [8] Potentially insecure unless the untagged / uncommited changes are by you or by a trusted developer with a git gpg signature that you verified.
sudo -E ./build-steps.d/1200_create-debian-packages --build --allow-untagged true --allow-uncommitted true --internalrun --target root
Upgrade Kicksecure Debian Packages[edit]
Upgrade Kicksecure Debian Packages without contacting a Kicksecure APT Repository, using your own locally created apt package repository.
For Kicksecure.
sudo ./packages/kicksecure/developer-meta-files/debug-steps/locally-upgrade-derivative-debian-packages --build --target root --flavor whonix-gateway
For Kicksecure.
sudo ./packages/kicksecure/developer-meta-files/debug-steps/locally-upgrade-derivative-debian-packages --build --target root --flavor whonix-workstation
There will be a lot debug output. [10]
If everything went well, you will see [11] [12]
########################################################################
## INFO: Successfully configured (postinst script) Kicksecure. #
########################################################################
The last few highlighted messages will be similar to:
+ true 'INFO: Skipping script, because --target root: /home/user/whonix_dot/Kicksecure/help-steps/unmount-img'
+ true 'INFO: End of: ./debug-steps/locally-upgrade-derivative-debian-packages | exit_code: 0 | error(s) detected: 0 | benchmark: 00:01:40'
In case any error is caught, the script will loudly complain by echoing in a red colored error message:
ERROR in ./debug-steps/locally-upgrade-derivative-debian-packages! Aborted.
Lets hope it works well. Please get in Contact should there be any issues. Leave feedback if you are using this, if it worked for you, which issues you may have had, so these instructions can be updated.
Cleanup[edit]
OPTIONAL!
Remove temporary files.
WARNING: This will run git clean -d --force --force
in derivative-maker's main source code folder (
~/derivative-maker
) as well as in all sub folders of the Whonix packages folder
~/derivative-maker/packages
. This means, if you knowingly added any files to any of these folders that have not been committed to git, these will be deleted.
./help-steps/cleanup-files
See Also[edit]
Footnotes[edit]
- ↑ Project-APT-Repository#Disable_Kicksecure_APT_Repository
- ↑
Optional
git
parameters:--depth=1
: Used to speed up download.--branch 17.0.4.5-stable
Usability. Used to speed up download.--jobs=4
: Used to speed up download.--recurse-submodules --shallow-submodules
: Usability.
git
users are free to drop any of these optional parameters. - ↑ Alternatively, this can be achieved with the following commands in several steps. This is useful if network issues arise. git clone --depth=1 --branch 17.0.4.5-stable https://github.com/Kicksecure/derivative-maker.git cd derivative-maker git submodule update --init --recursive --progress --jobs=4
- ↑ Optional. [...]
- ↑ As defined by TUF: Attacks and Weaknesses:
- ↑ Beginning from git tag 9.6 and above.
- ↑ Setting the
--target
parameter toroot
will result in installing fewer build dependencies. For example VirtualBox will not be installed. These are only required to build full images, but since we just want to create updated Kicksecure Debian Packages, this is unnecessary. Not much harm done when forgetting to use--target root
, because the user is free to remove any build dependencies later. - ↑ Packages are possibly not matching the quality for redistributable testes or stable builds. This is because the package will potentially built from git master, which has no proper debian/changelog release version, and no signed git tag. There may be another package of that version in the repository that is different. Distinguishing these packages is hard and would cause confusion. Therefore this is considered unclean and only developers may do this for debugging purposes.
- ↑ Why use
--target root
"? Technical explanation:--target root
in context of Kicksecure source code means "do it on the system currently running, i.e. do it directly on the root folder "/[...]", don't do it inside "vm_image/[...]". - ↑ Unless you log in as root and run
export WHONIX_DEB_DEBUG=0
. - ↑ Or saying Kicksecure respectively
- ↑ It won't, if you have
export WHONIX_DEB_DEBUG=0
set. - ↑
https://github.com/Kicksecure/derivative-maker/blob/master/help-steps/cleanup-files
Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!