Download Docs News Forums

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Your support makes all the difference!

We believe security software like Kicksecure needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!

Introduction[edit]

This page documents how to build Kicksecure ™ VM (Virtual Machine) images for VirtualBox (.ova) or KVM (.qcow2) "from source code".

For Kicksecure ™ for Qubes, see Kicksecure ™ for Qubes Build Documentation.

Building from source code as security advantages (see Trust).

The goal of this build documentation is to be usable by as many users as possible. Therefore written as easy as possible with no prior knowledge of tools used required.

The high level summary is:

1. Host preparation.
2. Get Kicksecure ™ source code (which includes Kicksecure ™ build script).
3. Run Kicksecure ™ build script.
4. Done, build of Kicksecure ™ has been completed.

Advanced users that already know how to use git and how to perform digital software verification using OpenPGP (gpg) do not need to strictly follow this documentation. See footnote(s) for details. ^[1]

Due to digital software verification instructions and Software Signature Verification Usability Issues these instructions might look more complicated then they actually are.

Steps concerning digital software verification are pointed out as "This step is recommended for better security, but is not strictly required. (See Trust.)"

When verifying digital software signatures, these instructions will be slightly more complicated but therefore even more secure.

1. Host preparation.
2. Get Kicksecure ™ source code (which includes Kicksecure ™ build script).
3. Verify digital software signatures.
4. Run Kicksecure ™ build script
5. Done, build of Kicksecure ™ has been completed.

Host Preparation[edit]

Expand all Collapse all

Host Preparation Notices[edit]

• operating system: You need to build on Debian bullseye, such as Kicksecure ™ 16 or a Debian bullseye VM.
• disk space: You need ~ 30 GB free disk space.
• RAM: You need ~ 4 GB free RAM.
  • Might actually work with a lot less RAM.
  • Might actually work with less RAM if you have swap.
• linux user account: Do not build under user root. Login regular as user user. Do not use sudo to run derivative-maker because this is handled by the build script.
• build place notice: You cannot build on Kicksecure ™ (due to networking issues).
• build logs: Build logs: If using a GUI (graphical user interface) it is recommended to set your terminal (for example xfce4-terminal) to unlimited scrollback, so you can watch the full build log and share it for support in case there are issues.
• private files in source code warning: Do not add private files to Kicksecure ™ source code folder! [...]

• Exiting VMs name collision warning: Make sure there aren't any VMs in VirtualBox (inside your build machine) already called Kicksecure ™ or Kicksecure ™!

• Parallel builds unsupported warning: Do not try to build Kicksecure ™ and Kicksecure ™ at the same time!

• CI warning: Do not use images created inside Continuous Integration (CI) environments for anything besides testing!

true

Host Preparation Steps[edit]

1. build dependencies:

Install build dependencies and get the source code.

Update the package lists.

sudo apt update

Install build dependencies.

sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring

2. Platform specific notices:

• VirtualBox: Install VirtualBox on the build machine as per recommended VirtualBox version. ^[2]
• Other platforms: No special notice.

3. sudo setup:

Chose either Option A or Option B.

Choose Version[edit]

Get the Signing Key[edit]

This step is recommended for better security, but is not strictly required. (See Trust)

Get Kicksecure ™ Signing Key.

Get the Source Code[edit]

FREE

Install git.

sudo apt update && sudo apt install git

Get the source code including git submodules. ^{[4] [5]}

Note: Replace 16.0.9.8-stable with the actual tag you want to build.

git clone --depth=1 --branch 16.0.9.8-stable --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Kicksecure/derivative-maker.git

Change Directory[edit]

Get into Kicksecure source code folder because later on package build commands using ./derivative-maker are expected to be run from the root of the source folder.

cd derivative-maker/

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust.)

Change directly into source code folder.

cd derivative-maker

Git fetch. ^[6]

git fetch

Verify the chosen tag to build. Replace with tag you want to build.

git verify-tag 16.0.9.8-stable

The output should look similar to this.

The warning.

Is explained on the Kicksecure ™ Signing Key page and can be safely ignored.

By convention, git tags should point to signed git commits. ^[8] (forum discussion) It is advisable to verify the signature of the git commit as well (replace 16.0.9.8 with the actual git tag being verified).

git verify-commit 16.0.9.8-stable^{commit}

The output should look similar to this.

Checkout Version[edit]

Retrieve a list of available git tags.

git --no-pager tag

Use git checkout to select the preferred version to build.

git checkout --recurse-submodules 16.0.9.8-stable

Replace 16.0.9.8-stable with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Kicksecure ™ News Blog as it might contain information.

Check if you really got the version you want.

git describe

Should show:

16.0.9.8-stable

Check if source folder is pristine.

git status

Should show nothing.

HEAD detached at 16.0.9.8-stable
nothing to commit, working tree clean

If it shows something else, do not continue.

Check Git[edit]

Check if you really got the version you want.

git describe

The output should show.

Check if the source folder is pristine.

git status

The output should show nothing.

If it shows something else, do not continue.

VM Creation[edit]

Mandatory. The following build targets are available.

• --target virtualbox creates VirtualBox VMs.
• --target qcow2 creates .qcow2 images for KVM and QEMU.
• --target raw creates .raw images.
• --target root is for Physical Isolation Build Documentation.
• --target utm , preliminary support, tested on Mac M1 (--arch arm64) with QEMU. ^[9]
• --target virtualbox , --target qcow2 , and --target raw can be combined to build multiple images at once.

Mandatory. Choose a flavor.

• --flavor kicksecure-gateway-cli
• --flavor kicksecure-gateway-xfce
• --flavor kicksecure-workstation-cli
• --flavor kicksecure-workstation-xfce

Optional. Choose a target CPU architecture.

• --arch amd64 default, best tested.
• --arch i386 is untested. ^[10]
• --arch arm64
• Potentially others. ^[11]

Optional. Enable Kicksecure ™ APT repository inside the images. ^[12] See Trust. This is done for official Kicksecure ™ redistributeable builds.

--repo true

See also Optional Build Configuration.

Note: These instructions use VirtualBox as an example, assume you have the Kicksecure ™ source code in your home folder (~/derivative-maker).

Delete any existing Kicksecure ™ virtual machine with the following command. Warning: This will delete any virtual machine named Kicksecure ™ from VirtualBox installed on your build machine!

~/Kicksecure/derivative-maker --flavor kicksecure-gateway-xfce --target virtualbox --clean

Delete any existing Kicksecure ™ virtual machine with the following command. Warning: This will delete any virtual machine named Kicksecure ™ from VirtualBox installed on your build machine!

~/Kicksecure/derivative-maker --flavor kicksecure-workstation-xfce --target virtualbox --clean

Build a Kicksecure ™ virtual machine image.

~/Kicksecure/derivative-maker --flavor kicksecure-gateway-xfce --target virtualbox --build

Build a Kicksecure ™ virtual machine image.

~/Kicksecure/derivative-maker --flavor kicksecure-workstation-xfce --target virtualbox --build

While building, you might see a few Expected Build Warnings.

VM Build Result[edit]

• VirtualBox: The newly created VMs can be seen in VirtualBox user interface and in the usual VirtualBox data folders.
• KVM, QEMU, raw images: The resulting .qcow2 and/or .raw images can be found in ~/whonix_binary folder.

Most users have completed the build process at this point, can start using Kicksecure ™ and skip the rest of this page.

Unified Images[edit]

Optional: Creation of (unified) .ova image(s) for Kicksecure ™ VirtualBox or libvirt.xz archives for Kicksecure ™ KVM. This might only be interesting if the goal is Redistribution of images to third parties such as the public.

There are two options.

• A) Automated, a bit difficult (since it expects preexisting signing keys), using prepare_release script, OR
• B) Manually.
  • VirtualBox: Using the VirtualBox graphical or command line interface VM export feature could be used. ^[13]
  • KVM: Manually.

Prepare Release[edit]

prepare_release is useful for:

• Creation of a unified .ova image or libvirt.xz archive
• Creation of torrent files.
• Creation of hash sum files.
• Creation of digital software signatures.
  • OpenPGP (gpg) signatures
  • signify signatures
• Adding the license agreement.
• Adding the disclaimer.
• Redistribution.
• Example: sudo -E /home/user/derivative-maker/packages/kicksecure/developer-meta-files/release/prepare_release --build --target virtualbox --flavor whonix-workstation-xfce

For private builds, i.e. for builds which are not supposed to be redistributed to others, none of this is important. If any of this was important, it could also be done manually.

Footnotes[edit]

----

Kicksecure ™ A secure by default operating system with the latest security research in place.

Donate

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

Dark mode

At Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.

Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.

The personal opinions of moderators or contributors to the Kicksecure ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Kicksecure ENCRYPTED SUPPORT LP, 2023

Donate

Kicksecure is free from corporate interest by being user funded. Thank you so much!

Scan the QR code or use the wallet address below.