Kicksecure VM Build Documentation

From Kicksecure
Jump to navigation Jump to search

Instructions to build Kicksecure Virtual Machine Images from Source Code.

Introduction[edit]

This page documents how to build Kicksecure VM (Virtual Machine) images for VirtualBox (.ova) or KVM (.qcow2) "from source code". Most users do not build Kicksecure from source code but instead download Kicksecure.

For Kicksecure for Qubes, see Kicksecure for Qubes Build Documentation.

Building from source code as security advantages (see Trust).

The goal of this build documentation is to be usable by as many users as possible. Therefore written as easy as possible with no prior knowledge of tools used required.

The high level summary is:

  1. Host preparation.
  2. Get derivative-maker source code.
  3. Run derivative-maker.
  4. Done, build of Kicksecure has been completed.

Advanced users that already know how to use git and how to perform digital software verification using OpenPGP (gpg) do not need to strictly follow this documentation. See footnote(s) for details. [1]

Due to digital software verification instructions and Software Signature Verification Usability Issues these instructions might look more complicated then they actually are.

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Kicksecure, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

Steps concerning digital software verification are pointed out as "This step is recommended for better security, but is not strictly required. (See Trust.)"

When verifying digital software signatures, these instructions will be slightly more complicated but therefore even more secure.

  1. Host preparation.
  2. Get Kicksecure source code (which includes Kicksecure build script).
  3. Verify digital software signatures.
  4. Run Kicksecure build script
  5. Done, build of Kicksecure has been completed.

Host Preparation[edit]

Host Preparation Notices[edit]

  • operating system: You need to build on a Debian bookworm based operating system, such as Kicksecure 17 or a Debian bookworm VM.
  • disk space: You need ~ 30 GB free disk space.
  • RAM: You need ~ 4 GB free RAM.
    • Might actually work with a lot less RAM.
    • Might actually work with less RAM if you have swap.
  • linux user account: Do not build under user root. Login regular as user user. Do not use sudo to run derivative-maker because becoming root when necessary is handled by the build script.
  • build place notice: You cannot build on Kicksecure (due to networking issues).
  • build logs: Build logs: If using a GUI (graphical user interface) it is recommended to set your terminal (for example xfce4-terminal) to unlimited scrollback, so you can watch the full build log and share it for support in case there are issues.

...

  • private files in source code warning: Do not add private files to Kicksecure source code folder! [...]

Unless you know what you are doing. Technically, it would work. This is recommended against. Those files would get managed by the respective package. When you later update Kicksecure debian packages, your files would get deleted by the package manager. Also adding private files to Kicksecure source code folder, later contributing to Kicksecure development and accidentally pushing the wrong git branch would be a disaster. Better add your private files to Kicksecure after building Kicksecure. Or add a custom build step adding your files, which then get copied from a folder outside of Kicksecure source folder. See "Source Code Changes" in "Optional Build Configuration" below.

  • parallel builds unsupported warning: Do not try to build Kicksecure and Kicksecure at the same time!

Building Kicksecure and Kicksecure at the same time is not supported due to limitations in the build script. In other words, do not try to run for example ~/derivative-maker/derivative-maker --flavor whonix-gateway -- --target virtualbox and ~/derivative-maker/derivative-maker --flavor whonix-workstation -- --target virtualbox at the same time. The build would probably fail.

  • CI warning: Do not use images created inside Continuous Integration (CI) environments for anything besides testing!

Usually you are not using CIarchive.org environments without knowing.

You can find out if you are running inside a CI environment by running.

echo "$CI"

If it shows nothing, i.e.


Everything is fine.

Otherwise, if it were to show.

true

Then do not use these images for anything besides testing.

Reason: https://github.com/Kicksecure/derivative-maker/blob/master/build-steps.d/1200_prepare-build-machinearchive.org

  • official builds: In case of creating official builds to be redistributed on kicksecure.com and not for personal use, press expand on the right side.

Prepend the following variable: dist_build_redistributable=true

sets:

  • --repo true
  • --tb closed

See also: Dev/Redistribution

Host Preparation Steps[edit]

1. build dependencies:

Install build dependencies and get the source code.

Update the package lists.

sudo apt update

Install build dependencies.

sudo apt install git time curl apt-cacher-ng lsb-release fakeroot dpkg-dev fasttrack-archive-keyring safe-rm

2. Platform specific notices:

3. sudo setup:

Choose either Option A or Option B.

Option A: passwordless sudo

Option A: Set up passwordless sudo.

  • Abstract task overview: Setup passwordless sudo for your Linux user account name.
  • Detailed task overview: Setup sudo and add your current linux user account to the linux user group sudo. The following instructions use Linux user account name user as an example. If the user is using a different Linux user account name such as myname then the commands below have to be adjusted accordingly.
  • Unspecific: Configuration of sudo is unspecific to Kicksecure.
  • Kicksecure specific: When building inside Kicksecure, user user is already a member of group sudo by default. Therefore the following step "1." can be skipped.
  • Detailed steps:

1. Setup sudoers. Add the operating system user name to sudoers.

Become root.

su

Add the user account to the sudoer's group. Replace user with the actual operating system user name.

sudo adduser user sudo

Reboot so group changes take effect.

reboot

2. Configure user user to be able to use sudo without a password.

echo '%sudo ALL=(ALL:ALL) NOPASSWD:ALL' | sudo EDITOR=tee visudo -f /etc/sudoers.d/dist-build-sudo-passwordless >/dev/null

3. Done.

The process of setting up passwordless sudo has been completed.

Option B: long sudo timeout

Option B: Set a longer sudo password timeout.

  • Abstract task overview: Setup sudo with a longer timeout for your Linux user account name.
  • Detailed task overview: Setup sudo and increase the sudo password timeout (four all Linux user accounts or all users). The following instructions use Linux user account name user as an example. If the user is using a different Linux user account name such as myname then the commands below have to be adjusted accordingly.
  • Unspecific: Configuration of sudo is unspecific to Kicksecure.
  • Kicksecure specific: When building inside Kicksecure, user user is already a member of group sudo by default. Therefore the following step "1." can be skipped.
  • Detailed steps:

1. Setup sudoers. Add the operating system user name to sudoers.

Become root.

su

Add the user account to the sudoer's group. Replace user with the actual operating system user name.

sudo adduser user sudo

Reboot so group changes take effect.

reboot

2. Configure user user to be able to use sudo without a password.

echo 'Defaults timestamp_timeout=30' | sudo EDITOR=tee visudo -f /etc/sudoers.d/dist-build-sudo-timeout >/dev/null

3. Done.

The process of setting up a longer sudo timeout has been completed.

Special Notice[edit]

None.

Choose Version[edit]

Kicksecure default admin password is: changeme Version Numbers Choice Information

1. Common sense is required when choosing the right version number.

2. For example, the latest available git tag version number is not necessarily the most stable or suitable.

3. Follow the Kicksecure News Blog as it might contain information.

4. This documentation will be using 17.2.8.0-stable as an example. Replace 17.2.8.0-stable with the actual version chosen for the build.

5. Git tags by convention:

  • have one of the following appendixes stable, testers-only or developers-only version.
  • For example:
    • 17.2.8.0-stable
    • 17.2.8.0-testers-only
    • 17.2.8.0-developers-only
  • all represent the very same source code. [3]

6. If there is only git tag 17.2.8.0-developers-only available but a stable release announcement has been published, then there is no need to wait for the creation of 17.2.8.0-stable since it actually has already been blessed stable, would contain the identical source code anyhow but just have a different git tag name.

Kicksecure default admin password is: changeme Version Numbers Choice Instructions

1. Go to https://forums.kicksecure.com/c/news/archive.org and look for the latest stable version number.

2. Compare with the stable version number mentioned in the wiki.

3. For example, if 17.2.8.0 has been announced in the forums and is available from the wiki, git tag 17.2.8.0-developers-only is avaialble but 17.2.8.0-stable is not, then 17.2.8.0-developers-only can be safely used.

Get the Signing Key[edit]

Info This step is recommended for better security, but is not strictly required. (See Trust.)

Get the Kicksecure Signing Key and import it.

Get the Source Code[edit]

FREE

Note: By proceeding, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

1. Install git.

sudo apt update && sudo apt install git

2. Get the source code including git submodules. [4] [5]

Note: Replace 17.2.8.0-stable with the actual tag you want to build.

git clone --depth=1 --branch 17.2.8.0-stable --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Kicksecure/derivative-maker.git

3. Check if above command succeeded.

If there have been errors such as:

fatal: unable to access 'https://github.com/.../': Could not resolve host: github.com

Or.

fatal: unable to access 'https://github.com/.../': gnutls_handshake() failed: The TLS connection was non-properly terminated. 

Then the download probably failed.

Checking if the download failed or succeeded can be done by checking the exit code.

Choose your shell.

Zsh in Kicksecure or Derivatives

If the last line contains something such as the following.

zsh: exit 1

Then do not proceed and see footnote. [6]

bash and other Shells

Show the exit code.

echo $?

Output should show.

0

If any other exit code is shown, do not proceed and see footnote. [6]

4. Done.

Git repository cloning has been completed.

Change Directory[edit]

Change directory to the derivative-maker source code folder because later on package build commands using ./derivative-maker are expected to be run from the root of the source folder.

cd derivative-maker

OpenPGP Verify the Source Code[edit]

This chapter is recommended for better security, but is not strictly required. (See Trust.)

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Kicksecure, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

1. Verify the chosen tag to build.

Note: Replace with tag you want to build.

git verify-tag 17.2.8.0-stable

2. Check the output of the verification step.

If the file is verified successfully, the output will include Good signature, which is the most important thing to check.

gpg: Good signature

This output might be followed by a warning as follows.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Kicksecure signing key and the web of trust. To remove this warning, the Kicksecure signing key must be personally signed with your own key.

warning Remember to check the GPG signature timestamp. For instance, if you previously saw a signature from 2023 and now see one from 2022, this could indicate a potential rollback (downgrade) or indefinite freeze attack.[7]

2. Verify the git commit to build. [8]

Note: Replace 17.2.8.0 with the actual git tag being verified.

git verify-commit 17.2.8.0-stable^{commit}

3. Check the output of the verification step.

4. Done.

Checkout Version[edit]

1. Retrieve a list of available git tags.

git --no-pager tag

2. Use git checkout to select the preferred version to build.

Note: Replace 17.2.8.0-stable with the actual version chosen for the build: the stable, testers-only or developers version. Common sense is required when choosing the right version number. For example, the latest available version number is not necessarily the most stable or suitable. Follow the Kicksecure News Blog as it might contain information.

git checkout --recurse-submodules 17.2.8.0-stable

3. Digital signature verification.

Optional. If you choose to perform digital signature verification above, you could verify the currently chosen commit ("HEAD") yet again for extra security.

git verify-commit HEAD

4. Done.

Version selection has been completed.

Check Git[edit]

1. Check if you really got the version you want.

git describe

The output should show.

17.2.8.0-stable

2. Check if source folder is pristine.

git status

Output should be the following.

  • A)

HEAD detached at 17.2.8.0-stable
nothing to commit, working tree clean

or,

  • B)
Not currently on any branch.
nothing to commit, working tree clean

If it shows something else, do not continue.

3. Done.

Build[edit]

1. Build target selection.

Mandatory The following build targets are available.

Choose a --target. Either option A), B), C) or D). [9] [10]

Option Build Target Comment Image Type Target Parameter
A) VirtualBox VMs Stable. .vdi --target virtualbox
B) KVM (and QEMU) KVM: Stable.; QEMU: unsupported .qcow2 --target qcow2
C) raw images Mostly interesting for developers / porters. .raw --target raw
D) UTM with QEMU [11] Tested on Mac M1, M2, ... testers only, --arch arm64. .raw --target utm
E) ISO Testers only. .iso --target iso

2. Flavor selection.

Mandatory. Choose a flavor.

  • --flavor kicksecure-cli
  • --flavor kicksecure-xfce

3. CPU target architecture selection.

Mandatory. Choose a target CPU architecture.

Option CPU Architecture Name Comment CPU Architecture Parameter
A) Intel and AMD64 [12] Default, best tested. --arch amd64
B) i386 Unsupported. [13] --arch i386
C) ARM64 Unsupported. --arch arm64
D) Others. Potentially. [14]

4. Kicksecure APT repository choice.

Optional. Enable Kicksecure APT repository inside the images. [15] See Trust. This is done for official Kicksecure redistributeable builds.

--repo true

5. Optional configurations.

Optional. See also Optional Build Configuration.

6. Notices.

  • These instructions assume you have the Kicksecure source code in your home folder (~/derivative-maker), and
  • use VirtualBox as an example.

7. build command:

  • A) Build a Kicksecure virtual machine image.
    • ~/derivative-maker/derivative-maker --flavor kicksecure-xfce --target virtualbox --repo true
  • B) Build a Kicksecure ISO image.
    • ~/derivative-maker/derivative-maker --flavor kicksecure-xfce --target iso --repo true

While building, you might see a few Expected Build Warnings.

Build Logs[edit]

Optional.

Mostly useful in case of build issues where sharing the build log is necessary for support.

If using:

  • A) GUI (graphical user interface): It is recommended to set your terminal (for example xfce4-terminal) to unlimited scrollback, so you can watch the full build log and share it for support in case there are issues.
  • B) CLI (command line user interface): In case there are build issues, it is recommended to redirect the build log to a text file. To do that, for example >> ~/build-log 2>&1 could be appended to the very end of the build command to redirect the build output to build log file ~/build-log.
    • Note: when using that command there will be no output in the terminal until the build is completed. This is as per Linux default and unspecific to Kicksecure. The build might not complete. In that case, that command would hang forever. To see if the build is stuck, it would be possible to open the build log file with a text editor. In that case, the file would have to be re-opened or refreshed to with F5 key to see new build output appended to the build log file. Or by using for example tail -n 100 -f ~/build-log 2>&1

VM Build Result[edit]

  • VirtualBox: The resulting .ova images can be found in ~/derivative-binary folder.
  • KVM, QEMU, raw images: The resulting .qcow2 and/or .raw images can be found in ~/derivative-binary folder.
  • ISO: The resulting .iso image can be found in ~/derivative-binary folder.

Most users have completed the build process at this point, can start using Kicksecure and skip the rest of this page.

Prepare Release[edit]

dm-prepare-releasearchive.org is useful for:

  • Creation of a unifiedarchive.org .ova image or libvirt.xz archive
  • Creation of torrent files.
  • Creation of hash sum files.
  • Creation of digital software signatures.
  • Adding the license agreement.
  • Adding the disclaimer.
  • Redistribution.
  • Example: dm-prepare-release --build --target virtualbox --flavor kicksecure-xfce

For private builds, i.e. for builds which are not supposed to be redistributed to others, none of this is important. If any of this was important, it could also be done manually.

Troubleshooting[edit]

Build repeatedly errors out with hash sum mismatch[edit]

If corrupted data is present on a Debian mirror during a build, apt will generate a hash sum mismatch error which will cause the build to fail. apt-cacher-ng will also have cached the corrupted file, meaning all subsequent builds will fail until apt-cacher-ng's cache is purged.

To purge the cache:

sudo systemctl stop apt-cacher-ng sudo rm -rf /var/cache/apt-cacher-ng sudo mkdir /var/cache/apt-cacher-ng sudo chown apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng sudo systemctl start apt-cacher-ng sudo systemctl status apt-cacher-ng

If apt-cacher-ng's status is active (running) after this, the cache purge is successful.

Footnotes[edit]

  1. For example, these instructions fetch only a specific git tag. If you know how to use git, you are of course free to git clone the whole repository and then use git verify-tag, git verify-commit, git checkout --quiet and git generally as per usual. The reason why more specific commands are being used on this page is to simplify the process for laymen, to make these instructions as fail-safe as possible.
  2. Due to technical challenges, see VirtualBox Installation Challenges.
  3. git diff 17.2.8.0-stable 17.2.8.0-developers-only
  4. Optional git parameters:
    • --depth=1: Used to speed up the download.
    • --branch 17.2.8.0-stable: Usability. Used to speed up the download.
    • --jobs=4: Used to speed up the download.
    • --recurse-submodules --shallow-submodules: Usability.
    Knowledgeable git users are free to drop any of these optional parameters.
  5. Alternatively, this can be achieved with the following commands in several steps. This is useful if network issues arise.
    • Over HTTPS:
      • git clone --depth=1 --branch 17.2.8.0-stable https://github.com/Kicksecure/derivative-maker.git
    • Over SSH.
      • Might work better over slow networks but requires a GitHub account and a configured SSH public key at GitHub. See footnote [A] below.
      • git clone --depth=1 --branch 17.2.8.0-stable git@github.com:Kicksecure/derivative-maker.git
    cd derivative-maker git submodule update --init --recursive --progress --jobs=4

    [A] GitHub SSH public key setup.

    1. You need to create an SSH public key.

    Undocumented.

    2. You view your your SSH public key.

    cat ~/.ssh/id_ed25519.pub

    3. Copy it.

    4. And paste your the SSH public key on GitHub.

    https://github.com/settings/keysarchive.org

  6. 6.0 6.1 Delete the derivative-maker source code folder and retry.
    sudo rm -r derivative-maker
    
  7. As defined by TUF: Attacks and Weaknesses:
  8. It is advisable to verify the signature of the git commit as well. By convention, git tags should point to signed git commits. Beginning from git tag 9.6 and above. (forum discussionarchive.org)
  9. Multiple build targets at the same time are also possible. --target virtualbox --target qcow2 --target raw
  10. Physical Isolation Build Documentation --target root
  11. info amd64 might imply AMD only. This is wrong.

    amd64 means Intel and AMD.

    For technical reasons, in Debian (and in many other Linux / Freedom Software related places) both, Intel and AMD, is called amd64. This is common knowledge without controversy among technical people, in doubt see Wikipedia X86-64archive.org.

  12. 32-bit or 64-bit?
    • Build script parameter --arch results in setting the BUILD_TARGET_ARCH build variable. If you inspect (grep tip) the build scripts for the variable name you can see other architectures might work but are untested.
    • porting Kicksecure to other platforms
  13. --repo true will set export build_remote_repo_enable="true" which results in setting
    DERIVATIVE_APT_REPOSITORY_OPTS="--enable --codename $derivative-maker_apt_stable_release"
    export DERIVATIVE_APT_REPOSITORY_OPTS
    

    derivative-maker_apt_stable_release defaults to bookworm and could optionally through a build configuration set to bookworm-proposed-updates, bookworm-testers or bookworm-developers.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!