Kicksecure-Qubes Security Documentation Virtualization Platform Security Previous page: Kicksecure-Qubes Security Index page: Documentation Next page: Virtualization Platform Security Installing Newer Tor Versions

How-to: Install Newer Versions of Tor

Introduction

Testers only.

Note that a later Tor version will not always be installed from either:

A) Install Tor from Backports, or
B) The Tor Project APT repository -- in the recent past, the Debian bullseye repositories for packages.debian.org and deb.torproject.org had identical Tor versions. In general, as the Debian stable release ages, the likelihood of receiving a newer Tor version from deb.torproject.org increases.

The Tor Project APT Repository

If the latest Tor version from deb.torproject.org has not been fully tested by Kicksecure developers at a specific point in time, then problems can emerge such as broken connectivity. ^[1] Testers should always maintain a separate, working version of Kicksecure so future connectivity problems can be averted.

If you wish to proceed despite the risk, two steps are required:

The deb.torproject.org repository must be enabled.
The anon-shared-build-apt-sources-tpo package must be installed, since it enables The Tor Project's APT signing key and installs the apt source torproject.sources ^[2]

In Kicksecure (kicksecure-18), update the package lists.

sudo apt update

Install the helper package that adds The Tor Project APT source and signing key.

sudo apt install anon-shared-build-apt-sources-tpo

Optional: switch to a different Tor Project distribution channel (for example, stable vs experimental).

Open file /etc/apt/sources.list.d/torproject.sources in an editor with administrative ("root") rights.

Select your platform.

Notes.

Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/torproject.sources

Notes.

Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/torproject.sources

Notes.

Shut down Template: After applying this change, shut down the Template.
Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
Qubes persistence: See also Qubes Persistence
General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Notes.

Example only: This is just an example. Other tools could achieve the same goal.
Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/torproject.sources

Disable the https://deb.torproject.org/torproject.org trixie main repository by finding the stanza with those settings, and changing Enabled: yes to Enabled: no in it. Then find the stanza for a different distribution, and enable it by changing that stanza's Enabled: no line to Enabled: yes.

Save the file.

Update the package lists so the new torproject.sources settings take effect. ^[3]

sudo apt update

Install Tor from The Tor Project repository (this may install a newer version).

This step also installs the deb.torproject.org-keyring package which keeps the Tor Project repository apt key up-to-date.

sudo apt install tor deb.torproject.org-keyring

Onionize Tor Project APT Repository

Only follow these instructions if Newer Tor versions from The Tor Project Repository was configured. Note that The Tor Project deb apt signing key must be added first (see the prior link), or error messages will appear when completing these steps.

Open torproject.sources in a text editor.

Open file /etc/apt/sources.list.d/torproject.sources in an editor with administrative ("root") rights.

Select your platform.

Notes.

Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/torproject.sources

Notes.

Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/torproject.sources

Notes.

Shut down Template: After applying this change, shut down the Template.
Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
Qubes persistence: See also Qubes Persistence
General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Notes.

Example only: This is just an example. Other tools could achieve the same goal.
Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/torproject.sources

Replace the clearnet repository with the onion repository by toggling Enabled:.

Disable the https://deb.torproject.org/torproject.org repository, and enable the tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org repository.

#### ENABLED SOURCES #### Types: deb URIs: https://deb.torproject.org/torproject.org Suites: trixie Components: main Enabled: no # <<<<< change this line from "yes" to "no" Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg #### DISABLED BY DEFAULT SOURCES #### Types: deb-src URIs: https://deb.torproject.org/torproject.org Suites: trixie Components: main Enabled: no Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg Types: deb deb-src URIs: https://deb.torproject.org/torproject.org Suites: tor-experimental-trixie Components: main Enabled: no Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg Types: deb deb-src URIs: https://deb.torproject.org/torproject.org Suites: tor-nightly-main-trixie Components: main Enabled: no Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg Types: deb deb-src # <<<<< Optional: Remove 'deb-src' from this line to save network bandwidth URIs: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org Suites: trixie Components: main Enabled: yes # <<<<< change this line from "no" to "yes" Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg

Update the package lists so the modified torproject.sources takes effect. ^[4]

sudo apt update

Install Tor from Backports

This can be an alternative to Tor installation from The Tor Project's APT Repository, which is documented above.

tor can be installed from Debian backports. This is non-ideal; see the footnote. ^[5]

Boot Kicksecure (kicksecure-18) Template.

Add the current Debian stable backports codename trixie-backports to Debian apt sources.

Note: this applies to Kicksecure 18.0.8.7. Later Kicksecure versions may use a codename different from trixie.

In Kicksecure (kicksecure-18) Template, run.

sudo su -c "echo -e 'Types: deb URIs: tor+https://deb.debian.org/debian Suites: trixie-backports Components: main contrib non-free Enabled: yes Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg' > /etc/apt/sources.list.d/backports.sources"

Alternatively, users who like Onionizing Repositories can set the .onion mirror.

sudo su -c "echo -e 'Types: deb URIs: tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian Suites: trixie-backports Components: main contrib non-free Enabled: yes Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg' > /etc/apt/sources.list.d/backports.sources"

Update the package lists.

sudo apt update

Install the selected software.

sudo apt -t trixie-backports install tor

The procedure is now complete.

Undo.

On occasion it is necessary to undo this configuration, for example when upgrading from Debian trixie to forky. ^[6] To proceed, run.

sudo rm /etc/apt/sources.list.d/backports.sources

Install Tor from Source Code

Advanced users only!

All steps should be performed inside Kicksecure (kicksecure).

Add the Debian sources file so source repositories can be enabled.

Open file /etc/apt/sources.list.d/debian.sources in an editor with administrative ("root") rights.

Select your platform.

Notes.

Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/debian.sources

Notes.

Sudoedit guidance: See Open File with Root Rights for details on why using sudoedit improves security and how to use it.
Editor requirement: Close Featherpad (or the chosen text editor) before running the sudoedit command.
Template requirement: When using Kicksecure-Qubes, this must be done inside the Template.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/debian.sources

Notes.

Shut down Template: After applying this change, shut down the Template.
Restart App Qubes: All App Qubes based on the Template need to be restarted if they were already running.
Qubes persistence: See also Qubes Persistence
General procedure: This is a general procedure required for Qubes and is unspecific to Kicksecure-Qubes.

Notes.

Example only: This is just an example. Other tools could achieve the same goal.
Troubleshooting and alternatives: If this example does not work for you, or if you are not using Kicksecure, please refer to Open File with Root Rights.

Open the file with root rights.

sudoedit /etc/apt/sources.list.d/debian.sources

Enable the deb-src repositories required to fetch Tor source and build dependencies.

Find the deb-src stanzas in this file. Enable either those that contain torified HTTPS addresses or those that contain onion addresses. To enable a repository, change the line Enabled: no in the repository's stanza to Enabled: yes.

Update the package lists after enabling source repositories.

sudo apt update

Install build dependencies for Tor.

sudo apt build-dep tor

Fetch the Tor release signing key so the source archive signature can be verified. ^[7]

Warning:

The following command using gpg with --recv-keys is not recommended for security reasons and is often non-functional. ^[8] This is not a Kicksecure-specific issue. The OpenPGP public key should be downloaded from the web instead; see also Secure Downloads. This procedure is currently undocumented and can be resolved as per the Self Support First Policy. Documentation contributions will be happily considered.

gpg --keyserver keys.openpgp.org --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601

If the attempt fails, utilize the v3 onion service instead.

gpg --keyserver zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601

Download the Tor source code archive for the desired version.

Note: Replace Tor version 0.4.6.5 with the actual Tor version to be downloaded.

scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz

Download the OpenPGP signature and verify the source archive.

scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz.asc

gpg --verify tor-0.4.6.5.tar.gz.asc

The output should look similar to the following.

gpg: assuming signed data in 'tor-0.4.6.5.tar.gz'
gpg: Signature made Mon 09 Dec 2019 06:21:51 PM UTC gpg: using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601 gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>" [unknown] gpg: aka "Nick Mathewson <nickm@wangafu.net>" [unknown] gpg: aka "Nick Mathewson <nickm@freehaven.net>" [unknown] gpg: aka "Nick Mathewson <nickm@torproject.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB
Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601

Extract the source archive.

tar xvzf tor-0.4.6.5.tar.gz

Change into the extracted source directory.

cd tor-0.4.6.5/

Configure the build and compile Tor from source.

./configure

make

The build should now be finished.

Verify the version of the newly built Tor binary.

./src/app/tor --version

The output should show.

Tor version 0.4.6.5.

Kicksecure for Qubes only: copy the newly built binary into the Kicksecure Template (whonix-gw-18).

qvm-copy ./src/app/tor

Stop the currently running Tor service before replacing the binary.

sudo systemctl stop tor

Replace the system Tor binary with the newly built binary.

sudo cp ./src/app/tor /usr/sbin/tor

Copy the binary again. ^[9]

sudo cp ./src/app/tor /usr/bin/tor

Start Tor again to apply the new binary.

sudo systemctl start tor

The process of installing Tor from source code is now complete.

Tor Version Downgrade

It is usually not required to downgrade the Tor version. This should be used only in very specific cases to work around a bug or for testing.

Platform specific notice.

non-Qubes users: No special notice.
Qubes users: In Template.

Show available Tor versions.

apt list tor -a

Downgrade, for example, to Tor version 0.4.7.16-1.

Note: The version number was appropriate at the time of writing but might need replacement in the future.

sudo apt install tor=0.4.7.16-1 tor-geoipdb=0.4.7.16-1

Platform specific notice.

non-Qubes users: No special notice.
Qubes users: Shut down Template.

Reboot.

A reboot of the (VM) running Tor is required.

Done.

The Tor version downgrade process has been completed.

Footnotes

↑ At the time of writing Tor v4.2.5 was non-functional in Kicksecure.
↑ Alternatively, The Tor Project's native instructions for Debian can be used, but the manual steps are more difficult and involved. The verification of The Tor Project APT signing key is also harder. Since you already trust Kicksecure, the logical choice is to trust another Kicksecure package to install the right signing key.
↑ So the newly installed /etc/apt/sources.list.d/torproject.sources takes effect.
↑ So the modified /etc/apt/sources.list.d/torproject.sources takes effect.
↑
Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk,
- Kicksecure users: might want to consider using Multiple Kicksecure
- Kicksecure inside Qubes users: might want to consider using Multiple Kicksecure Templates or Software Installation in a App Qube.
↑ Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
↑
↑ https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
↑ apt-file list tor shows both locations /usr/bin/tor and /usr/sbin/tor.

Kicksecure-Qubes Security Documentation Virtualization Platform Security Previous page: Kicksecure-Qubes Security Index page: Documentation Next page: Virtualization Platform Security

Kicksecure

A secure by default operating system with the latest security research in place.

Dark mode

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012- 2026 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

[1] At the time of writing Tor v4.2.5 was non-functional in Kicksecure.

[2] Alternatively, The Tor Project's native instructions for Debian can be used, but the manual steps are more difficult and involved. The verification of The Tor Project APT signing key is also harder. Since you already trust Kicksecure, the logical choice is to trust another Kicksecure package to install the right signing key.

[3] So the newly installed /etc/apt/sources.list.d/torproject.sources takes effect.

[4] So the modified /etc/apt/sources.list.d/torproject.sources takes effect.

[5] Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT. To contain the risk,
Kicksecure users: might want to consider using Multiple Kicksecure

Kicksecure inside Qubes users: might want to consider using Multiple Kicksecure Templates or Software Installation in a App Qube.

[6] Kicksecure users: might want to consider using Multiple Kicksecure

[7] Kicksecure inside Qubes users: might want to consider using Multiple Kicksecure Templates or Software Installation in a App Qube.

[6] Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Stay Tuned).

[7] 
https://2019.www.torproject.org/docs/signing-keys.html.en

https://support.torproject.org/tbb/how-to-verify-signature/

stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org

https://gitlab.torproject.org/tpo/web/support/-/issues/139

[10] ttps://2019.www.torproject.org/docs/signing-keys.html.en

[11] ttps://support.torproject.org/tbb/how-to-verify-signature/

[12] stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org

[13] ttps://gitlab.torproject.org/tpo/web/support/-/issues/139

[8] ttps://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607

[9] apt-file list tor shows both locations /usr/bin/tor and /usr/sbin/tor.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

Installing Newer Tor Versions

Contents

Introduction

The Tor Project APT Repository

Kicksecure

Kicksecure-Qubes

Others and Alternatives

Onionize Tor Project APT Repository

Kicksecure

Kicksecure-Qubes

Others and Alternatives

Install Tor from Backports

Install Tor from Source Code

Kicksecure

Kicksecure-Qubes

Others and Alternatives

Tor Version Downgrade

Footnotes

Navigation menu

Installing Newer Tor Versions

Introduction

The Tor Project APT Repository

Kicksecure

Kicksecure-Qubes

Others and Alternatives

Onionize Tor Project APT Repository

Kicksecure

Kicksecure-Qubes

Others and Alternatives

Install Tor from Backports

Install Tor from Source Code

Kicksecure

Kicksecure-Qubes

Others and Alternatives

Tor Version Downgrade

Footnotes

Navigation menu

Search