Installing Newer Tor Versions

From Kicksecure

Torversioning243231.png

Introduction[edit]

Info Testers only.

Note that a later Tor version will not always be installed from The Tor Project APT repository -- in the recent past, the Debian bullseye repositories for packages.debian.org and deb.torproject.org had identical Tor versions. In general, as the Debian stable release ages, the likelihood of receiving a newer Tor version from deb.torproject.org increases.

The Tor Project APT Repository[edit]

Info If the latest Tor version from deb.torproject.org has not been fully tested by Kicksecure ™ developers at a specific point in time, then problems can emerge such as broken connectivity. [1] Testers should always maintain a separate, working version of Kicksecure ™ so future connectivity problems can be averted.

If you wish to proceed despite the risk, two steps are required:

  • The deb.torproject.org repository must be enabled.
  • The anon-shared-build-apt-sources-tpo package must be installed, since it enables The Tor Project's APT signing key and installs the apt source torproject.list [2]

1. In Kicksecure ™ (kicksecure-16), update the package lists.

sudo apt update

2. Install anon-shared-build-apt-sources-tpo.

sudo apt install anon-shared-build-apt-sources-tpo

3. Optional: select an alternative Tor Project distribution for the Tor package.

Open file /etc/apt/sources.list.d/torproject.list in an editor with root rights.

(Kicksecure ™ inside Qubes: In Template)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Kicksecure ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/torproject.list

Comment out deb tor+https://deb.torproject.org/torproject.org bullseye main by adding a hash (#) in front of it. Comment in a different distribution by removing the hash in front of it or by adding a newer deb URI line.

Save the file.

4. Refresh the package lists. [3]

sudo apt update

5. Install the (potentially) newer version of the tor package.

This step also installs the deb.torproject.org-keyring package which keeps the Tor Project repository apt key up-to-date.

sudo apt install tor deb.torproject.org-keyring

Onionize Tor Project APT Repository[edit]

Only follow these instructions if Newer Tor versions from The Tor Project Repository was configured. Note that The Tor Project deb apt signing key must be added first (see the prior link), or error messages will appear when completing these steps.

Run the following commands in Kicksecure ™.

1. Create a torproject.list file using an editor.

Open file /etc/apt/sources.list.d/torproject.list in an editor with root rights.

(Kicksecure ™ inside Qubes: In Template)

This box uses sudoedit for better security. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Kicksecure ™, please refer to this link.

sudoedit /etc/apt/sources.list.d/torproject.list

2. Cut and paste the following text and comment out (#) the corresponding http repository.

#deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main

Save and exit.

Install Tor from Source Code[edit]

Advanced users only!

All steps should be performed inside Kicksecure (kicksecure).

1. Add the Debian bullseye source repository.

echo "deb-src tor+https://deb.debian.org/debian bullseye main" | sudo tee /etc/apt/sources.list.d/debian-source.list

2. Update the package lists.

sudo apt update

3. Install build dependencies for Tor.

sudo apt build-dep tor

4. Fetch the signing key. [4]

Whonix first time users warning Warning:

The following command using gpg with --recv-keys is not recommended for security reasons and is often non-functional. [5] This is not a Kicksecure ™-specific issue. The OpenPGP public key should be downloaded from the web instead; see also Secure Downloads. This procedure is currently undocumented and can be resolved as per the Free Support Principle. Documentation contributions will be happily considered.

gpg --keyserver keys.openpgp.org --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601

If the attempt fails, utilize the v3 onion service instead.

gpg --keyserver zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601

5. Download the Tor source code archive.

Note: Replace Tor version 0.4.6.5 with the actual Tor version to be downloaded.

scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz

6. Download and verify the Tor source code OpenPGP signature.

scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz.asc

gpg --verify tor-0.4.6.5.tar.gz.asc

The output should look similar to the following.

gpg: assuming signed data in 'tor-0.4.6.5.tar.gz'

gpg: Signature made Mon 09 Dec 2019 06:21:51 PM UTC gpg: using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601 gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>" [unknown] gpg: aka "Nick Mathewson <nickm@wangafu.net>" [unknown] gpg: aka "Nick Mathewson <nickm@freehaven.net>" [unknown] gpg: aka "Nick Mathewson <nickm@torproject.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB

Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601

7. Extract the Tor source code archive.

tar xvzf tor-0.4.6.5.tar.gz

8. Navigate to the Tor source code folder.

cd tor-0.4.6.5/

9. Run configure and build the binary package.

./configure

make

The build should now be finished.

10. Check the version of the built binary.

./src/app/tor --version

The output should show.

Tor version 0.4.6.5.

11. Kicksecure ™ for Qubes only: copy the newly built binary to Kicksecure ™ Template (whonix-gw-16).

qvm-copy ./src/app/tor

12. Stop Tor.

sudo systemctl stop tor

13. Copy the newly build Tor binary to the system.

sudo cp ./src/app/tor /usr/sbin/tor

Copy the binary again. [6]

sudo cp ./src/app/tor /usr/bin/tor

14. Restart Tor.

sudo systemctl start tor

The process of installing Tor from source code is now complete.

Footnotes[edit]

  1. At the time of writing Tor v4.2.5 is non-functional in Kicksecure ™.
  2. Alternatively, The Tor Project's native instructions for Debian can be used, but the manual steps are more difficult and involved. The verification of The Tor Project APT signing key is also harder. Since you already trust Kicksecure ™, the logical choice is to trust another Kicksecure ™ package to install the right signing key.
  3. So the newly installed /etc/apt/sources.list.d/torproject.list takes effect.
  4. https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
  5. apt-file list tor shows both locations /usr/bin/tor and /usr/sbin/tor.


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.