Installing Newer Tor Versions
How-to: Install Newer Versions of Tor
Introduction[edit]
Note that a later Tor version will not always be installed from either:
- A) Install Tor from Backports, or
- B) The Tor Project APT repository -- in the recent past, the Debian
bullseye
repositories forpackages.debian.org
anddeb.torproject.org
had identical Tor versions. In general, as the Debian stable release ages, the likelihood of receiving a newer Tor version fromdeb.torproject.org
increases.
The Tor Project APT Repository[edit]
If you wish to proceed despite the risk, two steps are required:
- The
deb.torproject.org
repository must be enabled. - The
anon-shared-build-apt-sources-tpo
package must be installed, since it enables The Tor Project's APT signing key and installs the apt source torproject.list [2]
1. In Kicksecure (kicksecure-17
), update the package lists.
sudo apt update
2. Install anon-shared-build-apt-sources-tpo
.
sudo apt install anon-shared-build-apt-sources-tpo
3. Optional: select an alternative Tor Project distribution for the Tor package.
Open file /etc/apt/sources.list.d/torproject.list
in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
sudoedit /etc/apt/sources.list.d/torproject.list
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/apt/sources.list.d/torproject.list
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/apt/sources.list.d/torproject.list
Comment out deb tor+https://deb.torproject.org/torproject.org bookworm main
by adding a hash (#
) in front of it. Comment in a different distribution by removing the hash in front of it or by adding a newer deb
URI line.
Save the file.
4. Refresh the package lists. [3]
sudo apt update
5. Install the (potentially) newer version of the tor
package.
This step also installs the deb.torproject.org-keyring
package which keeps the Tor Project repository apt key up-to-date.
sudo apt install tor deb.torproject.org-keyring
Onionize Tor Project APT Repository[edit]
Only follow these instructions if Newer Tor versions from The Tor Project Repository was configured. Note that The Tor Project deb apt signing key must be added first (see the prior link), or error messages will appear when completing these steps.
Run the following commands in Kicksecure.
1. Create a torproject.list file using an editor.
Open file /etc/apt/sources.list.d/torproject.list
in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit
for better security and how to use it.
sudoedit /etc/apt/sources.list.d/torproject.list
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/apt/sources.list.d/torproject.list
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/apt/sources.list.d/torproject.list
2. Cut and paste the following text and comment out (#) the corresponding http repository.
#deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main
Save and exit.
Install Tor from Backports[edit]
This can be an alternative to Tor installation from The Tor Project's APT Repository, which is documented above.
tor
can be installed from Debian backports. This is non-ideal, see footnote. [4]
1. Boot Kicksecure (kicksecure-17
) Template.
2. Add the current Debian stable backports codename bookworm-backports
to Debian apt sources.
Note: this applies to Kicksecure 17.2.8.5. Later Kicksecure versions may use a codename different to bookworm
.
In Kicksecure (kicksecure-17
) Template, run.
sudo su -c "echo -e 'deb tor+https://deb.debian.org/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
Alternatively, users who like Onionizing Repositories can set the .onion mirror.
sudo su -c "echo -e 'deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
3. Update the package lists.
sudo apt update
4. Install the select software.
sudo apt -t bookworm-backports install tor
The procedure is now complete.
5. Undo.
On occasion it is necessary to undo this configuration, for example when upgrading from Debian bookworm
to trixie
. [5] To proceed, run.
sudo rm /etc/apt/sources.list.d/backports.list
Install Tor from Source Code[edit]
Advanced users only!
All steps should be performed inside Kicksecure (kicksecure
).
1. Add the Debian bookworm
source repository.
echo "deb-src tor+https://deb.debian.org/debian bookworm main" | sudo tee /etc/apt/sources.list.d/debian-source.list
2. Update the package lists.
sudo apt update
3. Install build dependencies for Tor.
sudo apt build-dep tor
4. Fetch the signing key. [6]
gpg --keyserver keys.openpgp.org --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601
If the attempt fails, utilize the v3 onion service instead.
gpg --keyserver zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion --recv-keys 7A02B3521DC75C542BA015456AFEE6D49E92B601
5. Download the Tor source code archive.
Note: Replace Tor version 0.4.6.5
with the actual Tor version to be downloaded.
scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz
6. Download and verify the Tor source code OpenPGP signature.
scurl-download https://dist.torproject.org/tor-0.4.6.5.tar.gz.asc
gpg --verify tor-0.4.6.5.tar.gz.asc
The output should look similar to the following.
gpg: assuming signed data in 'tor-0.4.6.5.tar.gz'
gpg: Signature made Mon 09 Dec 2019 06:21:51 PM UTC gpg: using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601 gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>" [unknown] gpg: aka "Nick Mathewson <nickm@wangafu.net>" [unknown] gpg: aka "Nick Mathewson <nickm@freehaven.net>" [unknown] gpg: aka "Nick Mathewson <nickm@torproject.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2133 BC60 0AB1 33E1 D826 D173 FE43 009C 4607 B1FB
Subkey fingerprint: 7A02 B352 1DC7 5C54 2BA0 1545 6AFE E6D4 9E92 B601
7. Extract the Tor source code archive.
tar xvzf tor-0.4.6.5.tar.gz
8. Navigate to the Tor source code folder.
cd tor-0.4.6.5/
9. Run configure and build the binary package.
./configure
make
The build should now be finished.
10. Check the version of the built binary.
./src/app/tor --version
The output should show.
Tor version 0.4.6.5.
11. Kicksecure for Qubes only: copy the newly built binary to Kicksecure Template (whonix-gw-17
).
qvm-copy ./src/app/tor
12. Stop Tor.
sudo systemctl stop tor
13. Copy the newly build Tor binary to the system.
sudo cp ./src/app/tor /usr/sbin/tor
Copy the binary again. [8]
sudo cp ./src/app/tor /usr/bin/tor
14. Restart Tor.
sudo systemctl start tor
The process of installing Tor from source code is now complete.
Tor Version Downgrade[edit]
It is usually not required to downgrade the Tor version. This should be only used in very specific cases to work around a bug or for testing.
1. Platform specific notice.
- non-Qubes users: No special notice.
- Qubes users: In Template.
2. Show available Tor versions.
apt list tor -a
3. Downgrade for example to Tor version 0.4.7.16-1
.
Note: The version number was appropriate at time of writing but might need replacement in the future.
sudo apt install tor=0.4.7.16-1 tor-geoipdb=0.4.7.16-1
4. Platform specific notice.
- non-Qubes users: No special notice.
- Qubes users: Shut down Template.
5. Reboot.
A reboot of the (VM) running Tor is required.
6. Done.
The process of Tor version downgrade has been completed.
Footnotes[edit]
- ↑ At the time of writing Tor v4.2.5 was non-functional in Kicksecure.
- ↑ Alternatively, The Tor Project's native instructions for Debian can be used, but the manual steps are more difficult and involved. The verification of The Tor Project APT signing key is also harder. Since you already trust Kicksecure, the logical choice is to trust another Kicksecure package to install the right signing key.
- ↑ So the newly installed /etc/apt/sources.list.d/torproject.list takes effect.
- ↑
Users should Prefer Packages from Debian Stable Repository, but using backports is better than manual software installation or using third party package managers since this prefers APT.
To contain the risk,
- Kicksecure users: might want to consider using Multiple Kicksecure
- Kicksecure inside Qubes users: might want to consider using Multiple Kicksecure Templates or Software Installation in a App Qube.
- ↑ Most often this step applies before attempting major Kicksecure upgrades; upgrade instructions are also made available at that time (see Stay Tuned).
- ↑
- ↑ https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
- ↑
apt-file list tor
shows both locations/usr/bin/tor
and/usr/sbin/tor
.
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!