{{Header}} {{Title|title= Install Tor Browser on Debian, Kicksecure or Qubes using Tor Browser Downloader (by {{project_name_long}} developers) }} {{#seo: |description=Installing Tor Browser outside of {{project_name_short}}. Fallback if {{project_name_short}} breaks. Test Tor connectivity outside of {{project_name_short}}. |image=Tbboutside.jpg }} [[File:Tbboutside.jpg|thumb]] {{intro| * '''A)''' Installation of Tor Browser on Whonix: Tor Browser is installed by default in Whonix. For more information and re-installtion, see the [[Tor Browser]] wiki page. * '''B)''' Installation of Tor Browser using tb-updater (by {{project_name_short}} developers) for Debian, Kicksecure, or Qubes: See this wiki page. }} = Introduction = {{Community_Support|scope=page}} Various wiki sections recommend that a functional Tor Browser instance is maintained outside of the {{project_name_short}} platform. This is useful in various cases: * Should {{project_name_short}} ever break, it is possible to search for a solution anonymously. * System-wide Tor problems can be easily detected by testing connectivity outside of {{project_name_short}}. * Certain Tor / Tor Browser activities are difficult (or impossible) to configure in {{project_name_short}}, but are much easier in the standard configuration. <ref>For example, the [[Bridges#Snowflake|Snowflake]] pluggable transport client is currently experimental in {{project_name_short}}.</ref> In [[Non-Qubes-Whonix|{{non_q_project_name_short}}]], it is recommended to have Tor Browser installed on the Linux / macOS / Windows host platform. In [[Qubes|{{q_project_name_long}}]], it is recommended to install Tor Browser in a <code>debian-{{Stable project version based on Debian version short}}</code>, <code>debian-{{Stable project version based on Debian version short}}-minimal</code> or <code>kicksecure</code> App Qube (advanced users). <u>Note</u>: If an expired key signature message like below appears, the steps in this chapter must be performed again due to an update of the {{project_name_short}} signing key; see [https://forums.whonix.org/t/expired-key-signature/11457 Expired key signature]. <pre>The following signatures were invalid: EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer adrelanos@whonix.org</pre> = Easy = == All Platforms: Manual Tor Browser Download == Follow [[Tor_Browser/Manual_Download#Manually_Downloading_Tor_Browser |these instructions]] to manually download Tor Browser with Firefox-ESR via the available onion service. This method is not anonymous, unless [[Qubes|{{q_project_name_short}}]] users temporarily set <code>{{project_name_gateway_vm}}</code> as the NetVM for the non-{{project_name_short}} App Qube. == Debian Linux Hosts == Tor Browser can optionally be downloaded utilizing the [https://github.com/Kicksecure/tb-updater <code>tb-updater</code>] software package by {{project_name_short}} developers. By default the download <u>does not</u> occur over Tor, meaning it is <u>not</u> anonymous. {{Box|text= {{Project-APT-Repository-Add Easy}} '''5.''' Update the package lists. {{CodeSelect|code= sudo apt update }} '''6.''' Install <code>tb-updater</code>. {{CodeSelect|code= sudo apt install tb-updater }} }} = Moderate: QubesOS = {{mbox | image = [[File:Ambox_notice.png|40px]] | text = [[Qubes|{{q_project_name_short}}]] R4 only! This method is anonymous. }} Summary of instructions of Qubes OS. Details below. These instructions: # Anonymously retrieve and verify the {{project_name_short}} signing key. # Copy the {{project_name_short}} signing key to a debian-{{Stable project version based on Debian version short}} (<code>debian-{{Stable project version based on Debian version short}}-tor</code>) or debian-{{Stable project version based on Debian version short}}-minimal (<code>debian-{{Stable project version based on Debian version short}}-minimal-tor</code>) Template clone. # Add the {{project_name_short}} signing key to the list of trusted keys. # Install apt-transport-tor in the <code>debian-{{Stable project version based on Debian version short}}-tor</code> / <code>debian-{{Stable project version based on Debian version short}}-minimal-tor</code> Template. # Add the {{project_name_short}} APT repository. # Install <code>tb-updater</code> from the {{project_name_short}} repository. # Create a <code>debian-tor-browser</code> / <code>debian-minimal-tor-browser</code> App Qube based on the Template clone. The <code>debian-{{Stable project version based on Debian version short}}-minimal</code> template provides a smaller attack surface, but is recommended for advanced users. Several package prerequisites are required for full functionality; see footnote. <ref>At the time of writing the [https://www.qubes-os.org/doc/templates/minimal/ Qubes documentation] and [https://forum.qubes-os.org/t/debian-10-minimal-configuration/2603 forums] suggest the following essential packages for browsing purposes: * qubes-core-agent-passwordless-root * qubes-core-agent-networking * pulseaudio-qubes To utilize nautilus file manager so a GUI can be used to interact with downloaded files (optional): * qubes-core-agent-nautilus * nautilus * zenity If you plan on mounting encrypted drives (optional): * gnome-keyring * policykit-1 * libblockdev-crypto2 </ref> <ref>Also see [https://svensemmler.org/notes/deb-min-templates automate debian-minimal based template creation]</ref> == Clone the Template == {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = <u>Prerequisite</u>: The <code>debian-{{Stable project version based on Debian version short}}</code> or <code>debian-{{Stable project version based on Debian version short}}-minimal</code> Template must be manually installed first if it not already available. In <code>dom0</code>, run either. {{CodeSelect|code= sudo qvm-template install debian-{{Stable project version based on Debian version short}} }} Or. {{CodeSelect|code= sudo qvm-template install debian-{{Stable project version based on Debian version short}}-minimal }} }} In Qube Manager: <code>Right-click debian-{{Stable project version based on Debian version short}} or debian-{{Stable project version based on Debian version short}}-minimal template</code> → <code><u>C</u>lone qube</code> → <code>Rename to debian-{{Stable project version based on Debian version short}}-tor or debian-{{Stable project version based on Debian version short}}-minimal-tor</code> == {{project_name_workstation_vm}} Steps == Run the following commands in <code>{{project_name_workstation_vm}}</code> terminal. Advanced users can utilize a {{project_name_short}} DispVM instead in this section. {{Box|text= '''1.''' Download the {{project_name_short}} signing key. {{CodeSelect|code= curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc https://www.whonix.org/derivative.asc }} '''2.''' Display the key fingerprint. {{CodeSelect|code= gpg --keyid-format long --import --import-options show-only --with-fingerprint derivative.asc }} '''3.''' Verify the {{project_name_short}} signing key fingerprint. Compare the fingerprint to the one found [[Signing Key|here]]. The most important check is confirming the fingerprint <u>exactly</u> matches the output below. <ref>Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.</ref> <pre> Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA </pre> The message <code>gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys</code> is related to the [[OpenPGP#The_OpenPGP_Web_of_Trust|The OpenPGP Web of Trust]]. Advanced users can learn more about this [[Main/Project Signing Key#OpenPGP_Web_of_Trust|here]]. '''4.''' Rename the {{project_name_short}} signing key to a temporary <code>derivative.asc</code> file. {{CodeSelect|code= mv derivative.asc /tmp/derivative.asc }} '''5.''' Copy the <code>derivative.asc</code> text file to the <code>debian-{{Stable project version based on Debian version short}}-tor</code> or <code>debian-{{Stable project version based on Debian version short}}-minimal-tor</code> Template. {{CodeSelect|code= qvm-copy /tmp/derivative.asc }} When prompted, choose either the <code>debian-{{Stable project version based on Debian version short}}-tor</code> or <code>debian-{{Stable project version based on Debian version short}}-minimal-tor</code> Template. }} == Template Steps == Complete the following steps in <code>debian-{{Stable project version based on Debian version short}}-tor</code> or <code>debian-{{Stable project version based on Debian version short}}-minimal-tor</code> terminal. {{Box|text= '''1.''' Add the {{project_name_short}} signing key to the list of trusted keys. {{CodeSelect|code= sudo cp ~/QubesIncoming/{{project_name_workstation_vm}}/derivative.asc /usr/share/keyrings/derivative.asc }} '''2.''' Add the {{project_name_short}} stable APT repository. <ref> Alternatively use the stable onion APT repository: {{CodeSelect|code= echo "deb [signed-by=/usr/share/keyrings/derivative.asc] http://deb.{{project_onion}} {{Stable project version based on Debian codename}} main contrib non-free" {{!}} sudo tee /etc/apt/sources.list.d/derivative.list }} </ref> <ref> Note: <code>tor+http</code> does not work in this configuration. </ref> {{CodeSelect|code= echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.{{project_clearnet}} {{Stable project version based on Debian codename}} main contrib non-free" {{!}} sudo tee /etc/apt/sources.list.d/derivative.list }} '''3.''' Update the package lists. {{CodeSelect|code= sudo apt update }} '''4.''' Install <code>tb-updater</code> by {{project_name_short}}. {{CodeSelect|code= sudo apt install tb-updater }} Note: This step will correctly install <code>tb-updater</code> and should also automatically download Tor Browser. If that does not occur, complete steps 2 to 4 below after creating an App Qube. }} == App Qube Steps == {{Box|text= '''1.''' Create an App Qube based on the <code>debian-{{Stable project version based on Debian version short}}-tor</code> or <code>debian-{{Stable project version based on Debian version short}}-minimal-tor</code> Template. In Qube Manager: <code>Left-click <u>Q</u>ube</code> → <code>Create <u>n</u>ew qube</code> Use the following settings: * <u>Name and label:</u> debian-tor-browser or debian-minimal-tor-browser * <u>Type:</u> App Qube * <u>Template:</u> debian-{{Stable project version based on Debian version short}}-tor or debian-{{Stable project version based on Debian version short}}-minimal-tor * <u>Networking:</u> default (sys-firewall) '''2.''' ''Optional:'' Temporarily set <code>{{project_name_gateway_vm}}</code> as the NetVM for the Debian App Qube. If Tor Browser was not downloaded at step 5 in the previous section, complete steps 2 to 4. In Qube Manager: <code>Right-click ''debian-tor-browser''</code> or <code>''debian-minimal-tor-browser''</code> → <code>Qube s<u>e</u>ttings</code> → <code>Networking</code> → <code>Select ''{{project_name_gateway_vm}}''</code> → <code>OK</code> '''3.''' ''Optional:'' Download Tor Browser. In terminal, run. {{CodeSelect|code= update-torbrowser --input gui }} '''4.''' ''Optional:'' Revert the networking setting to <code>sys-firewall</code> in Qube Manager. '''5.''' Launch Tor Browser from the App Qube menu and check it is functional. Note: Tor Browser can be kept up-to-date using Tor Browser's internal updater. It is not necessary to run the ''update-torbrowser'' command again. }} '''Figure:''' ''Tor Browser in Qubes' <code>debian-minimal-tor-browser</code> App Qube'' [[File:Debian10minimaltorbrowser.png|border]] = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]