freedomofpress · cfm · Aug 28, 2025 · Jul 23, 2025 · Aug 25, 2025 · Aug 26, 2025
@@ -148,7 +148,6 @@ jobs:
           - log
           - proxy
           - qubesdb-tools
-          - whonix-config
         debian_version:
           - bookworm
     runs-on: ubuntu-latest

@@ -16,7 +16,6 @@ This repository contains multiple components, including:
 * `qubesdb-tools`: tools for configuring non-Qubes-aware applications from
   QubesDB
 * `proxy`: restricted HTTP proxy
-* `whonix-config`: Whonix configuration for SecureDrop
 * `workstation-config`: configuration for SecureDrop Workstation templates
 
 Each component's folder has a README with more detail.

@@ -13,7 +13,10 @@ const proxyCommand = (timeout: number): ProxyCommand => {
   return {
     command: sdProxyCommand,
     options: [],
-    proxyOrigin: sdProxyOrigin,
+    env: new Map([
+      ["SD_PROXY_ORIGIN", sdProxyOrigin],
+      ["DISABLE_TOR", "yes"],
+    ]),
     timeout: timeout as ms,
   };
 };

@@ -29,7 +29,7 @@ const mockProxyCommand = (): ProxyCommand => {
   return {
     command: "",
     options: [],
-    proxyOrigin: "",
+    env: new Map(),
     timeout: 100 as ms,
   };
 };

@@ -25,9 +25,12 @@ export async function proxy(
 ): Promise<ProxyResponse> {
   let command = "";
   let commandOptions: string[] = [];
+  const env: Map<string, string> = new Map();
 
   if (import.meta.env.MODE == "development") {
     command = __PROXY_CMD__;
+    env.set("SD_PROXY_ORIGIN", __PROXY_ORIGIN__);
+    env.set("DISABLE_TOR", "yes");
   } else {
     command = "/usr/lib/qubes/qrexec-client-vm";
 
@@ -37,7 +40,7 @@ export async function proxy(
   const proxyCommand: ProxyCommand = {
     command: command,
     options: commandOptions,
-    proxyOrigin: __PROXY_ORIGIN__,
+    env: env,
     timeout: DEFAULT_PROXY_CMD_TIMEOUT_MS,
     abortSignal: abortSignal,
   };
@@ -97,7 +100,7 @@ export async function proxyJSONRequest(
 ): Promise<ProxyJSONResponse> {
   return new Promise((resolve, reject) => {
     const process = child_process.spawn(command.command, command.options, {
-      env: { SD_PROXY_ORIGIN: command.proxyOrigin },
+      env: Object.fromEntries(command.env),
       timeout: command.timeout,
       signal: command.abortSignal,
     });
@@ -188,7 +191,7 @@ export async function proxyStreamInner(
     let stderr = "";
     let stdout = "";
     const process = child_process.spawn(command.command, command.options, {
-      env: { SD_PROXY_ORIGIN: command.proxyOrigin },
+      env: Object.fromEntries(command.env),
       timeout: command.timeout,
       signal: command.abortSignal,
     });

@@ -9,7 +9,7 @@ export type ProxyRequest = {
 export type ProxyCommand = {
   command: string;
   options: string[];
-  proxyOrigin: string;
+  env: Map<string, string>;
   timeout: ms;
   abortSignal?: AbortSignal;
 };

@@ -76,11 +76,7 @@ end
 subgraph sd-proxy
 spProxy["securedrop-proxy"]
 end
-spProxy --HTTP--> spTor
-subgraph sd-whonix
-spTor["Tor"]
-end
-spTor --> spServer["SecureDrop Server"]
+spProxy --HTTP over Tor--> spServer["SecureDrop Server"]
 end
 ```
 

@@ -337,6 +337,7 @@ def _send_json_request(
         env = {}
         if self.development_mode:
             env["SD_PROXY_ORIGIN"] = self.server
+            env["DISABLE_TOR"] = "yes"
 
         # Streaming
         if stream:

@@ -37,7 +37,8 @@ Description: Python module and qrexec service to store logs for SecureDrop Works
 
 Package: securedrop-proxy
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}, libqubesdb
+# TODO: add securedrop-arti once that's published
+Depends: ${misc:Depends}, ${shlibs:Depends}, libqubesdb, python3, python3-cryptography, python3-qubesdb
 Description: This is securedrop Qubes proxy service
  This package provides the network proxy on Qubes to talk to the SecureDrop server.
 
@@ -49,14 +50,6 @@ Description: Tools for configuring non-Qubes-aware applications from QubesDB.
  This package provides tools for configuring non-Qubes-aware applications from
  QubesDB.
 
-Package: securedrop-whonix-config
-Section: admin
-Architecture: all
-# FIXME: s/tor/anon-gw-anonymizer-config/ (requires Whonix repositories in piuparts)
-Depends: ${misc:Depends}, securedrop-qubesdb-tools, tor
-Description: Whonix configuration for SecureDrop.
- This package configures Whonix/Tor for SecureDrop.
-
 Package: securedrop-workstation-config
 Architecture: all
 Depends: python3-qubesdb, rsyslog, mailcap, apparmor, nautilus, securedrop-keyring, xfce4-terminal

@@ -39,5 +39,6 @@ override_dh_installdeb:
 override_dh_installsystemd:
 	dh_installsystemd --name securedrop-log-server
 	dh_installsystemd --name securedrop-logging-disabled
-	dh_installsystemd --name securedrop-whonix-config
+	dh_installsystemd --name securedrop-proxy-onion-config
+	dh_installsystemd --name securedrop-arti
 	dh_installsystemd --name securedrop-mime-handling
@@ -1,3 +1,5 @@
+#!/usr/bin/dh-exec --with=install
 proxy/qubes/securedrop.Proxy etc/qubes-rpc/
 target/release/securedrop-proxy usr/bin/
 proxy/usr.bin.securedrop-proxy /etc/apparmor.d/
+proxy/configure_onion_service.py => usr/bin/securedrop-configure-onion-service
@@ -0,0 +1,28 @@
+[Unit]
+Description=System Tor Service (Arti) for securedrop-proxy
+After=network.target
+Before=nss-lookup.target
+Wants=nss-lookup.target
+ConditionPathExists=/var/run/qubes-service/securedrop-arti
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/arti proxy
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+User=_arti
+Group=_arti
+LimitNOFILE=16384
+
+# Create /var/lib/arti
+StateDirectory=arti
+StateDirectoryMode=0700
+
+# Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,15 @@
+[Unit]
+Description=SecureDrop Proxy configuration
+ConditionPathExists=/var/run/qubes-service/securedrop-arti
+
+# Ensure that tor is ready
+After=securedrop-arti.service
+
+[Service]
+Type=exec
+User=_arti
+ExecStart=/usr/bin/securedrop-configure-onion-service
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
@@ -8,7 +8,7 @@ securedrop-workstation-config: section-is-dh_make-template
 securedrop-workstation-config: extended-description-line-too-long
 
 # We're just restarting paxctld, it's fine
-securedrop-workstation-config: maintainer-script-calls-systemctl [postinst:28]
+securedrop-workstation-config: maintainer-script-calls-systemctl
 
 # We're not shipping CDs, so this is fine
 securedrop-workstation-config: package-has-long-file-name

@@ -20,16 +20,11 @@ set -e
 
 case "$1" in
     configure)
-    # move pax flags and restart paxctld service
-    # copy and set default mimeapps handling
-    # except for whonix-based VMs
-    if [ ! -e "/etc/whonix_version" ]; then
-      cp /opt/sdw/paxctld.conf /etc/paxctld.conf
-      systemctl restart paxctld
-      cp /opt/sdw/open-in-dvm.desktop /usr/share/applications/
-      cp /opt/sdw/mimeapps.list.sd-app /usr/share/applications/mimeapps.list
-      cp /opt/sdw/mimeapps.list.sd-app /opt/sdw/mimeapps.list.default
-    fi
+    cp /opt/sdw/paxctld.conf /etc/paxctld.conf
+    systemctl restart paxctld
+    cp /opt/sdw/open-in-dvm.desktop /usr/share/applications/
+    cp /opt/sdw/mimeapps.list.sd-app /usr/share/applications/mimeapps.list
+    cp /opt/sdw/mimeapps.list.sd-app /opt/sdw/mimeapps.list.default
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

@@ -11,7 +11,7 @@ qubesdb = []
 [dependencies]
 anyhow = {version = "1.0.75"}
 futures-util = "0.3.30"
-reqwest = { version = "0.12", features = ["gzip", "stream"] }
+reqwest = { version = "0.12", features = ["gzip", "stream", "socks"] }
 serde = {version = "1.0.188", features = ["derive"]}
 serde_json = "1.0.107"
 tokio = {version = "1.0", features = ["macros", "rt"]}

@@ -40,18 +40,15 @@ sequenceDiagram
 participant c as securedrop-client
 participant sdk as securedrop-sdk
 participant p as securedrop-proxy
-participant w as sd-whonix
 participant server as SecureDrop
 
 c ->> sdk: job
 activate sdk
 sdk -->> p: JSON over qrexec
 activate p
-p -->> w: HTTP
-w -->> server: HTTP over Tor
+p -->> server: HTTP over Tor
 
-server -->> w: HTTP over Tor
-w -->> p: HTTP
+server -->> p: HTTP over Tor
 
 alt stream: false
 p -->> sdk: JSON over qrexec