Tor Browser on Silverblue

Has anyone ever installed Tor Browser on Fedora Silverblue?

  • On Fedora Workstation there was an rpm package. This is useful, because it provided a downloader and (what is more important!) SELinux rules to secure the Tor Browser installation.
  • There is a ticket on Tor Browser’s issue tracker for creating an (official) flatpak of the Tor Browser, but unfortunately they did not show much interest in it. (Though you can possibly upvote/comment it!)
  • Of course, you could always just download the binaries from https://www.torproject.org/ and place them in /opt or so, but then you miss SELinux rules, it’s not such a nice (clean) installation method and obviously you don’t have any (better) sandboxing via flatpak.

So what is your recommended way? I could only also imagine using rpm-ostree to layer the original torbrowser-launcher rpm, but is it really worth it?

I use it on two of my Silverblue workstations, what I did was grab the browser binaries, extract them to ~/.local/opt/torbrowser and then let it make its .desktop file however it wanted to on first run.

This tends to be my standard practice - if I can’t run it in Flatpak, and it isn’t something for which I want to bother with running it via toolbox, I’ll usually compile/extract it somewhere in my ~/.local structure rather than a system folder.

Okay, though you lose the SELinux sandboxing then AFAIK. (it’s in the rpm package of torbrowser-launcher)

So my idea now was:

  • make a new container with podman
  • in it install torbrowser-launcher.
  • I then have a double sandboxing and SELinux rules inside the container for Tor Browser
  • going forward, maybe there is a way to move the files and even prevent home dir access

So installing and even downloading worked, but in the end it seems to launch the Firefox browser it uses in some strange way and I cannot see it:

$ torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.1
https://github.com/micahflee/torbrowser-launcher
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
Launching Tor Browser.
Running /home/rugk/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...

Sandboxing with podman is definitely a good way to go. I’ve done that for a whole handful of other untrusted apps (now I just need to find a way to make .desktop files for them to automagically launch in podman!)

If you can’t see it, explore the options in that warning. Sounds like it may be having an issue with wayland?

There is no warning.(?)

FYI SELinux doesn’t apply normally inside containers, the container can’t set any custom SELinux policies. The only way that SELinux takes effect afaik is when you mount volumes into the container.

Thanks, that is important information, because then using Tor Browser in toolbox hardly brings any security advantage.

Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.

I was referring to this one!

AFAIK that warning just means it does not use Wayland (because Qt does have bad Wayland support, AFAIK that is from Qt??), but the x server. So AFAIK it is not really the root cause, at least.

BTW funny, but I indeed did not yet ask the package maintainer whether they could possibly package the launcher (and Tor Browser) as a flatpak. Done now:
https://bugzilla.redhat.com/show_bug.cgi?id=1731284

(This would obviously be the optimal solution.)

Oh, did not notice that, but actually there is already a proposed Flatpak manifest for Tor Browser (Launcher): Package and distribute Tor Browser using Flatpak (#25578) · Issues · Legacy / Trac · GitLab

Maybe this can be more officially supported/maintained (AFAIK they’ve asked for a maintainer there).

Anyway, I’ve also asked the TorBrowser-Launcher (upstream) makers:

@rugk

I know this is a thread on Silverblue, but with what you are trying to do with sandboxing the Tor Browser, could you use policycoreutils-sandbox? I actually use firefox in this fashion.

sandbox -X -w 1920x1080 -H temphome -T tmp -t sandbox_web_t firefox

This instance of Firefox has only access to files in sandbox/temphome, sandbox/tmp. I actually have a Downloads folder and have a firefox profile .mozilla file as well. You are running a virtual X server so copy and paste from that sandboxed firefox won’t work. I do have my vpn plugin for firefox and that works as well. This type of setup works for me for now. Although I have been intrigued by silverblue so far, I’m just not ready to move over completely.

Hope this helps

Unfortunately, it doesn’t solve the problem as in some countries you can’t download Tor Browser directly so Tor Browser Launcher is useless there.
I think it would be better if the Flatpak included all the beast instead.

Anyway, could we just install Tor Browser rpm in toolbox and run it from there?

Oh, so it’s Tor Browser Launcher, not the browser itself. So it doesn’t solve the problem for me, unfortunately.

Any ideas what are the options then?

Well this is kinda off-topic as not Fedora specific, but if the main Tor website is blocked, here is a thread explaining how you could download the Tor binaries (manually and just execute them):

Look for mirrors of the website that may not be blocked like https://lacebolla.net/ or https://tor.eff.org/

Also there is a Telegram bot and a mail for receiving mirrors. Copied the official information from here:

Copied information for downloading

The safest and simplest way to download Tor Browser is from the official Tor Project website at Tor Project | Download. Your connection to the site will be secured using HTTPS, which makes it much harder for somebody to tamper with. However, there may be times when you cannot access the Tor Project website: for example, it could be blocked on your network. If this happens, you can use one of the alternative download methods listed below:

Mirrors

If you’re unable to download Tor Browser from the official Tor Project website, you can instead try downloading it from one of our official mirrors, either through EFF or La Cebolla.

GetTor

GetTor is a service that automatically responds to messages with links to the latest version of Tor Browser, hosted at a variety of locations, such as Dropbox, Google Drive and GitHub.

Get Tor Browser on Telegram

Send a message to @GetTor_Bot on Telegram.

  • Tap on ‘Start’ or write /start in the chat.
  • Select your language.

There are two options to download Tor Browser.

  • Tap on ‘Send me Tor Browser’ and choose your operating system. GetTor will respond with a downloadable Tor Browser file and the signature which can be used to verify the download.
  • Tap on ‘Send me other mirrors for Tor Browser’ to download from one of the official mirrors.

Get Tor Browser via email

Send an email to gettor@torproject.org, and in the body of the message simply write “windows”, “osx”, “linux”, or “android” (without quotation marks) depending on your operating system. For example, to get links for downloading Tor Browser for Windows, send an email to gettor@torproject.org with the word “windows” in it.

GetTor will respond with an email containing links from which you can download the Tor Browser package, the cryptographic signature (needed for verifying the download), the fingerprint of the key used to make the signature, and the package’s checksum. You may be offered a choice of “32-bit” or “64-bit” software: this depends on the model of the computer you are using.

Remember to verify the signature of it:

Signature verification: Import parts of guide copied from website

Fetching the Tor Developers key

The Tor Browser team signs Tor Browser releases. Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

This should show you something like:

gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>

NOTE: Your output may deviate somewhat from the above (eg. expiration dates), however you should see the key correctly imported.

If you get an error message, something has gone wrong and you cannot continue until you’ve figured out why this didn’t work. You might be able to import the key using the Workaround (using a public key) section instead.

After importing the key, you can save it to a file (identifying it by its fingerprint here):

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290

This command results in the key being saved to a file found at the path ./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn’t exist after running this command, something has gone wrong and you cannot continue until you’ve figured out why this didn’t work.

Verifying the signature

To verify the signature of the package you downloaded, you will need to download the corresponding “.asc” signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.

The examples below assume that you downloaded these two files to your “Downloads” folder. Note that these commands use example file names and yours will be different: you will need to replace the example file names with exact names of the files you have downloaded.

For GNU/Linux users (change x86_64 to i686 if you have the 32-bit package):

gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz.asc ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz

The result of the command should contain:

gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

If you get error messages containing ‘No such file or directory’, either something went wrong with one of the previous steps, or you forgot that these commands use example file names and yours will be a little different.

Refreshing the PGP key

Run the following command to refresh the Tor Browser Developers signing key in your local keyring from the keyserver. This will also fetch the new subkeys.

gpg --refresh-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

Workaround (using a public key)

If you encounter errors you cannot fix, feel free to download and use this public key instead. Alternatively, you may use the following command:

curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -

Tor Browser Developers key is also available on keys.openpgp.org and can be downloaded from https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290. The key can also be fetched by running the following command:

gpg --keyserver keys.openpgp.org --search-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

You may also want to learn more about GnuPG.

Finally, if you are in such a country that does so much censoring, you may also read the sections about unblocking tor:

Excerpts from website

Request bridges from within Tor Browser

If you’re starting Tor Browser for the first time, click on “Configure Connection” to open the Tor settings window. In the “Bridges” section, locate the option to “Find more bridges” and click on “Request bridges” for Tor Project to provide a bridge. Complete the Captcha and click “Submit”. Click “Connect” to save your settings.

Or, if you have Tor Browser running, click on “Settings” in the hamburger menu (≡) and then on “Connection” in the sidebar. In the “Bridges” section, locate the option to “Find more bridges” and click on “Request bridges” for Tor Project to provide a bridge. Complete the Captcha and click “Submit”. Your setting will automatically be saved once you close the tab.


Obtain bridges from the Bridges website

  1. Visit our bridges website.
  2. Click on ‘Just give me bridges!’ and copy the bridge lines.
  3. Or use advanced options to select the type of pluggable transport and only get bridges with an IPv6 address.

Obtain bridges via Telegram Bot

  1. Send a message to @GetBridgesBot on Telegram.
  2. Tap on ‘Start’ or write /start in the chat.
  3. To get bridges, type /obfs4 or /webtunnel.
  4. Copy the bridge addresses.

Obtain bridges via Email

Email bridges@torproject.org from a Gmail or Riseup email address and copy the bridge addresses received in the email.


Country-specific guides

China

Below are reliable ways to obtain Tor Browser and connect from within China.

1. Get Tor Browser safely

To get an updated version of Tor Browser, try the Telegram bot first: @gettor_bot. If that doesn’t work, you can send an email to gettor@torproject.org with the subject “windows”, “macos”, “linux” or “android” for the respective operating system.

(Optional but recommended). Verify Tor Browser’s signature.

2. Try Connection Assist first

After the installation, Tor Browser will try to connect to the Tor network. If Tor is blocked in your location, Connection Assist will try to automatically connect using a bridge or Snowflake. But if that doesn’t work, the second step will be to obtain a bridge that works in China.

3. Bridge options that work in China

  • Try connecting to Tor with WebTunnel bridges. WebTunnel makes the traffic look like a regular HTTPS connection to a webpage server giving the impression that the user is simply browsing the web. Support for WebTunnel bridges is available on Tor Browser for Desktop and Android, Tails and Tor VPN Beta.

To obtain WebTunnel bridges:

  • Send a message to @GetBridgesBot on Telegram. Tap on ‘Start’ or write /start in the chat. Next, tap on ‘webtunnel bridges’ or type /webtunnel and copy the bridge addresses.
  • Visit our bridges website. From the “Advanced options” select “WebTunnel”, from the dropdown, as the pluggable transport. Then click on “Get Bridges”.

For WebTunnel bridges obtained via Telegram or from the Bridges website, follow instructions to enter the bridge addresses in Tor Browser. If that does not work, check your Tor logs and try the following options.

  • Snowflake: uses ephemeral proxies to connect to the Tor network. It’s available in Tor Browser and other Tor powered apps like Orbot. You can select Snowflake from Tor Browser’s built-in bridge menu.
  • meek: makes it look like you are browsing a website instead of using Tor. However, because it has a bandwidth limitation, this option will be quite slow. You can select meek from Tor Browser’s built-in bridges dropdown.

4. Getting help

If you need help, you can contact our support team on Telegram Tor Project Support and Signal. Or send an email to frontdesk@torproject.org with the phrase “connect cn” in the subject of the email.

Russia

Since December 2021, many Internet providers in Russia have been blocking direct connections to the Tor network, so users generally need to connect through a bridge. The obfs4 bridge type remains the most widely used in Russia, but some mobile ISPs have begun blocking it through Deep Packet Inspection (DPI). In those cases, switching to WebTunnel bridges hosted on less well-known providers (rather than major hosts like OVH, Hetzner, Linode, or DigitalOcean) can help you bypass these restrictions.

Find up-to-date instructions on how to circumvent censorship and connect to Tor from Russia on our forum guide: Tor blocked in Russia - how to circumvent censorship.

To get an updated version of Tor Browser, try the Telegram bot first: @gettor_bot.

If you need help, contact us via Telegram, WhatsApp, Signal, or by email frontdesk@torproject.org. When you reach out, include “private bridge ru” in your message (subject line or chat text) so our team can send you the right instructions more quickly.

Turkmenistan

In Turkmenistan, direct access to the Tor network is heavily restricted. The most reliable way to connect with Tor Browser is usually through Snowflake, and using AMP cache as the front domain. It’s also possible to connect using obfs4 bridges, but users need to find bridges hosted on less-well-known providers rather than major hosting companies, since they are frequently blocked.

To get an updated version of Tor Browser, try the Telegram bot first: @gettor_bot.

If you need help, contact us via Telegram, WhatsApp, Signal, or by email frontdesk@torproject.org. When you reach out, include “private bridge tm” in your message (subject line or chat text) so our team can send you the right instructions more quickly.

Belarus

If you are connecting to Tor from Belarus, there are several options you can try.

Download Tor Browser

To get an updated version of Tor Browser, try our Telegram bot: @GetTor_bot.

1. Direct connection

The first and easiest option to try is a direct connection to Tor, which could be available on some ISPs. Open Tor Browser and click or tap “Connect”.

2. Using a Tor bridge

If the direct connection to the Tor network didn’t work, you may need to use a Tor bridge. At the moment, we aren’t aware of any specific bridge blocking mechanism in Belarus, so you can use obfs4, WebTunnel bridges, or snowflake.

Obfs4

To get obfs4 bridges please use our Telegram bot: @getbridgesbot.

Start the chat with the bot and type the command /obfs4.

WebTunnel

To get WebTunnel bridges please use our Telegram bot: @getbridgesbot.

Start the chat with the bot and type the command /webtunnel.

Snowflake

If the direct connection doesn’t work, try using Snowflake.

Using Snowflake with Tor Browser for Android

  1. Tap “Configure connection” when on the “Connect to Tor” screen.
  2. Navigate to the “Connection” section in Settings.
  3. Tap “Config Bridge” to configure a bridge.
  4. With the “Use a Bridge” option select “Snowflake”.
  5. Return to the “Connect to Tor” screen and tap “Connect”.

Using Snowflake with Tor Browser for Desktop

If you have Tor Browser running,

  1. Click “Settings” in the hamburger menu (≡) and then go to “Connection” in the sidebar.
  2. In the “Bridges” section, from the option “Choose from one of Tor Browser’s built-in bridges” select “Snowflake”.

Getting support

If you need help, contact us via Telegram, WhatsApp, Signal, or by email frontdesk@torproject.org. When you reach out, include “private bridge by” in your message (subject line or chat text) so our team can send you the right instructions more quickly.
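
The signature verification steps from the copied guide above, as a scriptable check (an added example, not part of the original posts or the Tor Project's own tooling): rather than reading gpgv's human-readable output, it parses the `--status-fd` lines and accepts a download only if the signature's primary key fingerprint is the one quoted in the guide. The function names, the script name and the sample status line are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify a Tor Browser tarball obtained from a mirror or GetTor
# and pin the signer's primary key. The fingerprint is the one quoted in the
# guide above; everything else here is illustrative.

TOR_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Constructed status line for demonstration (the signing subkey fingerprint,
# date and algorithm fields are made up). In a VALIDSIG line the last field is
# the primary key fingerprint; releases are signed with a subkey of that key.
SAMPLE_OK='[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# Read GnuPG status lines on stdin. Succeed only if a VALIDSIG line names the
# expected primary key and no bad/expired/revoked status appears anywhere.
status_is_trusted() {
    local expected="$1" line ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*|\
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # ${line##* } strips everything up to the last space.
                [ "${line##* }" = "$expected" ] && ok=0 || return 1 ;;
        esac
    done
    return "$ok"
}

# Run gpgv against the exported keyring and check both its exit code and
# the machine-readable status (status goes to stdout via --status-fd 1).
verify_tarball() {
    local keyring="$1" sig="$2" tarball="$3" status
    status="$(gpgv --status-fd 1 --keyring "$keyring" "$sig" "$tarball" 2>/dev/null)" || return 1
    printf '%s\n' "$status" | status_is_trusted "$TOR_FPR"
}

# Usage: ./verify-tb.sh ./tor.keyring FILE.tar.xz.asc FILE.tar.xz
if [ "$#" -eq 3 ]; then
    if verify_tarball "$1" "$2" "$3"; then
        echo "OK: signed under primary key $TOR_FPR"
    else
        echo "FAILED: do not extract $3" >&2
        exit 1
    fi
fi
```

An expired-key status is treated as a failure here, which is the case where the guide's "Refreshing the PGP key" step applies before retrying.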

You can still do this in Silverblue, if you want to: run rpm-ostree install torbrowser-launcher as root. (Yes, this is not nice. And you need to reboot to apply the RPM installation)

However, I don’t see SELinux rules in the package – or are they stored somewhere else, just relying on the paths in that package?