Installing software w/ Tor as transport

I’ve attempted to install hexchat on one of my templates. I’ve set my Qubes to update via Tor. I’ve got errors like this:

--------------------------cut
root@debian-11-clone:/home/user# apt install hexchat
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
The following additional packages will be installed:
hexchat-common hexchat-perl hexchat-plugins hexchat-python3 libgail-common
libgail18 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common
Suggested packages:
hexchat-otr unifont
The following NEW packages will be installed:
hexchat hexchat-common hexchat-perl hexchat-plugins hexchat-python3
libgail-common libgail18 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common
0 upgraded, 10 newly installed, 0 to remove and 34 not upgraded.
Need to get 6,046 kB of archives.
After this operation, 32.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Err:1 Index of /debian bullseye/main amd64 hexchat-common all 2.14.3-6+deb11u1
Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. Could not handshake: Error in the certificate verification. [IP: 127.0.0.1 8082]
--------------------------cut

Does this mean that someone is running sslstrip on the exit node I currently use? What should I do about this? Restart Tor via the sys-whonix Tor control panel? Use “new identity”? Restart the entire sys-whonix?
BTW: Does Debian have Tor mirrors? Does Qubes OS have a Tor mirror? Or does this all just work over Tor exit nodes?

If you scroll to the bottom of Debian’s onion page, you’ll find the hidden repos. If you’re updating via Whonix, you will not necessarily need the “tor+” that’s required for the apt-transport-tor package.

Thanks. Now I know Debian has its own .onion, but according to the bottom of Debian’s onion page the .onions are for the ‘buster’ release. I indeed have bullseye (Debian 11). And installing the apt-transport-tor package will also install tor itself into the template. I’m not sure it’s okay - the Qubes team didn’t make this - they left templates to update via sys-whonix.

If you check the repo list in your Debian template it will show you the correct format for Bullseye.

less /etc/apt/sources.list

Keep the same format and repos as listed there, but comment out the clear URLs and add new lines with the appropriate onion site. Be careful to distinguish between the ftp and security repos.

apt-transport-tor should already be installed in Whonix.

Everything you need is here:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Onionizing_Repositories (whonix wiki)

Install apt-transport-tor without recommended packages because otherwise you might install a package that goes online unintentionally. Always check your template for unwanted traffic (e.g. with iftop) after you have installed something new - the best qube to do that should be sys-net or your first firewall qube.

Best regards
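
Added example, not part of any post in this thread: the sources.list edit described above (comment out the clearnet Debian entries, add onion lines beneath them, keep the main and security repos apart). The onion hostnames are placeholders to be copied from Debian's onion page; the /debian-security path rule and the sample input are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): comment out clearnet Debian entries
# in a sources.list and add the onion equivalent under each one.
# PLACEHOLDER hostnames: copy the real ones from Debian's onion page.
MAIN_ONION="${MAIN_ONION:-MAIN-REPO-PLACEHOLDER.onion}"
SEC_ONION="${SEC_ONION:-SECURITY-REPO-PLACEHOLDER.onion}"
# "tor+http" needs apt-transport-tor; plain "http" may be enough behind Whonix.
SCHEME="${SCHEME:-tor+http}"

# Reads a sources.list on stdin, writes the rewritten file to stdout.
onionize_sources() {
  awk -v main="$MAIN_ONION" -v sec="$SEC_ONION" -v scheme="$SCHEME" '
    # Active deb/deb-src lines that point at a *.debian.org host.
    /^[ \t]*deb(-src)?[ \t]/ && match($0, /https?:\/\/[a-z0-9.-]+\.debian\.org/) {
      host = substr($0, RSTART, RLENGTH)
      rest = substr($0, RSTART + RLENGTH)
      # Assumption: the security repo is identified by its host name or
      # by a /debian-security path; everything else is the main archive.
      onion = (host ~ /security\.debian\.org$/ || rest ~ /^\/debian-security/) ? sec : main
      print "#" $0
      print substr($0, 1, RSTART - 1) scheme "://" onion rest
      next
    }
    { print }   # comments and third-party repos pass through unchanged
  '
}

# Constructed sample input in the bullseye format.
sample_sources() {
  cat <<'EOF'
deb https://deb.debian.org/debian bullseye main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main contrib non-free
#deb-src https://deb.debian.org/debian bullseye main
deb [arch=amd64] https://repo.example.org/apt bullseye main
EOF
}

sample_sources | onionize_sources
```

Run it against a copy of /etc/apt/sources.list and review the output before replacing the real file.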