Whonix Digital Signature Policy

From Whonix


todo

Whonix Source Code - Digital Signature Policy

  • Signed git head: The git head should always be signed by a core developer.
  • Signed git tags: All git tags should always be signed.
  • Source code digital signatures policy: All source code used to build Whonix is held to the System Security Level "Always use software signatures verification".
    • Source code by Whonix developers: Must be signed at least after merge.
    • Signed git tag policy: Git tags in all source code repositories must always be signed and point to signed commits.
    • Signed commits policy: The head of git commits in all source code repositories must always be signed.
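As an added example (this is not Whonix or derivative-maker code), the following POSIX shell gate enforces the two rules above before a build starts: HEAD must carry a good signature from a core developer, and a release tag must be signed and point to a signed commit. The policy decision is kept in pure shell functions so it can be exercised without keys; the require_* wrappers call git, which needs gpg and the core developers' public keys imported. CORE_DEV_FINGERPRINTS is a hypothetical, operator-supplied allowlist of primary-key fingerprints and is left empty here.

```shell
#!/bin/sh
# Added example, not Whonix or derivative-maker code: a pre-build gate for the
# "signed HEAD" and "signed tags pointing to signed commits" rules.
# The policy decision (gpg_status_letter, signature_status_allowed) is pure
# shell; the require_* wrappers need git, gpg and the imported public keys.
#
# Assumption: CORE_DEV_FINGERPRINTS is a hypothetical, operator-supplied,
# space-separated allowlist of primary-key OpenPGP fingerprints. It is
# deliberately left empty here; an empty allowlist admits nothing.
CORE_DEV_FINGERPRINTS="${CORE_DEV_FINGERPRINTS:-}"

# Map raw gpg status lines (stdin) to the one-letter codes git uses for its
# %G? placeholder: G good, X expired signature, Y expired key, R revoked key,
# B bad, E cannot check, N no signature.
gpg_status_letter() {
    awk '
        /^\[GNUPG:] GOODSIG /   { s = "G" }
        /^\[GNUPG:] EXPSIG /    { s = "X" }
        /^\[GNUPG:] EXPKEYSIG / { s = "Y" }
        /^\[GNUPG:] REVKEYSIG / { s = "R" }
        /^\[GNUPG:] BADSIG /    { s = "B" }
        /^\[GNUPG:] ERRSIG /    { s = "E" }
        END { if (s == "") s = "N"; print s }'
}

# Policy: accept only a cryptographically good signature (G, or U = good but
# not trusted by gpg's web of trust) whose primary-key fingerprint is on the
# allowlist. Trust comes from the allowlist, not from gpg's trust database.
#   $1 status letter   $2 signer primary-key fingerprint   $3 allowlist
signature_status_allowed() {
    status="$1"; fpr="$2"; allow="$3"
    case "$status" in
        G|U) ;;
        X|Y|R) echo "rejected: expired or revoked signature/key" >&2; return 1 ;;
        E)     echo "rejected: signature cannot be checked (key missing?)" >&2; return 1 ;;
        B)     echo "rejected: BAD signature" >&2; return 1 ;;
        *)     echo "rejected: no signature" >&2; return 1 ;;
    esac
    for allowed in $allow; do
        if [ -n "$fpr" ] && [ "$allowed" = "$fpr" ]; then
            return 0
        fi
    done
    echo "rejected: good signature, but key '$fpr' is not a core developer key" >&2
    return 1
}

# Abort unless the commit (default: HEAD) is signed by a core developer.
require_signed_commit() {
    ref="${1:-HEAD}"
    line=$(git log -1 --format='%G? %GP' "$ref") || return 1
    status="${line%% *}"
    fpr="${line#* }"          # empty when git prints "N " for an unsigned commit
    signature_status_allowed "$status" "$fpr" "$CORE_DEV_FINGERPRINTS"
}

# Abort unless the tag is signed by a core developer AND the commit it points
# to is itself signed (both halves of the signed-tag policy).
require_signed_tag() {
    tag="$1"
    out=$(git verify-tag --raw "$tag" 2>&1) || true   # verdict re-derived below
    status=$(printf '%s\n' "$out" | gpg_status_letter)
    fpr=$(printf '%s\n' "$out" | awk '/^\[GNUPG:] VALIDSIG /{print $NF; exit}')
    signature_status_allowed "$status" "$fpr" "$CORE_DEV_FINGERPRINTS" || return 1
    commit=$(git rev-parse "$tag^{commit}") || return 1
    require_signed_commit "$commit"
}

# Typical use at the top of a build script:
#   require_signed_commit HEAD || exit 1
#   require_signed_tag "$RELEASE_TAG" || exit 1
```

The fingerprint comparison is what makes "signed by a core developer" enforceable: a good signature from any key that happens to be in the builder's keyring (status G or U) is still rejected unless its primary-key fingerprint is on the allowlist, and expired, revoked, bad or missing signatures are rejected outright.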

Whonix Build System - Digital Signature Policy

  • Build source code signature verification: All source code used to build Whonix using Derivative-Maker must always verify all digital software signatures.
  • Unsigned code execution prohibition: Executing unsigned code is prohibited.
  • Unsigned code deployment prohibition: Deployment of unsigned code is prohibited.
  • Software build digital signatures policy: All source code used to build Whonix must always use software digital signature verification.
    • Download signature verification during build: When Derivative-Maker downloads software (such as dependency packages, default installed packages) for the creation of binary images, all software must always come with digital signatures that are verified before executing the code and/or before adding the software to the image.
  • Failure reaction: If software signature verification fails, the build must be aborted.
  • Exception policy: Hardcoding strong hashsums might be appropriate in exceptional cases where digital software signatures are unavailable.
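As an added example (not derivative-maker code), the following POSIX shell functions implement the build-side rules above: a downloaded artifact is admitted only after its detached OpenPGP signature verifies against a dedicated keyring and the expected signer, a failed check aborts rather than falling through, and a hardcoded SHA-256 hashsum is accepted only as the exception path when no signature exists. The artifact is assumed to have been fetched to a local path already; UPSTREAM_KEYRING and UPSTREAM_FINGERPRINT are hypothetical operator-supplied values left empty here.

```shell
#!/bin/sh
# Added example, not derivative-maker code: admit a downloaded artifact into
# the build only after verification, with the failure reaction and the
# hashsum exception from the policy built in.
#
# Assumptions (hypothetical, for illustration): the artifact has already been
# fetched to a local path; UPSTREAM_KEYRING is a dedicated keyring file that
# holds only the upstream signing key; UPSTREAM_FINGERPRINT is that key's
# primary fingerprint. Both are operator-supplied and left empty here.
UPSTREAM_KEYRING="${UPSTREAM_KEYRING:-}"
UPSTREAM_FINGERPRINT="${UPSTREAM_FINGERPRINT:-}"

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Exception path: compare against a hashsum hardcoded in the build scripts.
#   $1 file   $2 expected SHA-256 hex digest
verify_pinned_sha256() {
    actual=$(sha256_of "$1") || return 1
    if [ -n "$actual" ] && [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "hashsum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Preferred path: detached OpenPGP signature checked against the dedicated
# keyring only (never the builder's personal keyring), and the signer's
# primary-key fingerprint must match the expected upstream key. gpg exiting 0
# is not sufficient on its own: any key in the keyring would satisfy that.
#   $1 file   $2 detached signature   $3 keyring   $4 expected fingerprint
verify_detached_signature() {
    out=$(gpg --batch --status-fd 1 --no-default-keyring --keyring "$3" \
              --verify "$2" "$1" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$out" | awk '/^\[GNUPG:] VALIDSIG /{print $NF; exit}')
    if [ -n "$signer" ] && [ "$signer" = "$4" ]; then
        return 0
    fi
    echo "signature on $1 not made by expected key '$4'" >&2
    return 1
}

# Decide whether the artifact may be executed or copied into the image.
#   $1 file   $2 detached signature or ""   $3 keyring   $4 expected fingerprint
#   $5 pinned SHA-256 or ""
# A failed signature check aborts; it never falls through to the hashsum.
admit_artifact() {
    file="$1"; sig="$2"; keyring="$3"; fpr="$4"; pinned="$5"
    if [ -n "$sig" ]; then
        verify_detached_signature "$file" "$sig" "$keyring" "$fpr" && return 0
        echo "ABORT: signature verification failed for $file" >&2
        return 1
    fi
    if [ -n "$pinned" ]; then
        echo "note: $file has no signature; applying the hashsum exception" >&2
        verify_pinned_sha256 "$file" "$pinned" && return 0
        echo "ABORT: hashsum verification failed for $file" >&2
        return 1
    fi
    echo "ABORT: $file is unsigned and has no pinned hashsum" >&2
    return 1
}

# Typical use in a build step (paths and values are operator-supplied):
#   admit_artifact ./pkg.deb ./pkg.deb.asc "$UPSTREAM_KEYRING" "$UPSTREAM_FINGERPRINT" "" || exit 1
```

Two details matter in practice: --no-default-keyring with an explicit --keyring keeps a stray key in the builder's personal keyring from satisfying the check, and matching the VALIDSIG primary-key fingerprint guards against the keyring later accumulating more than the one intended upstream key.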

Whonix Downloads - Digital Signature Policy

  • Image signing: All images must always be signed.
  • Repository signing: The package repository must always be signed.

Whonix Documentation - Digital Signature Policy

  • Documentation digital signatures policy: All documentation on the topic of software installation and updating should always contain recommendations (and if feasible, detailed instructions) to verify digital signatures. Wiki templates such as Template:Always_verify_signatures and Template:unsigned_software should be used.
    • Automatic verification notice exemption: If digital software verification is automatic, as when installing packages from packages.debian.org using APT with the default repositories, then no special notice is required; it would be superfluous.
  • Prohibition examples:
    • curl bash pipe: For example, Derivative-Maker using a curl bash pipe curl some-domain.com | bash (i.e. downloading an executable from a remote server and executing it without prior digital software signature verification) is prohibited.
    • Unverified software installation: As a hypothetical example: "wget virtualbox.org/virtualbox.deb && dpkg --install virtualbox.deb" (in this example, downloading a VirtualBox Debian package from the VirtualBox website and installing it without digital software verification) is prohibited.
  • Manual verification reminder requirement: If digital signature verification is not automated (as it is, for example, when APT installs packages from the Debian default repositories), then Template:Always verify signatures reminder must always be used.

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Whonix, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital software signatures.

  • Unsigned software documentation policy: If documented software does not provide digital signatures, then Template:Unsigned_software must always be used.

This software installation might be a security risk. Installation is discouraged, following the recommended best practices for software installation:

Unsigned software: You cannot follow the usual security advice to always verify software signatures, because - as far as the author of this page knows - at the time of writing, the original developer (upstream) does not provide digital signatures for their software. Users may wish to check if that has changed or consider requesting this feature from the developer.


Effective Date

  • Date of enforcement: This policy has always been enforced for Whonix. However, this elaborate technical description was added in April 2025. It was moved to its own dedicated wiki page at the end of July 2025.

Appendix


Upstream Feature Request - Signed Git

signed git tags / signed git commits
For better security, could you please sign all upcoming git commits and git tags?

It's useful in case github [gets hacked](http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted) again, or in case [SSL CAs](https://en.wikipedia.org/wiki/DigiNotar) get [hacked](http://www.scmagazine.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/) again.

> What about commits from other developers that submit pull requests?

In that case you just sign the merge commit. Therefore git master will always be some git commit signed by you, no matter if you merged commits by other developers.

References:

* https://github.com/blog/2144-gpg-signature-verification
* https://help.github.com/articles/signing-commits-with-gpg/
* http://mikegerwitz.com/papers/git-horror-story
* https://forums.whonix.org/t/security-git-general-verification-verifying-whonix-submodules/513/11

I think this makes sense. I've been signing my git commits by default lately, ever since I discovered I could make my ~/.gitconfig look like this:

~/.gitconfig

[user]
    name = Your Name
    email = example@example.com
    signingkey = signing-key-fingerprint

## Qubes
#[gpg]
    #program = qubes-gpg-client-wrapper

[commit]
    gpgsign = true

List of Upstream Feature Requests - Signed Git

