Installer/Verify the Installer using the command line
You'll need GPG which you may find here: https://www.gpg4win.org
The releases of the Whonix-Installer are signed by Ego, so you need to import his signing key to verify the Installer.
This page is strongly related to the Trust page.
1. Download the key
2. Store ego.asc in a folder you will remember.
3. Open the command line by pressing the Windows-Key and R simultaneously and executing cmd.exe.
4. Change into the folder you stored ego.asc in by typing the following into the window you just opened:
5. Check fingerprints/owners without importing anything by using the following.
gpg --keyid-format long --with-fingerprint ego.asc
6. Verify it shows the following.
pub 4096R/584A8DF9FBB8E862 2016-08-12 Ego <firstname.lastname@example.org>
Key fingerprint = 2B72 83C9 D382 4D7F 9D11 8364 584A 8DF9 FBB8 E862
sub 4096R/B63EEBBFD6D1BAA7 2016-08-12
7. Import the key by typing.
gpg --import ego.asc
The output should tell you that the key was imported:
gpg: key FBB8E862: public key "Ego <email@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
If you had already imported Ego's signing key in the past, the output should tell you that the key was not changed:
gpg: key FBB8E862: "Ego <firstname.lastname@example.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
If you are shown the following message at the end of the output:
gpg: no ultimately trusted keys found
Analyse the other messages as usual. This extra message is unrelated to Ego's signing key that you downloaded; it usually means that you have not yet created an OpenPGP key for yourself, which does not matter for verifying the Installer.
Verifying the Installer
Now, download the cryptographic (OpenPGP) signature and save it in the same folder as the Installer:
Then start the cryptographic verification, which may take several minutes, by typing the following.
cd [the directory in which you downloaded the Installer and .asc files]
gpg --verify-options show-notations --verify "Install Whonix.exe.asc" "Install Whonix.exe"
If the Installer is correct, the output will tell you that the signature is good:
gpg: Signature made Sun Jan 6 11:55:22 PM 2017 CET using RSA key ID FBB8E862
gpg: Good signature from "Ego <email@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B72 83C9 D382 4D7F 9D11 8364 584A 8DF9 FBB8 E862
This might be followed by a warning saying:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This doesn't alter the validity of the signature according to the key you downloaded. The warning instead concerns the trust that you put in Ego's signing key and the Web of Trust. To remove this warning you would have to personally sign Ego's signing key with your own key.
If everything checks out, the Installer hasn't been tampered with and can be used safely.
If the Installer is not correct, the output will tell you that the signature is bad:
gpg: Signature made Sun Jan 6 11:55:22 PM 2017 CET
gpg: using RSA key FBB8E862
gpg: BAD signature from "Ego <firstname.lastname@example.org>"
In this case do NOT use the Installer! Please download it again instead!
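The good/bad decision described above can also be made from gpg's machine-readable status lines instead of reading the text by eye: a good signature is accepted only if it was made by the key whose fingerprint is shown in step 6. This is an added example, not part of the Whonix wiki; it assumes Python 3 and gpg on the PATH, and the function names and sample status lines are constructed for illustration.

```python
import subprocess

# Fingerprint of Ego's signing key as printed on this page, spaces removed.
EXPECTED_FPR = "2B7283C9D3824D7F9D118364584A8DF9FBB8E862"
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, expected_fpr=EXPECTED_FPR):
    """Return (accepted, reason) from the output of gpg --status-fd."""
    good, primary_fprs = False, []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line
        keyword = fields[1]
        if keyword in FAILURES:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # The last field is the primary key fingerprint when gpg reports
            # it; otherwise use the signing key fingerprint in fields[2].
            primary_fprs.append(fields[-1] if len(fields) >= 12 else fields[2])
    if not good or not primary_fprs:
        return False, "no good signature reported"
    if any(fpr.upper() != expected_fpr for fpr in primary_fprs):
        return False, "signed by an unexpected key"
    return True, "good signature from expected key"

def verify_installer(sig_path, file_path):
    """Run gpg on the signature and the Installer, then judge its status output."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, encoding="utf-8", errors="replace")
    return check_status(proc.stdout)

# Constructed sample status output; the timestamp and the second
# fingerprint below are made up for the demonstration.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 584A8DF9FBB8E862 Ego <firstname.lastname@example.org>\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2017-01-06 1483743322 0 4 0 1 10 00 {EXPECTED_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 584A8DF9FBB8E862 Ego <firstname.lastname@example.org>\n"
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(
    EXPECTED_FPR, "0123456789ABCDEF0123456789ABCDEF01234567")

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_BAD", "SAMPLE_OTHER_KEY"):
        print(name, check_status(globals()[name]))
```

For a real check, call verify_installer("Install Whonix.exe.asc", "Install Whonix.exe") from the folder that holds both files.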
Whonix Installer/Verify the Installer using the command line wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Installer/Verify the Installer using the command line wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <email@example.com>
Whonix Installer/Verify the Installer using the command line wiki page Copyright (C) 2017 Ego <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.