Jump to: navigation, search

Installer/Verify the Installer using the command line

Introduction[edit]

You'll need GPG which you may find here: https://www.gpg4win.org

The releases of the Whonix-Installer have been signed by Ego which is why it is necessary to import his signing key to verify the Installer.

This page is strongly related to the Trust page.

Download the key[edit]

1. Download Ego's OpenPGP key:
ego.asc

2. Store ego.asc in a folder you will remember.

3. Open the command line by pressing the Windows-Key and R simultaneously and executing cmd.exe.

4. Change into the folder you stored ego.asc in by typing the following into the window you just opened:

cd /Foldername/

5. Check fingerprints/owners without importing anything by using the following.

gpg --keyid-format long --with-fingerprint ego.asc

6. Verify it shows the following.

pub  4096R/584A8DF9FBB8E862 2016-08-12 Ego <ego-superego-id@protonmail.com>
Key fingerprint = 2B72 83C9 D382 4D7F 9D11  8364 584A 8DF9 FBB8 E862
sub  4096R/B63EEBBFD6D1BAA7 2016-08-12

7. Import the key by typing.

gpg --import ego.asc

The output should tell you that the key was imported:

gpg: key FBB8E862: public key "Ego <ego-superego-id@protonmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

If you had already imported Ego's signing key in the past, the output should tell you that the key was not changed:

gpg: key FBB8E862: "Ego <ego-superego-id@protonmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

If you are shown the following message at the end of the output:

gpg: no ultimately trusted keys found

Analyse the other messages as usual: this extra message doesn't relate to Ego's signing key that you downloaded and usually means that you didn't create an OpenPGP key for yourself yet, which is of no importance to verify the virtual machine images.

Verifying the Installer[edit]

Now, download the cryptographic (OpenPGP) signature and save it in the same folder as the Installer:

Whonix-Installer.exe.asc

Then, start the cryptographic verification, which may take several minutes by typing the following.

cd [the directory in which you downloaded the Installer and .asc files]
gpg --verify-options show-notations --verify Whonix-Installer.exe.asc Whonix-Installer.exe

If the Virtual Machine image is correct the output will tell you that the signature is good:

gpg: Signature made Sun Jan 6 11:55:22 PM 2017 CET using RSA key ID FBB8E862
gpg: Good signature from "Ego <ego-superego-id@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B72 83C9 D382 4D7F 9D11  8364 584A 8DF9 FBB8 E862

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in Ego's signing key and the Web of Trust. To remove this warning you would have to personally sign Ego's signing key with your own key.

If all checks out, the Installer hasn't been tampered with and can be used safely.


If the Virtual Machine image is not correct the output will tell you that the signature is bad:

gpg: Signature made Sun Jan 6 11:55:22 PM 2017 CET
gpg: using RSA key FBB8E862
gpg: BAD signature from "Ego <ego-superego-id@protonmail.com>"

In this case do NOT use the Installer! Please download it instead again!

See Also[edit]

License[edit]

Whonix Installer/Verify the Installer using the command line wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Installer/Verify the Installer using the command line wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>
Whonix Installer/Verify the Installer using the command line wiki page Copyright (C) 2017 Ego <ego-superego-id@protonmail.com>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)