Installer/Verify the Installer using the command line

Introduction

You'll need GPG, which you can find here: https://www.gpg4win.org

The releases of the Whonix ™-Installer have been signed by Ego, so you need to import his signing key to verify the Installer.

This page is strongly related to the Trust page.

Download the key

1. Download Ego's OpenPGP key:
ego.asc

2. Store ego.asc in a folder you will remember.

3. Open the command line by pressing the Windows-Key and R simultaneously and executing cmd.exe.

4. Change into the folder you stored ego.asc in by typing the following into the window you just opened:

cd /Foldername/

5. Check fingerprints/owners without importing anything by using the following.

gpg --keyid-format long --with-fingerprint ego.asc

6. Verify it shows the following.

pub  4096R/584A8DF9FBB8E862 2016-08-12 Ego <ego-superego-id@protonmail.com>
Key fingerprint = 2B72 83C9 D382 4D7F 9D11  8364 584A 8DF9 FBB8 E862
sub  4096R/B63EEBBFD6D1BAA7 2016-08-12

7. Import the key by typing.

gpg --import ego.asc

The output should tell you that the key was imported:

gpg: key FBB8E862: public key "Ego <ego-superego-id@protonmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

If you had already imported Ego's signing key in the past, the output should tell you that the key was not changed:

gpg: key FBB8E862: "Ego <ego-superego-id@protonmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

If you are shown the following message at the end of the output:

gpg: no ultimately trusted keys found

Analyse the other messages as usual. This extra message doesn't relate to Ego's signing key that you downloaded; it usually means that you haven't created an OpenPGP key for yourself yet, which is of no importance for verifying the Installer.

Verifying the Installer

Now, download the cryptographic (OpenPGP) signature and save it in the same folder as the Installer:

Install Whonix ™.exe.asc

Then start the cryptographic verification, which may take several minutes, by typing the following.

cd [the directory in which you downloaded the Installer and .asc files]
gpg --verify-options show-notations --verify "Install Whonix ™.exe.asc" "Install Whonix ™.exe"

If the Installer is correct, the output will tell you that the signature is good:

gpg: Signature made Sun Jan 6 11:55:22 PM 2017 CET using RSA key ID FBB8E862
gpg: Good signature from "Ego <ego-superego-id@protonmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B72 83C9 D382 4D7F 9D11  8364 584A 8DF9 FBB8 E862

This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in Ego's signing key and the Web of Trust. To remove this warning you would have to personally sign Ego's signing key with your own key.

If all checks out, the Installer hasn't been tampered with and can be used safely.


If the Installer is not correct, the output will tell you that the signature is bad:

gpg: Signature made Sun Jan 6 11:55:22 PM 2017 CET
gpg: using RSA key FBB8E862
gpg: BAD signature from "Ego <ego-superego-id@protonmail.com>"

In this case do NOT use the Installer! Please download it again instead!
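When the check above is scripted rather than read by eye, the decision should come from gpg's machine-readable status lines (`--status-fd`) and the full fingerprint, not from matching the "Good signature" text or the short key ID. The following is an added example, not part of the Whonix wiki or its tooling; the function names and the sample status lines are constructed for illustration, and the expected fingerprint is the one listed on this page.

```python
import subprocess

# Fingerprint this page lists for Ego's signing key, spaces removed.
EXPECTED_FPR = "2B7283C9D3824D7F9D118364584A8DF9FBB8E862"
# Status keywords that must never be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample status output (timestamps and field values are made up).
SAMPLE_GOOD = """\
[GNUPG:] GOODSIG 584A8DF9FBB8E862 Ego <ego-superego-id@protonmail.com>
[GNUPG:] VALIDSIG 2B7283C9D3824D7F9D118364584A8DF9FBB8E862 2017-01-06 1483743322 0 4 0 1 8 00 2B7283C9D3824D7F9D118364584A8DF9FBB8E862
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_BAD = "[GNUPG:] BADSIG 584A8DF9FBB8E862 Ego <ego-superego-id@protonmail.com>\n"


def check_status(status_text, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason) from gpg --status-fd output.

    Accept only GOODSIG plus a VALIDSIG whose primary-key fingerprint
    (tenth argument) equals expected_fpr; fail closed otherwise.
    """
    good, primary = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text is ignored on purpose
        parts = line.split()[1:]
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(args) > 9:
            primary = args[9].upper()
    if not good or primary is None:
        return False, "no valid signature reported"
    if primary != expected_fpr:
        return False, "signed by unexpected key " + primary
    return True, "good signature from " + primary


def verify_installer(sig_path, file_path, gpg="gpg"):
    """Run gpg --verify; judge by status lines and exit code, not by text."""
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", sig_path, file_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    ok, reason = check_status(proc.stdout)
    return ok and proc.returncode == 0, reason
```

A signature from any other key in the keyring also produces GOODSIG, which is why the fingerprint comparison is part of the decision.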

License

Whonix ™ Installer/Verify the Installer using the command line wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Installer/Verify the Installer using the command line wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
Whonix ™ Installer/Verify the Installer using the command line wiki page Copyright (C) 2017 Ego <ego-superego-id@protonmail.com>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.
