Jump to: navigation, search

KVM/Verify the virtual machine images using Linux

< KVM

You need to have the kgpg package installed. If you're not sure or want to install it, under Debian, Ubuntu or Whonix you can issue the following commands:

sudo apt-get update
sudo apt-get install kgpg

First, download the Whonix Signing Key.

Open patrick.asc with kgpg.

You will get notified will the following message:

(E-mail was changed to adrelanos at riseup do net, but this doesn't change anything, since the key fingerprint remains the same.)

Kgpg key imported new.png

Or if you previously already imported the key:

Kgpg key imported unchanged.png

Now, download the cryptographic signature corresponding to the virtual machine image (libvirt.xz archive) you want to verify and store it in the same folder as the virtual machine image:

Download Whonix Signature

Start kgpg, go to kgpg -> File -> Open Editor -> Signature -> Verify Signature... -> Choose the downloaded cryptographic signature (.asc).

It will take a while and there is no progress meter. Please wait a few moments.

If the virtual machine image is correct you will get a notification telling you that the signature is good:

(E-mail was changed to adrelanos at riseup do net, but this doesn't change anything, since the key fingerprint remains the same.)

Kgpg verification success.png

The first line includes the signature creation timestamp.

Click on Details. See example below.

[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-01-19

To help you check, that the file name has not been tampered with, beginning from Whonix version 9.6 and above, by convention, the file@name OpenPGP notation includes the file name.

Click on Details. See example below.

gpg: Signature notation: file@name=Whonix-Gateway-13.0.0.1.1.libvirt.xz

If the virtual machine image is not correct you will get a notification telling you that the signature is bad:

(E-mail was changed to adrelanos at riseup do net, but this doesn't change anything, since the key fingerprint remains the same.)

Kgpg verification failed.png

Troubleshooting[edit]

If you encounter an error with GPG, first try a web search with the relevant error text. Additionally, the security stackexchange siteis able to help with GPG problems. Describe your problem thoroughly, but be sure that your question is GPG related and not Whonix specific.

More help resources are on the Support page.
  1. Defined as per TUF: Attacks and Weaknesses:
  2. http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.html