Verify the KVM Virtual Machine Images with KGpg

From Whonix


notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

It is necessary to have the KGpg package installed. To install it in Debian, Ubuntu or Whonix ™, issue the following commands.

Update the package lists.

sudo apt-get update

Install KGpg.

sudo apt-get install kgpg

1. First, download the Whonix Signing Key.

2. Open patrick.asc with KGpg.

The following message is notified.

KGpg Key Import Patrick's key.png

Or this message appears if you previously imported the key.

KGpg Import Patricks's previously imported key .png

3. Download the cryptographic signature corresponding to the virtual machine image (libvirt.xz archive) you want to verify and store it in the same folder as the virtual machine image.

4. Start KGpg.

Go to kgpgFileOpen EditorSignatureVerify Signature...Choose the downloaded cryptographic signature (.asc)

Note: This process will take a while and there is no progress meter. Please wait patiently for a few moments.

If the virtual machine image is correct, the notification will provide a good signature message.

KGpg Verify Signature good signature Patrick.png

warning Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2020 and now see a signature from 2019, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [1]

The first line in the notification includes the signature creation timestamp.

Click on Details. See the example below.

[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2018-05-12

warning Note: OpenPGP signatures sign files, but not file names. [2]

To help verify that the file name has not been tampered with, beginning with Whonix version 9.6 the file@name OpenPGP notation routinely includes the file name.

Click on Details. See the example below.

Note: The version shown in the example ( corresponds to the current release version at the time this wiki was written. This notation should match the file name that is being verified.


If the virtual machine image is not correct, the notification will provide a bad signature message.

KGpg Verify Signature bad signature Patrick.png


When a GPG error is encountered, first try a web search for the relevant error. The security stackexchange website [archive] can also help to resolve GPG problems. Describe the problem thoroughly, but be sure it is GPG-related and not specific to Whonix ™.

More help resources are available on the Support page.

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Iconfinder news 18421.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg Reddit.jpg Diaspora.png Gnusocial.png Mewe.png 500px-Tumblr Wordmark.svg.png Iconfinder youtube 317714.png 200px-Minds logo.svg.png 200px-Mastodon Logotype (Simple).svg.png 200px-LinkedIn Logo 2013.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Please help us to improve the Whonix Wikipedia Page [archive]. Also see the feedback thread [archive].

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.