It is necessary to have the KGpg package installed. To install it in Debian, Ubuntu or Whonix ™, issue the following commands.
Update the package lists.
sudo apt-get install kgpg
1. First, download the Whonix Signing Key.
patrick.asc with KGpg.
The following message is notified.
Or this message appears if you previously imported the key.
3. Download the cryptographic signature corresponding to the virtual machine image (libvirt.xz archive) you want to verify and store it in the same folder as the virtual machine image.
4. Start KGpg.
Go to kgpg →
Open Editor →
Verify Signature... →
Choose the downloaded cryptographic signature (.asc)
Note: This process will take a while and there is no progress meter. Please wait patiently for a few moments.
If the virtual machine image is correct, the notification will provide a good signature message.
Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2020 and now see a signature from 2019, then this might be a targeted rollback (downgrade) or indefinite freeze attack. 
The first line in the notification includes the signature creation timestamp.
Details. See the example below.
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2018-05-12
Note: OpenPGP signatures sign files, but not file names. 
To help verify that the file name has not been tampered with, beginning with Whonix version 9.6 the file@name OpenPGP notation routinely includes the file name.
Details. See the example below.
Note: The version shown in the example (18.104.22.168.4) corresponds to the current release version at the time this wiki was written. This notation should match the file name that is being verified.
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA Whonix-22.214.171.124.4.libvirt.xz
If the virtual machine image is not correct, the notification will provide a bad signature message.
When a GPG error is encountered, first try a web search for the relevant error. The security stackexchange website [archive] can also help to resolve GPG problems. Describe the problem thoroughly, but be sure it is GPG-related and not specific to Whonix ™.
More help resources are available on the Support page.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.