Last update: March 17, 2019.



GPG fingerprint verification

Before adding any foreign repository or software source, it is necessary to fetch the associated signing key (if available) and verify the fingerprint.

It is not safe to rely only on the Whonix wiki to confirm a key's expected fingerprint, because websites rely on fallible SSL or .onion architecture, which provides a lower verification standard than the OpenPGP implementation. In practice, this means:

  • Researching the expected key fingerprint from multiple, trusted Internet sources.
  • Explicitly checking the key fingerprint matches the expected output, before importing it or adding it to a trusted key-ring.
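
One way to script the two steps above, as an added example rather than Whonix's own code: it lists a downloaded key file without importing it and succeeds only when at least two independently obtained fingerprints both match the key. The file name `repo-key.asc`, the `FPR_SOURCE_*` variables, the function names and the sample listing are assumptions made for illustration, and a GnuPG 2.x that supports `--import-options show-only` is assumed.

```shell
# Added example (not Whonix code). The listing and fingerprint are constructed.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Canonical form: spaces, tabs and colons removed, hex digits upper-cased.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t' | tr 'abcdef' 'ABCDEF'
}

# True only for a full 40-hex-digit (v4) fingerprint. Short and long key IDs
# fail the length check; anything containing a newline fails the charset check.
is_full_fpr() {
    case "$1" in
        *[!0123456789ABCDEF]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# stdin: `gpg --with-colons` output. Prints the fingerprint of each primary
# key: field 10 of the first "fpr" record after a "pub" record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# stdin: colon listing of the candidate key file.
# args:  the fingerprint as published by each independent source (>= 2).
# Succeeds only if the file holds exactly one primary key and every source
# states that key's full fingerprint.
listing_matches() {
    [ "$#" -ge 2 ] || { echo "need at least two independent sources" >&2; return 2; }
    actual=$(primary_fprs)
    is_full_fpr "$actual" || return 1
    for claimed in "$@"; do
        [ "$(normalize_fpr "$claimed")" = "$actual" ] || return 1
    done
}

# Lists the file's keys without adding them to any keyring, then compares.
verify_key_file() {
    keyfile=$1; shift
    gpg --batch --with-colons --import-options show-only --import "$keyfile" |
        listing_matches "$@"
}
# Usage: verify_key_file repo-key.asc "$FPR_SOURCE_1" "$FPR_SOURCE_2" &&
#            gpg --import repo-key.asc
```

A file that bundles more than one primary key is rejected outright, so an extra key cannot ride along with the one that was checked.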

For the best possible security, users should always rely on the OpenPGP Web of Trust.