Jump to: navigation, search

Template:Verify the virtual machine images using Linux

You need to have the KGpg package installed. To install it in Debian, Ubuntu or Whonix, issue the following commands.

sudo apt-get update
sudo apt-get install kgpg

First, download the Whonix Signing Key.

Open patrick.asc with KGpg.

Note: The email address displayed below has changed to adrelanos at riseup dot net, but this doesn't affect the process since the key fingerprint remains the same.

The following message is notified.

Kgpg key imported new.png

Or this message appears if you previously imported the key.

Kgpg key imported unchanged.png

Next, download the cryptographic signature corresponding to the virtual machine image ({{{file_extension}}}) you want to verify and store it in the same folder as the virtual machine image.

[[{{{download_signature_link}}}|Download Whonix Signature]]

Start KGpg.

Go to kgpg -> File -> Open Editor -> Signature -> Verify Signature... -> Choose the downloaded cryptographic signature (.asc)

Note: This process will take a while and there is no progress meter. Please wait patiently for a few moments. Also, the email address displayed below has changed to adrelanos at riseup dot net, but this doesn't affect the process since the key fingerprint remains the same.

If the virtual machine image is correct, the notification will provide a good signature message.

Kgpg verification success.png

The first line includes the signature creation timestamp.

Click on Details. See the example below.

[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-01-19

To help verify that the file name has not been tampered with, beginning with Whonix version 9.6 the file@name OpenPGP notation routinely includes the file name.

Click on Details. See the example below.

{{{signature_notation_gw}}}

If the virtual machine image is not correct, the notification will provide a bad signature message. Note: The email address displayed below has changed to adrelanos at riseup dot net, but this doesn't affect the process since the key fingerprint remains the same.

Kgpg verification failed.png

Troubleshooting[edit]

When a GPG error is encountered, first try a web search for the relevant error. The security stackexchange website can also help to resolve GPG problems. Describe the problem thoroughly, but be sure it is GPG-related and not specific to Whonix.

More help resources are available on the Support page.
  1. As defined by TUF: Attacks and Weaknesses:
  2. http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.html