Verify the virtual machine images using Linux

From Whonix

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

It is necessary to have the KGpg package installed. To install it in Debian, Ubuntu or Whonix ™, issue the following commands.

Update the package lists.

sudo apt-get update

Install KGpg.

sudo apt-get install kgpg

1. First, download the Whonix Signing Key.

2. Open patrick.asc with KGpg.

The following message is notified.

KGpg Key Import Patrick's key.png

Or this message appears if you previously imported the key.

KGpg Import Patricks's previously imported key .png

3. Download the cryptographic signature corresponding to the virtual machine image ({{{file_extension}}}) you want to verify and store it in the same folder as the virtual machine image.

4. Start KGpg.

Go to kgpgFileOpen EditorSignatureVerify Signature...Choose the downloaded cryptographic signature (.asc)

Note: This process will take a while and there is no progress meter. Please wait patiently for a few moments.

If the virtual machine image is correct, the notification will provide a good signature message.

KGpg Verify Signature good signature Patrick.png

warning Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2019 and now see a signature from 2018, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [1]

The first line in the notification includes the signature creation timestamp.

Click on Details. See the example below.

[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2018-05-12

warning Note: OpenPGP signatures sign files, but not file names. [2]

To help verify that the file name has not been tampered with, beginning with Whonix version 9.6 the file@name OpenPGP notation routinely includes the file name.

Click on Details. See the example below.

Note: The version shown in the example ( corresponds to the current release version at the time this wiki was written. This notation should match the file name that is being verified.

[GNUPG:] NOTATION_DATA Whonix-{{{file_ext}}}

If the virtual machine image is not correct, the notification will provide a bad signature message.

KGpg Verify Signature bad signature Patrick.png


When a GPG error is encountered, first try a web search for the relevant error. The security stackexchange website [archive] can also help to resolve GPG problems. Describe the problem thoroughly, but be sure it is GPG-related and not specific to Whonix ™.

More help resources are available on the Support page.