Verify the Whonix Windows Installer

From Whonix
Jump to navigation Jump to search

Digital software signature verification of Whonix using Gpg4win.

Info This page is archived.

Whonix Windows Installer currently unavailable. Stay Tuned for news. See VirtualBox instead.

  • Digital signatures: A tool enhancing download security. Commonly used across the internet.
  • Learn more: Curious? Learn more about digital software signatures.
  • Optional: Digital signatures are optional. If you've never used them before, there might be no need to start now.
  • No worries: New to digital software signatures? It's okay, no need to worry.
  • Not a requirement: Not mandatory for using Whonix, but an extra security measure for advanced users.

Download Whonix Windows Installer and Digital Signature[edit]

The Whonix Windows Installer was developed with design goals focused on provide users with an fast and easy method to install Whonix in Microsoft Windows. When whonix-installer.exe is executed the Recommended VirtualBox version and both Whonix VMs are seamlessly installed on the Windows machine. Once Whonix is installed, users only need to click the start button in the Whonix GUI for both Whonix-Gateway and Whonix-Workstation VMs to start.

Download the Whonix Installer for Microsoft Windows.

By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

Currently unavailable. See VirtualBox instead.

Before continuing, download both Whonix Windows Installer and corresponding OpenPGP signature in the above download table. Then continue with the steps needed to install of the software digital signature verification tools. Then verify the Whonix digital software signatures.

Users that are familiar with OpenPGP verification can go straight to download the signing key and verify the Whonix Windows installer.

Software Digital Signature Verification Tools Installation[edit]

Introduction[edit]

Due to Conceptual Challenges in Digital Signatures Verification and impracticality, unpopularity of digital software signature verification on the Windows platform, this is a cumbersome process. None of these issues are specific to Whonix to caused by Whonix. [1]

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.

Most other vendors of software on the Windows platform are either unaware or ignore this issue. The Whonix project makes an effort to document and cope up with the mess on the Windows platform.

This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the Whonix project and other software.

Option A) The following guide provides steps to:

  1. Download and installation of SignTool.
  2. Download Gpg4win.
  3. Verify Gpg4win using SignTool.
  4. Import the developer's GPG signing key into Gpg4win.
  5. Verify the Whonix Windows Installer using Gpg4win.

SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures.

GnuPGarchive.org is a complete and free implementation OpenPGP that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. Gpg4winarchive.org is a graphical front end for GnuPG that is used to for file and email encryption in Windows. The verification process for the Whonix Windows Installer includes securely downloading an verifying the gpg4win package. Once completed GPG can be used from the command-line to verify the Whonix Windows Installer.

Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over TLS, a very basic form of authentication. The argument for that is debatable. "It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server." [2]

Option B) Therefore optionally the user might decide to skip the SignTool step and simplify as follows.

  1. Download and install Gpg4win.
  2. Import the developer's GPG signing key into Gpg4win.
  3. Verify the Whonix Windows Installer using Gpg4win.

The Gpg4win documentation also covers subject.


Install SignTools[edit]

The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archivesarchive.org for the Windows 10 SDK installer in the below instructions.

SignToolsarchive.org is a Windows command-line tool that uses Authenticodearchive.org to digitally sign files and verify both signatures in files and time stamp files. SignTool is available as part of Mirosoft Windows SDKarchive.org, which can be can be installed in just a few easy steps. Once installed it can be used to verify the gpg4win package before installation.

1. Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdkarchive.org

  • Right-click Downloading The InstallerRight-click SaveRight-click Run.

2. Set the correct path.

After the the installer finishes loading:

  • Right-click Continuechoose PATHC:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDKRight-click Next.

Figure: Choose SDK Installation Path

3. Install the necessary SDK package.

The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Developmental Kit. This differs from the corresponding package in Windows 10.

Figure: Select SignTools Package

Once the box to the corresponding package is "checked", right-click Download. Once installation is complete, close the installer.

Figure: Finalized SDK Download

Download and Verify Gpg4win[edit]

SignTool can be used to verify the authenticity of the gpg4win package itself.

Note: To simplify the SignTool verification process be sure to download the gpg4win package to the Downloads directory.

1. Download the gpg4win package.

  • Navigate to https://files.gpg4win.orgarchive.org
  • Scroll down and download the latest version of gpg4win and the corresponding signature. At the time of writing (August 2020) gpg4win-3.1.12.exe was the latest version.

2. Verify the gpg4win package by running SignTool from the command prompt.

To open a command prompt, in the Windows Start Menu, run.

cmd.exe

From the command prompt, change to the Downloads directory.

cd C:\Users\<your_user_name>\Downloads

Verify the gpg4win package using SignTool.

signtool verify /pa gpg4win-3-1.12.exe

The following output shows a successful gpg4win verification.

Figure: Successful Verification

Warning: if verification fails, delete the gpg4win package and repeat the download and verification process again.


Verify the Whonix Windows Installer[edit]

It is important to check the integrity of the downloaded Whonix Windows Installer to ensure that neither a man-in-the-middle attack or file corruption occurred; (see Download Security).

Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This page is strongly related to the pages Placing Trust in Whonix and Verifying Software Signatures.

1. If not already completed, have GnuPG initialize your user data folder.

gpg --fingerprint

2. Download the signing key.

3. Store the key as C:\Users\<user_name>\Downloads\derivative.asc

4. Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint derivative.asc

5. Verify the output. The output should be identical to the following.

TODO

If the key was successfully imported, the following message will appear.

TODO

6. Import the key.

gpg --import derivative.asc

The output should confirm the key was imported.

TODO

Output already imported.

If the signing key was already imported in the past, the output should confirm the key is unchanged.

TODO

4. Start the cryptographic verification, which can take several minutes.

In Windows command prompt, change to the directory with the whonix-installer.exe package and corresponding signature file.

cd C:\Users\<user_name>\<directory_name>

Next, verify the Whonix Windows Installer.

gpg --verify-options show-notations --verify whonix-installer.exe.asc whonix-installer.exe

If the Whonix Installer image is correct the output will tell you that the signature is good.

TODO


This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix signing key and the web of trust. To remove this warning, the Whonix signing key must be personally signed with your own key.

warning Remember to check the GPG signature timestamp. For instance, if you previously saw a signature from 2023 and now see one from 2022, this could indicate a potential rollback (downgrade) or indefinite freeze attack.[3]

The first line includes the signature creation timestamp. Example.

gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT

warning Remember: OpenPGP signatures sign the contents of files, not the file names themselves. [4]

Install Whonix[edit]

Note: When the Whonix Windows Installer is executed, the currently installed VirtualBox package -- if there is one installed on the system -- is removed and the latest VirtualBox package is installed. [5]

Whonix can be installed by simply running whonix-installer.exe. When installation is complete, users will be greeted with the Whonix GUI which can then be used to start the VMs. Keep in mind that installation could take can up to 15 minutes to complete depending on your hardware configuration.

In the folder you downloaded the Whonix Windows Installer:

  • Double "click" whonix-installer.exeLicense agreement "click" Install → Finish


Figure: Whonix Windows Installer


Figure: Install Whonix


Figure: License agreement


Figure: Extracting files


Figure: Whonix installation complete

Start Whonix[edit]

Whonix Desktop Starter

  • Double "click" Whonix desktop starter"click" Start Whonix.

VirtualBox interface

  • Double "click" Whonix desktop starter "click" Advanced in Whonix GUI.

When the Advanced button is pressed, the VirtualBox user interface will open and the VMs can be started.

The VirtualBox interface will provide a more granular control of the VMs. From there users can manage the Whonix VMs or modify VirtualBox settings.

Figure: Whonix desktop starter


Figure: Whonix user interface


Figure: Start Whonix VM

Shutdown Whonix[edit]

From the Whonix GUI

  • Both Whonix VMs can be shutdown simultaneously by clicking the Stop Whonix button.

Figure: Stop Whonix VMs

First Time Users[edit]

First Time User / Questions and Answers

First Time User / Questions and Answers[edit]

Whonix default admin password is: changeme

  • Default username: user
  • Default password: changeme

Whonix first time users warning Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix works.

Then read the Design and Goals, Whonix and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix is the right tool for you based on its limitations.

Footnotes

Footnotes[edit]

  1. This is being stated to avoid Whonix of getting blamed for this mess. Previously users put it this way:

    I never had to verify any software. Why Whonix makes this more complicated than everyone else?

  2. https://forums.whonix.org/t/testing-whonix-installer-for-windows/2987/217archive.org
  3. As defined by TUF: Attacks and Weaknesses:
  4. https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.htmlarchive.org
  5. At the time of writing (AUG 19 2019) VirtualBox 6.0.10 was the latest stable release version.


Footnotes[edit]

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!