Verify the Whonix ™ Windows Installer

From Whonix
Jump to navigation Jump to search

Ambox warning pn.svg.png Whonix ™ Windows Installer currently unavailable. Stay Tuned for news. See VirtualBox instead.

Info This page is archived.

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

Download Whonix ™ Windows Installer and Digital Signature[edit]

The Whonix ™ Windows Installer was developed with design goals focused on provide users with an fast and easy method to install Whonix ™ in Microsoft Windows. When whonix-installer.exe is executed the Recommended VirtualBox version and both Whonix ™ VMs are seamlessly installed on the Windows machine. Once Whonix ™ is installed, users only need to click the start button in the Whonix ™ GUI for both Whonix-Gateway ™ and Whonix-Workstation ™ VMs to start.

Download the Whonix ™ Installer for Microsoft Windows.

Ambox warning pn.svg.png By downloading, you acknowledge that you have read, understood and agreed to our Terms of Service and License Agreement.

Currently unavailable. See VirtualBox instead.

Before continuing, download both Whonix ™ Windows Installer and corresponding OpenPGP signature in the above download table. Then continue with the steps needed to install of the software digital signature verification tools. Then verify the Whonix ™ digital software signatures.

Users that are familiar with OpenPGP verification can go straight to download the signing key and verify the Whonix ™ Windows installer.

Software Digital Signature Verification Tools Installation[edit]

Introduction[edit]

Due to Conceptual Challenges in Digital Signatures Verification and impracticality, unpopularity of digital software signature verification on the Windows platform, this is a cumbersome process. None of these issues are specific to Whonix ™ to caused by Whonix ™. [1]

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.

Most other vendors of software on the Windows platform are either unaware or ignore this issue. The Whonix ™ project makes an effort to document and cope up with the mess on the Windows platform.

This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the Whonix ™ project and other software.

Option A) The following guide provides steps to:

  1. Download and installation of SignTool.
  2. Download Gpg4win.
  3. Verify Gpg4win using SignTool.
  4. Import the developer's GPG signing key into Gpg4win.
  5. Verify the Whonix ™ Windows Installer using Gpg4win.

SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures.

GnuPGarchive.org is a complete and free implementation OpenPGP that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. Gpg4winarchive.org is a graphical front end for GnuPG that is used to for file and email encryption in Windows. The verification process for the Whonix ™ Windows Installer includes securely downloading an verifying the gpg4win package. Once completed GPG can be used from the command-line to verify the Whonix ™ Windows Installer.

Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over TLS, a very basic form of authentication. The argument for that is debatable. "It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server." [2]

Option B) Therefore optionally the user might decide to skip the SignTool step and simplify as follows.

  1. Download and install Gpg4win.
  2. Import the developer's GPG signing key into Gpg4win.
  3. Verify the Whonix ™ Windows Installer using Gpg4win.

The Gpg4win documentation also covers subject.

Install SignTools[edit]

The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archivesarchive.org for the Windows 10 SDK installer in the below instructions.

SignToolsarchive.org is a Windows command-line tool that uses Authenticodearchive.org to digitally sign files and verify both signatures in files and time stamp files. SignTool is available as part of Mirosoft Windows SDKarchive.org, which can be can be installed in just a few easy steps. Once installed it can be used to verify the gpg4win package before installation.

1. Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdkarchive.org

  • Right-click Downloading The InstallerRight-click SaveRight-click Run.

2. Set the correct path.

After the the installer finishes loading:

  • Right-click Continuechoose PATHC:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDKRight-click Next.

Figure: Choose SDK Installation Path

Sdk installer specify download path.png

3. Install the necessary SDK package.

The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Developmental Kit. This differs from the corresponding package in Windows 10.

Figure: Select SignTools Package

Select sdk features for download.png

Once the box to the corresponding package is "checked", right-click Download. Once installation is complete, close the installer.

Figure: Finalized SDK Download

Sdk installer download complete.png

Download and Verify Gpg4win[edit]

SignTool can be used to verify the authenticity of the gpg4win package itself.

Note: To simplify the SignTool verification process be sure to download the gpg4win package to the Downloads directory.

1. Download the gpg4win package.

  • Navigate to https://files.gpg4win.orgarchive.org
  • Scroll down and download the latest version of gpg4win and the corresponding signature. At the time of writing (August 2020) gpg4win-3.1.12.exe was the latest version.

2. Verify the gpg4win package by running SignTool from the command prompt.

To open a command prompt, in the Windows Start Menu, run.

cmd.exe

From the command prompt, change to the Downloads directory.

cd C:\Users\<your_user_name>\Downloads

Verify the gpg4win package using SignTool.

signtool verify /pa gpg4win-3-1.12.exe

The following output shows a successful gpg4win verification.

Figure: Successful Verification

Signtool verify gpg4win success.png

Ambox warning pn.svg.png Warning: if verification fails, delete the gpg4win package and repeat the download and verification process again.

Verify the Whonix ™ Windows Installer[edit]

It is important to check the integrity of the downloaded Whonix ™ Windows Installer to ensure that neither a man-in-the-middle attack or file corruption occurred; (see Download Security).

Ambox warning pn.svg.png Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This page is strongly related to the pages Placing Trust in Whonix ™ and Verifying Software Signatures.

1. If not already completed, have GnuPG initialize your user data folder.

gpg --fingerprint

2. Download the signing key.

3. Store the key as C:\Users\<user_name>\Downloads\derivative.asc

4. Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint derivative.asc

5. Verify the output. The output should be identical to the following.

TODO

If the key was successfully imported, the following message will appear.

TODO

6. Import the key.

gpg --import derivative.asc

The output should confirm the key was imported.

TODO

Output already imported.

If the signing key was already imported in the past, the output should confirm the key is unchanged.

TODO

4. Start the cryptographic verification, which can take several minutes.

In Windows command prompt, change to the directory with the whonix-installer.exe package and corresponding signature file.

cd C:\Users\<user_name>\<directory_name>

Next, verify the Whonix ™ Windows Installer.

gpg --verify-options show-notations --verify whonix-installer.exe.asc whonix-installer.exe

If the Whonix Installer image is correct the output will tell you that the signature is good.

TODO


This might be followed by a warning saying:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix ™ signing key and the web of trust. To remove this warning, the Whonix ™ signing key must be personally signed with your own key.

warning Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2020 and now see a signature from 2019, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [3]

The first line includes the signature creation timestamp. Example.

gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT

warning Note: OpenPGP signatures sign files, but not file names. [4]

Install Whonix[edit]

Note: When the Whonix ™ Windows Installer is executed, the currently installed VirtualBox package -- if there is one installed on the system -- is removed and the latest VirtualBox package is installed. [5]

Whonix ™ can be installed by simply running whonix-installer.exe. When installation is complete, users will be greeted with the Whonix ™ GUI which can then be used to start the VMs. Keep in mind that installation could take can up to 15 minutes to complete depending on your hardware configuration.

In the folder you downloaded the Whonix ™ Windows Installer:

  • Double "click" whonix-installer.exeLicense agreement "click" Install → Finish


Figure: Whonix Windows Installer

Whonix windows installer.png


Figure: Install Whonix

Whonix installer wizard.png


Figure: License agreement

Whonix windows installer license agreement.png


Figure: Extracting files

Installing whonix.png


Figure: Whonix installation complete

Whonix setup wizard complete.png

Start Whonix[edit]

Whonix Desktop Starter

  • Double "click" Whonix desktop starter"click" Start Whonix.

VirtualBox interface

  • Double "click" Whonix desktop starter "click" Advanced in Whonix GUI.

When the Advanced button is pressed, the VirtualBox user interface will open and the VMs can be started.

The VirtualBox interface will provide a more granular control of the VMs. From there users can manage the Whonix ™ VMs or modify VirtualBox settings.

Figure: Whonix desktop starter

Whonix desktop starter.png


Figure: Whonix user interface

Whonix User Interface start.png


Figure: Start Whonix VM

Virtualbox user interface.png

Shutdown Whonix[edit]

From the Whonix GUI

  • Both Whonix VMs can be shutdown simultaneously by clicking the Stop Whonix button.

Figure: Stop Whonix VMs

Whonix User Interface stop.png

First Time Users[edit]

First time user / Docs / Troubleshooting

First time users information

Whonix ™ default admin password is: changeme default username: user
default password: changeme

Whonix first time users warning Warning:

  • If you do not know what metadata or a man-in-the-middle attack is.
  • If you think nobody can eavesdrop on your communications because you are using Tor.
  • If you have no idea how Whonix ™ works.

Then read the Design and Goals, Whonix ™ and Tor Limitations and Tips on Remaining Anonymous pages to decide whether Whonix ™ is the right tool for you based on its limitations.

Footnotes → press Expand

Footnotes[edit]

  1. This is being stated to avoid Whonix ™ of getting blamed for this mess. Previously users put it this way:

    I never had to verify any software. Why Whonix makes this more complicated than everyone else?

  2. https://forums.whonix.org/t/testing-whonix-installer-for-windows/2987/217archive.org
  3. As defined by TUF: Attacks and Weaknesses:
  4. https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.htmlarchive.org
  5. At the time of writing (AUG 19 2019) VirtualBox 6.0.10 was the latest stable release version.


Footnotes[edit]