Verify the Whonix ™ Windows Installer
Digital software signature verification of Whonix ™ using Gpg4win.
Download Whonix ™ Windows Installer and Digital Signature[edit]
The Whonix ™ Windows Installer was developed with design goals focused on provide users with an fast and easy method to install Whonix ™ in Microsoft Windows. When whonix-installer.exe
is executed the Recommended VirtualBox version and both Whonix ™ VMs are seamlessly installed on the Windows machine. Once Whonix ™ is installed, users only need to click the start button in the Whonix ™ GUI for both Whonix-Gateway ™ and Whonix-Workstation ™ VMs to start.
Download the Whonix ™ Installer for Microsoft Windows.
Currently unavailable. See VirtualBox instead.
Before continuing, download both Whonix ™ Windows Installer and corresponding OpenPGP signature in the above download table. Then continue with the steps needed to install of the software digital signature verification tools. Then verify the Whonix ™ digital software signatures.
Users that are familiar with OpenPGP verification can go straight to download the signing key and verify the Whonix ™ Windows installer.
Software Digital Signature Verification Tools Installation[edit]
Introduction[edit]
Due to Conceptual Challenges in Digital Signatures Verification and impracticality, unpopularity of digital software signature verification on the Windows platform, this is a cumbersome process. None of these issues are specific to Whonix ™ to caused by Whonix ™. [1]
To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.
Most other vendors of software on the Windows platform are either unaware or ignore this issue. The Whonix ™ project makes an effort to document and cope up with the mess on the Windows platform.
This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the Whonix ™ project and other software.
Option A) The following guide provides steps to:
- Download and installation of SignTool.
- Download Gpg4win.
- Verify Gpg4win using SignTool.
- Import the developer's GPG signing key into Gpg4win.
- Verify the Whonix ™ Windows Installer using Gpg4win.
SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures.
GnuPG is a complete and free implementation OpenPGP that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. Gpg4win
is a graphical front end for GnuPG that is used to for file and email encryption in Windows. The verification process for the Whonix ™ Windows Installer includes securely downloading an verifying the
gpg4win
package. Once completed GPG can be used from the command-line to verify the Whonix ™ Windows Installer.
Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over TLS, a very basic form of authentication. The argument for that is debatable. "It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server." [2]
Option B) Therefore optionally the user might decide to skip the SignTool step and simplify as follows.
- Download and install Gpg4win.
- Import the developer's GPG signing key into Gpg4win.
- Verify the Whonix ™ Windows Installer using Gpg4win.
The Gpg4win documentation also covers subject.
- Check integrity of Gpg4win packages - Gpg4win website
- Check integrity of Gpg4win packages - Gpg4win wiki
Install SignTools[edit]
The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7 and 8) users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archives for the Windows 10 SDK installer in the below instructions.
SignTools is a Windows command-line tool that uses Authenticode
to digitally sign files and verify both signatures in files and time stamp files. SignTool is available as part of Mirosoft Windows SDK
, which can be can be installed in just a few easy steps. Once installed it can be used to verify the
gpg4win
package before installation.
1. Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
Right-click Downloading The Installer
→Right-click Save
→Right-click Run
.
2. Set the correct path.
After the the installer finishes loading:
Right-click Continue
→choose PATH
→C:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDK
→Right-click Next
.
Figure: Choose SDK Installation Path
3. Install the necessary SDK package.
The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win
verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Developmental Kit. This differs from the corresponding package in Windows 10.
Figure: Select SignTools Package
Once the box to the corresponding package is "checked", right-click Download. Once installation is complete, close the installer.
Figure: Finalized SDK Download
Download and Verify Gpg4win[edit]
SignTool
can be used to verify the authenticity of the gpg4win
package itself.
Note: To simplify the SignTool verification process be sure to download the gpg4win
package to the Downloads directory.
1. Download the gpg4win
package.
- Navigate to https://files.gpg4win.org
- Scroll down and download the latest version of
gpg4win
and the corresponding signature. At the time of writing (August 2020)gpg4win-3.1.12.exe
was the latest version.
2. Verify the gpg4win
package by running SignTool from the command prompt.
To open a command prompt, in the Windows Start Menu, run.
cmd.exe
From the command prompt, change to the Downloads directory.
cd C:\Users\<your_user_name>\Downloads
Verify the gpg4win
package using SignTool.
signtool verify /pa gpg4win-3-1.12.exe
The following output shows a successful gpg4win
verification.
Figure: Successful Verification
Verify the Whonix ™ Windows Installer[edit]
It is important to check the integrity of the downloaded Whonix ™ Windows Installer to ensure that neither a man-in-the-middle attack or file corruption occurred; (see Download Security).
1. If not already completed, have GnuPG initialize your user data folder.
gpg --fingerprint
2. Download the signing key.
3. Store the key as C:\Users\<user_name>\Downloads\derivative.asc
4. Check fingerprints/owners without importing anything.
gpg --keyid-format long --with-fingerprint derivative.asc
5. Verify the output. The output should be identical to the following.
TODO
If the key was successfully imported, the following message will appear.
TODO
6. Import the key.
gpg --import derivative.asc
The output should confirm the key was imported.
TODO
Output already imported.
If the signing key was already imported in the past, the output should confirm the key is unchanged.
TODO
4. Start the cryptographic verification, which can take several minutes.
In Windows command prompt, change to the directory with the whonix-installer.exe
package and corresponding signature file.
cd C:\Users\<user_name>\<directory_name>
Next, verify the Whonix ™ Windows Installer.
gpg --verify-options show-notations --verify whonix-installer.exe.asc whonix-installer.exe
If the Whonix Installer image is correct the output will tell you that the signature is good.
TODO
This might be followed by a warning saying:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix ™ signing key and the web of trust. To remove this warning, the Whonix ™ signing key must be personally signed with your own key.
The first line includes the signature creation timestamp. Example.
gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT
Install Whonix[edit]
Note: When the Whonix ™ Windows Installer is executed, the currently installed VirtualBox package -- if there is one installed on the system -- is removed and the latest VirtualBox package is installed. [5]
Whonix ™ can be installed by simply running whonix-installer.exe
. When installation is complete, users will be greeted with the Whonix ™ GUI which can then be used to start the VMs. Keep in mind that installation could take can up to 15 minutes to complete depending on your hardware configuration.
In the folder you downloaded the Whonix ™ Windows Installer:
Double "click" whonix-installer.exe
→License agreement
→"click" Install → Finish
Figure: Whonix Windows Installer
Figure: Install Whonix
Figure: License agreement
Figure: Extracting files
Figure: Whonix installation complete
Start Whonix[edit]
Whonix Desktop Starter
Double "click" Whonix desktop starter
→"click" Start Whonix.
VirtualBox interface
Double "click" Whonix desktop starter
→"click" Advanced in Whonix GUI
.
When the Advanced button is pressed, the VirtualBox user interface will open and the VMs can be started.
The VirtualBox interface will provide a more granular control of the VMs. From there users can manage the Whonix ™ VMs or modify VirtualBox settings.
Figure: Whonix desktop starter
Figure: Whonix user interface
Figure: Start Whonix VM
Shutdown Whonix[edit]
From the Whonix GUI
- Both Whonix VMs can be shutdown simultaneously by clicking the Stop Whonix button.
Figure: Stop Whonix VMs
First Time Users[edit]
First Time User / Questions and Answers[edit]
- Can I combine Whonix-Gateway ™ CLI with Whonix-Workstation ™ Xfce? Yes, you can! Learn more.
- Why use VirtualBox over KVM?
- Why use VirtualBox over Qubes?
- FAQ
See Also[edit]
- Documentation
- Follow Whonix ™ Developments
- In case of issues, see VirtualBox Troubleshooting.
For additional VirtualBox guides and information, please press on expand on the right.
Footnotes[edit]
- ↑
This is being stated to avoid Whonix ™ of getting blamed for this mess. Previously users put it this way:
I never had to verify any software. Why Whonix makes this more complicated than everyone else?
- ↑
https://forums.whonix.org/t/testing-whonix-installer-for-windows/2987/217
- ↑ As defined by TUF: Attacks and Weaknesses:
- ↑
https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.html
- ↑ At the time of writing (AUG 19 2019) VirtualBox 6.0.10 was the latest stable release version.
Footnotes[edit]

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!