Verify Whonix Virtual Machine Images in Windows
Instructions for OpenPGP Verification of Whonix Images using Windows
Context[edit]
- Optional: Digital signatures are optional. If you've never used them before, it might be overwhelming to look into them at this stage. You may want to explore this topic later, after becoming more familiar with advanced computer security concepts.
- Digital signatures: A tool enhancing download security. Commonly used across the internet.
- No worries: New to digital software signatures? It's okay, no need to worry.
- Not a requirement: Not mandatory for using Whonix, but an extra security measure for advanced users.
- Learn more: Curious? Learn more about digital software signatures.
Usability[edit]
Due to Conceptual Challenges in Digital Signatures Verification and impracticality, unpopularity of digital software signature verification on the Windows platform, this is a cumbersome process. None of these issues are specific to Whonix to caused by Whonix. [1]
To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.
Most other vendors of software on the Windows platform are either unaware or ignore this issue. The Whonix project makes an effort to document and cope up with the mess on the Windows platform.
Introduction[edit]
This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the Whonix project and other software.
Use either option A) or B).
A) Using SignTool to verify Gpg4win:
The following guide provides steps to:
- Download and installation of SignTool.
- Download Gpg4win.
- Verify Gpg4win using SignTool.
- Import the developer's GPG signing key into Gpg4win.
- Verify the Whonix Windows Installer using Gpg4win.
SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures.
GnuPG is a complete and free implementation OpenPGP that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. Gpg4win is a graphical front end for GnuPG that is used to for file and email encryption in Windows. The verification process for the Whonix Windows Installer includes securely downloading an verifying the gpg4win
package. Once completed GPG can be used from the command-line to verify the Whonix Windows Installer.
Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over TLS, a very basic form of authentication. The argument for that is debatable. "It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server." [2] Some browser might use Key Pinning for microsoft.com but unfortunately for gpg4win.org would not be eligible.
Therefore optionally the user might decide to skip the SignTool step and simplify as follows.
B) Not using SignTool to verify Gpg4win:
- Download and install Gpg4win.
- Import the developer's GPG signing key into Gpg4win.
- Verify the Whonix Windows Installer using Gpg4win.
The Gpg4win documentation also covers subject.
- Check integrity of Gpg4win packages - Gpg4win website
- Check integrity of Gpg4win packages - Gpg4win wiki
Verify Whonix Images in Windows using Gpg4win[edit]
Install SignTools
The following instructions install SignTool in Windows 10 (stable release). For earlier Windows releases (Windows XP, Vista, 7, and 8), users can install SignTool by substituting the corresponding SDK Installer found in the Windows SDK archives for the Windows 10 SDK installer in the instructions below.
SignTools is a Windows command-line tool that uses Authenticode to digitally sign files and verify both signatures in files and timestamp files. SignTool is available as part of Microsoft Windows SDK, which can be installed in just a few easy steps. Once installed, it can be used to verify the gpg4win
package before installation.
1. Browse to https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
Right-click Downloading The Installer
→Right-click Save
→Right-click Run
.
2. Set the correct path.
After the installer finishes loading:
Right-click Continue
→choose PATH
→C:\Users\<user_name>\Downloads\Windows Kits\<windows_version>\WindowsSDK
→Right-click Next
.
Figure: Choose SDK Installation Path
3. Install the necessary SDK package.
The Windows SDK installer provides a number of different packages that can be installed. The only package needed for gpg4win
verification is Windows SDK Signing Tools for Desktop Apps (SignTools). Be mindful that earlier SDK version packages may be named differently from later SDK versions. For example, the package that contains SignTool in SDK for Windows 8.1 is named Windows Software Development Kit. This differs from the corresponding package in Windows 10.
Figure: Select SignTools Package
Once the box for the corresponding package is "checked", right-click Download. Once installation is complete, close the installer.
Figure: Finalized SDK Download
Troubleshooting: SignTool might not be immediately available as a command-line tool for you to use. In that case, you may need to manually locate signtool.exe
and run it as a normal *.exe
file. You will need to provide a path to your gpg4win-latest.exe
file. The prompt you'll have to use may look (in PowerShell) like the following: PS> C:\Program Files (x86)\Windows Kits\<windows_version>\bin\10.0.XXXXX.0\x64> .\signtool.exe verify /pa '..\..\..\..\..\..\Users\<user_name>\Downloads\gpg4win-latest.exe'
.
Download and Verify Gpg4win[edit]
SignTool
can be used to verify the authenticity of the gpg4win
package itself.
Note: To simplify the SignTool verification process, be sure to download the gpg4win
package to the Downloads directory.
1. Download the gpg4win
package.
- Navigate to https://files.gpg4win.org
- Scroll down and download the latest version of
gpg4win
and the corresponding signature (file ending in.sig
). At the time of writing (August 2024)gpg4win-4.3.1.exe
was the latest version. Alternatively, you can find that the latest version is namedgpg4win-latest.exe
.
2. Verify the gpg4win
package by running SignTool from the command prompt.
To open a command prompt, in the Windows Start Menu, run:
cmd.exe
From the command prompt, change to the Downloads directory.
cd C:\Users\<your_user_name>\Downloads
Verify the gpg4win
package using SignTool.
signtool verify /pa gpg4win-4-3.1.exe
The following output shows a successful gpg4win
verification.
Figure: Successful Verification
If verification passes, then you are ready to trust and install gpg using this file, i.e., gpg4win-latest.exe
.
Download the Whonix Signing Key[edit]
Since all Whonix releases are signed with the same key, it is unnecessary to verify the key every time a new release is announced. Trust in the key might gradually increase over time, but cryptographic signatures must still be verified every time a new release is downloaded.
Note: With the exception of step 1 all commands should be run from C:\Users\<user_name\Downloads
1. If not already completed, have GnuPG initialize your user data folder.
gpg --fingerprint
2. Download Patrick Schleizer's (adrelanos') OpenPGP key. [3]
Store the key as C:\Users\<user_name>\Downloads\derivative.asc
3. Change to the C:\Users\<user_name>\Downloads\
directory.
cd C:\Users\<user_name>\Downloads\
4. Check fingerprints/owners without importing anything.
gpg --keyid-format long --with-fingerprint derivative.asc
5. Verify the output.
The most important check is confirming the key fingerprint exactly matches the output below. [4]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
The message gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys
is related to the The OpenPGP Web of Trust. Advanced users can learn more about this here.
6. Import the key.
gpg --import derivative.asc
The output should include the key was imported.
gpg: Total number processed: 1 gpg: imported: 1
If the Whonix signing key was already imported in the past, the output should include the key is unchanged.
gpg: Total number processed: 1 gpg: unchanged: 1
If the following message appears at the end of the output.
gpg: no ultimately trusted keys found
This extra message does not relate to the Whonix signing key itself, but instead usually means the user has not created an OpenPGP key yet, which is of no importance when verifying virtual machine images.
Analyze the other messages as usual.
Verify the Whonix Images[edit]
1. If not already completed, download the Whonix.ova
image and the corresponding OpenGPG signature which will be used to verify the image.
Both the signature and the .ova
image should be downloaded into the same directory.
Download the Whonix VM image and signature from VirtualBox Table.
2. Start the cryptographic verification; this process can take several minutes.
At the Windows command prompt, change to the directory with the Whonix.ova
and corresponding signature file.
cd C:\Users\<user_name>\<directory_name>
3. Verify the Whonix.ova
image.
gpg --verify-options show-notations --verify Whonix*.*.asc Whonix*.*
If the Virtual Machine image is correct the output will tell you that the signature is good.
gpg: Signature made Mon 19 Jan 2015 11:45:41 PM CET using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer <adrelanos@whonix.org>" [unknown] gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 gpg: Signature notation: file@name=Whonix-17.2.0.7.ova gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48
This might be followed by a warning saying:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix signing key and the web of trust. To remove this warning, the Whonix signing key must be personally signed with your own key.
The first line includes the signature creation timestamp. Example.
gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT
To help users confirm that the file name has not been tampered with, beginning with Whonix version 9.6 and above the file@name OpenPGP notation includes the file name.
4. When Whonix verification is complete, continue with the VirtualBox installation.
Troubleshooting[edit]
SignTool is not Recognized[edit]
Figure: SignTool not Recognized Error
This error means the SignTool executable is not accessible through cmd.exe
. A common cause for this error is SignTool was not installed in the user's PATH. To fix this issue add signtool.exe
to your system PATH. [7]
Note: This solution is temporary and works only until the command prompt is closed. When the command prompt is restarted signtool.exe
must be added to the system PATH again.
1. Open a command prompt.
In the Windows Start menu, run.
cmd.exe
2. Add the path to signtool.exe
to your system PATH.
The default installation path for signtool.exe
:
x86 systems: C:\Program Files (x86)\Windows Kits\<windows_version>\bin\x86 x64 systems: C:\Program Files (x86)\Windows Kits\<windows_version>\bin\x64
Run the following command to add "path\to\signtool.exe" to your system PATH. Also be sure to add the Windows version to the path.
set PATH="path to signtool.ext";%PATH%
For example, the following command adds the path for an x64
system.
set PATH="C:\Program Files (x86)\Windows Kits\<windows_version>\bin\x64";%PATH%
SignTool Certificate Chain Error[edit]
Figure: Root Certificate Error
This error message occurs if the /pa
switch is not used with SignTool. This is because the default SignTool verify some_file.exe
command uses the Windows Driver Verification Policy. [8] In order for the file to verify properly the /pa
switch must be used so SignTool uses the Default Authentication Verification Policy.
Encountering GPG Errors[edit]
When a GPG error is encountered, first try a web search for the relevant error. The security stackexchange website can also help to resolve GPG problems. Describe the problem thoroughly, but be sure it is GPG-related and not specific to Whonix.
More help resources are available on the Support page.
Footnotes[edit]
- ↑
This is being stated to avoid Whonix of getting blamed for this mess. Previously users put it this way:
I never had to verify any software. Why Whonix makes this more complicated than everyone else?
- ↑ https://forums.whonix.org/t/testing-whonix-installer-for-windows/2987/217
- ↑ curl --tlsv1.3 --proto =https --max-time 180 --output derivative.asc whonix.org/keys/derivative.asc
- ↑ Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
- ↑ As defined by TUF: Attacks and Weaknesses:
- ↑ https://lists.gnupg.org/pipermail/gnupg-users/2015-January/052185.html
- ↑ https://www.godaddy.com/help/windows-cmd-signtool-is-not-recognized-as-an-internal-or-external-command-operable-program-or-batch-file-19987
- ↑ See stackoverflow for further information: Why's My Root Certificate Not Trusted?
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!