Verify Whonix Images Software Signatures


Download image verification instructions for Non-Qubes-Whonix with OpenPGP and Signify.

  • Digital signatures: A tool enhancing download security. Commonly used across the internet.
  • Learn more: Curious? Learn more about digital software signatures.
  • Optional: Digital signatures are optional. If you've never used them before, there might be no need to start now.
  • No worries: New to digital software signatures? It's okay, no need to worry.
  • Not a requirement: Not mandatory for using Whonix, but an extra security measure for advanced users.

OpenPGP Signature

Qubes

Qubes-Whonix templates are automatically verified when qubes-dom0-update downloads and installs them; manual user verification is unnecessary.

VirtualBox

Steps to verify the virtual machine images depend on the operating system in use:

Also see: VirtualBox Appliance is not signed Error Message.

KVM

Refer to the KVM Linux on the Command Line instructions.

Windows Installer

The Whonix Windows Installer is currently unavailable. (Verify the Whonix Windows Installer)

Signify Signatures

Advanced users only!

It is impossible to sign images (.ova / libvirt.tar.xz) directly with signify. You can only verify the .sha512sums hash sum file using signify-openbsd and then verify the image against the SHA-512 sum.

1. Download the signify Key and save it as keyname.pub.

Download Whonix VirtualBox signify Key

2. Install signify-openbsd.

Install package(s) signify-openbsd.

A. Update the package lists and upgrade the system.

sudo apt update && sudo apt full-upgrade

B. Install the signify-openbsd package(s).

Using the apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends signify-openbsd

C. Done.

The procedure of installing package(s) signify-openbsd is complete.

3. Download the .sha512sums and .sha512sums.sig files.

4. Verify the .sha512sums file with signify-openbsd.

signify-openbsd -Vp keyname.pub -m Whonix-*.sha512sums

If the file is correct, it will output:

Signature Verified

If the file is not correct, it will output an error.

5. Compare the hash of the image file with the hash in the .sha512sums file.

sha512sum -c Whonix-*.sha512sums

If the file is correct, it will output:

Whonix-Xfce-17.1.3.1.ova: OK

Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This page is strongly related to the pages Placing Trust in Whonix and Verifying Software Signatures.
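
The following script is an added example, not part of the original Whonix instructions. It chains steps 4 and 5 so that the hash comparison only runs after the signature on the .sha512sums file verifies, and it compares against the entry for the exact image file name. The function names and the SIGNIFY override variable are assumptions made for this example.

```bash
#!/bin/sh
# Added example: fail-closed wrapper around steps 4 and 5.
# Assumption: the verifier binary is named signify-openbsd, as on this page;
# SIGNIFY is a hypothetical override variable for other systems.
SIGNIFY="${SIGNIFY:-signify-openbsd}"

# Step 4: verify the detached signature <sums_file>.sig over the hash list.
verify_sums_signature() {  # args: pubkey sums_file
    [ -f "$2.sig" ] || { echo "missing signature: $2.sig" >&2; return 2; }
    "$SIGNIFY" -V -p "$1" -x "$2.sig" -m "$2"
}

# Step 5: compare the image against the entry for exactly this file name,
# so an image that the signed list never mentions cannot pass.
check_image_hash() {  # args: sums_file image
    name=$(basename -- "$2")
    # Lines are "<hash>  <name>" or "<hash> *<name>"; names without spaces assumed.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1")
    [ -n "$expected" ] || { echo "$name is not listed in $1" >&2; return 3; }
    actual=$(sha512sum -- "$2" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $name" >&2; return 4; }
    echo "$name: OK"
}

# Full check: the hash list is trusted only after its signature verifies.
verify_image() {  # args: pubkey sums_file image
    verify_sums_signature "$1" "$2" || {
        echo "signature check failed, not checking the image" >&2
        return 1
    }
    check_image_hash "$2" "$3"
}

# Runs only when called as: script keyname.pub <file>.sha512sums <image>
if [ "$#" -eq 3 ]; then
    verify_image "$1" "$2" "$3"
fi
```

Return codes distinguish the failure: 1 for a bad signature on the hash list, 3 for an image that is not listed in it, 4 for a hash mismatch.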

If you are using signify for software signature verification, please consider making a report in the signify-openbsd forum thread. This will help developers decide whether to continue supporting this method or deprecate it.

Table: Whonix VirtualBox Files

Whonix Version Files
Whonix VirtualBox CLI
Whonix VirtualBox Xfce

Forum discussion: signify-openbsd.

Codecrypt Signatures

Codecrypt signatures are not yet available, but are planned long term.

Volunteer contributions are happily considered! If you were to contribute codecrypt signature creation to the Whonix dm-prepare-release script, then this feature could be provided much sooner.

If you would like to use codecrypt for software signature verification, please consider making a report in the codecrypt forum thread. This method might be supported sooner if there is sufficient interest.

Forum discussion: use codecrypt to sign releases.

See Also
