Verify VirtualBox VM Images with KGpg

From Whonix

< VirtualBox

notice Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

It is necessary to have the KGpg package installed. To install it in Debian, Ubuntu or Whonix ™, issue the following commands.

Update the package lists.

sudo apt-get update

Install KGpg.

sudo apt-get install kgpg

1. First, download the Whonix Signing Key.

2. Open patrick.asc with KGpg.

The following message is notified.

KGpg Key Import Patrick's key.png

Or this message appears if you previously imported the key.

KGpg Import Patricks's previously imported key .png

3. Download the cryptographic signature corresponding to the virtual machine image (ova archive) you want to verify and store it in the same folder as the virtual machine image.

4. Start KGpg.

Go to kgpgFileOpen EditorSignatureVerify Signature...Choose the downloaded cryptographic signature (.asc)

Note: This process will take a while and there is no progress meter. Please wait patiently for a few moments.

If the virtual machine image is correct, the notification will provide a good signature message.

KGpg Verify Signature good signature Patrick.png

warning Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2019 and now see a signature from 2018, then this might be a targeted rollback (downgrade) or indefinite freeze attack. [1]

The first line in the notification includes the signature creation timestamp.

Click on Details. See the example below.

[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2018-05-12

warning Note: OpenPGP signatures sign files, but not file names. [2]

To help verify that the file name has not been tampered with, beginning with Whonix version 9.6 the file@name OpenPGP notation routinely includes the file name.

Click on Details. See the example below.

Note: The version shown in the example ( corresponds to the current release version at the time this wiki was written. This notation should match the file name that is being verified.


If the virtual machine image is not correct, the notification will provide a bad signature message.

KGpg Verify Signature bad signature Patrick.png


When a GPG error is encountered, first try a web search for the relevant error. The security stackexchange website [archive] can also help to resolve GPG problems. Describe the problem thoroughly, but be sure it is GPG-related and not specific to Whonix ™.

More help resources are available on the Support page.


Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

Please help in testing new features and bug fixes in Whonix ™.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.