Introduction[edit]

Since all Whonix releases are signed with the same key, you will not have to verify the key every time and the trust you might progressively build in it will be built once and for all. Still, you will have to verify the signatures of the images every time you download a new release.

This page is strongly related to the Trust page.

Download the key[edit]

Optional: Complete the steps below if unfamiliar with GnuPG or if they haven't already been performed. This will fix eventual gpg: WARNING: unsafe ownership warnings.

Have GnuPG initialize your user data folder.

gpg --fingerprint

Set warning free permissions.

chmod --recursive og-rwx ~/.gnupg

1. Download Patrick Schleizer's (adrelanos') OpenPGP key:
patrick.asc

2. Store it as ~/patrick.asc.

3. Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint patrick.asc

4. Verify it shows the following.

pub  4096R/8D66066A2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/3B1E6942CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/10FDAC53119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/CB8D50BB77BB3C48 2014-01-16 [expires: 2021-04-17]

5. Import the key.

gpg --import patrick.asc

The output should tell you that the key was imported:

gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

If you had already imported Whonix signing key in the past, the output should tell you that the key was not changed:

gpg: key 2EEACCDA: "Patrick Schleizer <adrelanos@riseup.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

If you are shown the following message at the end of the output:

gpg: no ultimately trusted keys found

Analyse the other messages as usual: this extra message doesn't relate to the Whonix signing key that you downloaded and usually means that you didn't create an OpenPGP key for yourself yet, which is of no importance to verify the virtual machine images.

6. Advanced users can check #Web of Trust below for better security.

7. Don't forget to head back to the verification pages to finish the process (if that's where you're coming from):

• For Linux: Ubuntu, Debian, Whonix, etc. using kgpg
• For Linux: using the command line
• For Windows
• For Mac

Advanced Users[edit]

Web of Trust[edit]

A few people signed Patrick Schleizer's (adrelanos') OpenPGP key in The OpenPGP Web of Trust.

Jan Dittberner^[1] (Debian Developer^[2]) signed Patrick's key. So did intrigeri (Tails developer, Debian Developer); Peter Palfrader (Debian Developer); Richard King; Michael Carbone (accessnow.org).

If you are a user of Debian or many Debian derivatives, such as Ubuntu, you already trust apt-get, the APT repository of your distribution. So you can install Debian keyring to have a trusted source to obtain Jan's, intrigeri's or Peter's key, to check their signature on Patrick's key.

Install the Debian keyring.

sudo apt-get update

sudo apt-get install debian-keyring

Extract a signer's key from Debian keyring and import it into your own keyring. Here is an example using Jan's key.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --armor --export B2FF1D95CE8F7A22DF4CF09BA73E0055558FB8DD | gpg --import

Optionally try to establish a better trust path to the signer by checking signatures on the signer's key.

Check signatures on Patrick's key.

gpg --check-sigs 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

The output of the above command should show signatures on Patrick's key, which should include the signer's signature.

Further reading on OpenPGP[edit]

• GnuPG wikipedia, a free OpenPGP software
• Apache: How To OpenPGP
• Debian: Keysigning, a tutorial on signing keys of other people
• rubin.ch: Explanation of the web of trust of PGP

See Also[edit]

• Trust
• OpenPGP key distribution strategies

License[edit]

Whonix Trusting Whonix Signing Key wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Trusting Whonix Signing Key wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

https | (forcing) onion
Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

1. ↑ http://www.dittberner.info/de/content/jan-dittberner
2. ↑ https://qa.debian.org/developer.php?login=Jan+Dittberner