
Whonix Signing Key


Since all Whonix releases are signed with the same key, you will not have to verify the key every time and the trust you might progressively build in it will be built once and for all. Still, you will have to verify the signatures of the images every time you download a new release.

This page is strongly related to the Trust page.

Download the key

Optional: if you have not already done this, or if you are new to GnuPG, it is recommended to run the following two commands to avoid gpg: WARNING: unsafe ownership warnings.

Have GnuPG initialize your user data folder.

gpg --fingerprint

Set permissions that do not trigger the warning.

chmod --recursive og-rwx ~/.gnupg

1. Download Patrick Schleizer's (adrelanos') OpenPGP key:

2. Store it as ~/patrick.asc.

3. Check fingerprints/owners without importing anything.

gpg --with-fingerprint patrick.asc

4. Verify it shows the following.

pub  4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/77BB3C48 2014-01-16 [expires: 2021-04-17]

5. Import the key.

gpg --import patrick.asc

The output should tell you that the key was imported:

gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

If you had already imported the Whonix signing key in the past, the output should tell you that the key was not changed:

gpg: key 2EEACCDA: "Patrick Schleizer <adrelanos@riseup.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

If you are shown the following message at the end of the output:

gpg: no ultimately trusted keys found

Analyse the other messages as usual. This extra message does not relate to the Whonix signing key that you downloaded. It usually means that you have not created an OpenPGP key for yourself yet, which is of no importance for verifying the virtual machine images.

6. Advanced users can check the Web of Trust section below for better security.

7. Don't forget to head back to the verification pages to finish the process (if that's where you're coming from):
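
Steps 3 to 5 above can be scripted so that the import only runs when the file holds exactly one primary key and its fingerprint equals the one from step 4 (gpg --import would otherwise import every key bundled in the file). This is an added example, not part of the Whonix wiki: the function names are hypothetical, the sample listing is constructed, and it assumes a GnuPG version that provides --show-keys.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki). Function names are hypothetical.
EXPECTED_FPR='916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA'  # from step 4

# Constructed sample of `gpg --with-colons` output, for offline testing only.
# Timestamps, the subkey's long key ID and the subkey fingerprint are made up.
SAMPLE_LISTING='pub:-:4096:1:8D66066A2EEACCDA:1389830400:::-:::scESC:
fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:
uid:-::::1389830400::::Patrick Schleizer <adrelanos@riseup.net>:
sub:-:4096:1:00000000CE998547:1389830400::::::e:
fpr:::::::::0000000000000000000000000000000000000001:'

# normalize_fpr: drop all whitespace and upper-case, so the spaced form
# printed by gpg compares equal to the compact colon-format form.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# primary_fprs: read a colon listing on stdin and print the fingerprint
# (field 10 of the fpr record) of each primary key, skipping subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# check_listing: stdin = colon listing, $1 = expected fingerprint.
# Succeeds only for exactly one primary key whose fingerprint matches.
check_listing() {
    want=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || { echo "expected 1 primary key, found $count" >&2; return 1; }
    [ "$found" = "$want" ] || { echo "fingerprint mismatch: $found" >&2; return 1; }
}

# verify_and_import: list the key file without importing it, check the
# listing, and import only if the check passed.
verify_and_import() {
    gpg --show-keys --with-colons --with-fingerprint "$1" |
        check_listing "$EXPECTED_FPR" && gpg --import "$1"
}

if [ "$#" -gt 0 ]; then verify_and_import "$1"; fi
```

Run it as sh script.sh ~/patrick.asc; a non-zero exit status means nothing was imported.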

Advanced Users

Web of Trust

A few people signed Patrick Schleizer's (adrelanos') OpenPGP key in The OpenPGP Web of Trust.

Jan Dittberner[1] (Debian Developer[2]) signed Patrick's key. So did intrigeri (Tails developer, Debian Developer); Peter Palfrader (Debian Developer); Richard King; Michael Carbone (accessnow.org).

If you are a user of Debian or one of the many Debian derivatives, such as Ubuntu, you already trust apt-get and the APT repository of your distribution. You can therefore install the Debian keyring as a trusted source for Jan's, intrigeri's or Peter's key, and use that key to check their signature on Patrick's key.

Install the Debian keyring.

sudo apt-get update
sudo apt-get install debian-keyring

Extract a signer's key from the Debian keyring and import it into your own keyring. Here is an example using Jan's key.

gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --armor --export B2FF1D95CE8F7A22DF4CF09BA73E0055558FB8DD | gpg --import

Optionally try to establish a better trust path to the signer by checking signatures on the signer's key.

Check signatures on Patrick's key.

gpg --check-sigs 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

The output of the above command should show signatures on Patrick's key, which should include the signer's signature.

Further reading on OpenPGP

See Also


Whonix Trusting Whonix Signing Key wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Trusting Whonix Signing Key wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.


Whonix is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.
  1. http://www.dittberner.info/de/content/jan-dittberner
  2. https://qa.debian.org/developer.php?login=Jan+Dittberner