Verify Whonix Images Software Signatures
Download image verification instructions for Non-Qubes-Whonix with OpenPGP and Signify.
- Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
- Optional, not required: Digital signatures are optional and not mandatory for using Whonix, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
- Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.
OpenPGP Signature[edit]
Qubes[edit]
Qubes-Whonix™ templates are automatically verified when qubes-dom0-update
downloads and installs them; manual user verification is unnecessary.
VirtualBox[edit]
Steps to verify the virtual machine images depend on the operating system in use:
Also see: VirtualBox Appliance is not signed
Error Message.
KVM[edit]
Refer to the KVM Linux on the Command Line instructions.
Windows Installer[edit]
The Whonix Windows Installer is currently unavailable. (Verify the Whonix Windows Installer)
Signify Signatures[edit]
It is impossible to signify
sign images (.ova
/ libvirt.tar.xz
) directly. You can only verify the .sha512sums
hash sum file using signify-openbsd
and then verify the image against the sha512
sum.
1. Download the signify Key and save it as keyname.pub
.
2. Install signify-openbsd
.
Install package(s) signify-openbsd
following these instructions
1 Platform specific notice.
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: In Template.
2 Update the package lists and upgrade the system .
sudo apt update && sudo apt full-upgrade
3 Install the signify-openbsd
package(s).
Using apt
command line
--no-install-recommends
option
is in most cases optional.
sudo apt install --no-install-recommends signify-openbsd
4 Platform specific notice.
- Non-Qubes-Whonix: No special notice.
- Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Qubes Template Modification .
5 Done.
The procedure of installing package(s) signify-openbsd
is complete.
3. Download the .sha512sums
and .sha512sums.sig
files.
4. Verify the .sha512sums
file with signify-openbsd
.
signify-openbsd -Vp keyname.pub -m Whonix-*.sha512sums
If the file is correct, it will output:
Signature Verified
If the file is not correct, it will output an error.
5. Compare the hash of the image file with the hash in the .sha512sums
file.
sha512sum -c Whonix-*.sha512sums
If the file is correct, it will output:
Whonix-Xfce-17.2.8.5.ova: OK
If you are using signify for software signature verification, please consider making a report in the signify-openbsd forum thread. This will help developers decide whether to continue supporting this method or deprecate it.
Table: Whonix VirtualBox Files
Whonix Version | Files |
---|---|
Whonix VirtualBox CLI | |
Whonix VirtualBox Xfce |
Forum discussion: signify-openbsd.
Codecrypt Signatures[edit]
Codecrypt signatures are not yet available, but are planned long term.
Volunteer contributions are happily considered! If you were to contribute codecrypt
signature creation to the Whonix dm-prepare-release
script, then this feature could be provided much sooner.
If you would like to use codecrypt for software signature verification, please consider making a report in the codecrypt forum thread. This method might be supported sooner if there is sufficient interest.
Forum discussion:
use codecrypt to sign releases.
See Also[edit]
- Download the Whonix Signing Key
- Verifying Software Signatures
- Placing Trust in Whonix
- OpenPGP key distribution strategies
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!