[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Appliance is not signed


#1

Hello.When importing Whonix image to Virtualbox(windows), it says "Appliance is not signed"
This has been happening since sometime last year.
Virtulabox(linux) doesn’t say that.
Of course,I verified the OpenPGP signatures when I downloaded them.
Is this no problem?


#2

Good day,

Could you perhaps provide a screenshot?

Have a nice day,

Ego


#3

Thank you for replying.
Here’s screenshot.


#4

I came across this when searching the Vbox forum. Vbox “appliance not singed” . It simply states that its a information message. Its up to the user to decide weather to trust that the location the file was downloaded from is trustworthy.

I’m not sure if this applies to your situation though. @Ego will be able to answer this for you.


#5

We’re providing gpg signatures (which are state of the art) and don’t use VirtualBox’s verification feature (which doesn’t matter if you did the provided gpg verification). We haven’t checked out VirtualBox’s VM signing feature yet, but let it mature, we might look into it later.


#6

Thank you all for your answers.


#7

In essence: if OpenPGP signature verification succeeded - it’s ok.

OpenPGP is a cross platform multi purpose signature/verification standard.

VirtualBox is Is a a supporting and additional alternative signature mechanism. Perhaps Authenticode which is only used on Windows, and Mac. Let’s not use that signature mechanism for now. Why?

  • bad security practices
  • requires paid developer certificate
  • platform specific
  • third-party (certificate authority which are itself flawed) dependent
  • As far as I understand, it embeds the signature into the file. Thereby breaking OpenPGP signatures. To verify the OpenPGP signature one would have to remove the embedded signature beforehand.

Quote https://www.torproject.org/docs/verifying-signatures.html.en

If you want to verify a Windows Tor Browser package you need to first strip off the authenticode signature of it. Tools that can be used for this purpose are osslsigncode and delcert.exe. Assuming you have built e.g. osslsigncode on a Linux computer you can enter

/path/to/your/osslsigncode remove-signature \ /path/to/your/<TOR BROWSER FILE NAME>.exe <TOR BROWSER FILE NAME>.exe

We might have to revisit this at a later point. Tor Project uses it for Tor Browser binaries but we don’t ship binaries, only VM images.

References:

keywords:

  • osslsigncode
  • Authenticode

related, virtualbox forum discussion:

https://forums.virtualbox.org/viewtopic.php?t=80888