Hello. When importing the Whonix image into VirtualBox (Windows), it says "Appliance is not signed".
This has been happening since sometime last year.
VirtualBox (Linux) doesn't say that.
Of course, I verified the OpenPGP signatures when I downloaded them.
Is this not a problem?
Good day,
Could you perhaps provide a screenshot?
Have a nice day,
Ego
I came across this when searching the VBox forum: VBox "appliance not signed". It simply states that it's an information message. It's up to the user to decide whether to trust that the location the file was downloaded from is trustworthy.
I’m not sure if this applies to your situation though. @Ego will be able to answer this for you.
We’re providing gpg signatures (which are state of the art) and don’t use VirtualBox’s verification feature (which doesn’t matter if you did the provided gpg verification). We haven’t checked out VirtualBox’s VM signing feature yet, but let it mature, we might look into it later.
Thank you all for your answers.
In essence: if OpenPGP signature verification succeeded, it's ok.
OpenPGP is a cross platform multi purpose signature/verification standard.
VirtualBox's is a supporting, additional alternative signature mechanism, perhaps Authenticode, which is only used on Windows and Mac. Let's not use that signature mechanism for now. Why?
- bad security practices
- requires paid developer certificate
- platform specific
- third-party (certificate authority which are itself flawed) dependent
- As far as I understand, it embeds the signature into the file. Thereby breaking OpenPGP signatures. To verify the OpenPGP signature one would have to remove the embedded signature beforehand.
Quote from How can we help? | Tor Project | Support:
If you want to verify a Windows Tor Browser package you need to first strip off the authenticode signature of it. Tools that can be used for this purpose are osslsigncode and delcert.exe. Assuming you have built e.g. osslsigncode on a Linux computer you can enter
/path/to/your/osslsigncode remove-signature /path/to/your/<TOR BROWSER FILE NAME>.exe <TOR BROWSER FILE NAME>.exe
https://twitter.com/Whonix/status/1097805887438241792
We might have to revisit this at a later point. Tor Project uses it for Tor Browser binaries but we don’t ship binaries, only VM images.
References:
- https://en.sklep.certum.pl/certum-ev-code-sigining.html
- Code Signing Certificates - K Software - Discount Code Signing Certificates & Web Server SSL Certificates - Download our FREE code signing tool, kSign
- Debian -- Package Search Results -- osslsigncode
- How can we help? | Tor Project | Support (mentions osslsigncode)
keywords:
- osslsigncode
- Authenticode
related, virtualbox forum discussion:
related upstream bug report:
- VirtualBox 5.1.0 and 5.1.2 fails to import digitally signed appliance (OVA file)
- Ova/Ovf Signature Verification Issue
VirtualBox bug report written just now:
create appliance signing feature or deprecate the feature (Application is not signed.)
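The reason an embedded Authenticode signature breaks a detached OpenPGP signature, as stated in the list above and in the quoted Tor Project instructions, is that Authenticode appends a certificate table to the PE file and points a header entry at it, so the bytes the OpenPGP signature was made over no longer match. The following is an added example, not code from this thread, from Whonix or from osslsigncode: it builds a constructed (non-loadable) PE32+ image, embeds a placeholder certificate table the way Authenticode does, strips it again the way `osslsigncode remove-signature` does conceptually, and checks a detached signature before and after. The PE header offsets come from the PE/COFF specification; a SHA-256 digest stands in for the detached OpenPGP signature (both are computed over the exact file bytes, which is the property that matters here); the PKCS#7 blob is an opaque placeholder; all function names are my own.

```python
import hashlib
import struct

# PE/COFF layout constants (PE/COFF specification)
E_LFANEW_OFFSET = 0x3C                 # DOS header field holding the offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DATA_DIRECTORY_OFFSET = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}   # from start of optional header
CERT_TABLE_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def build_minimal_pe(body: bytes) -> bytes:
    """Constructed test input: DOS header, PE signature, COFF header, a PE32+
    optional header with 16 empty data directories, then an opaque body."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)
    num_dirs = 16
    opt_size = DATA_DIRECTORY_OFFSET[PE32PLUS_MAGIC] + 8 * num_dirs   # 240 bytes
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, num_dirs)     # NumberOfRvaAndSizes
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + body


def _cert_table_entry_offset(pe: bytes) -> int:
    """File offset of the certificate table (offset, size) directory entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)[0]
    if pe[pe_off:pe_off + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    coff_off = pe_off + 4
    opt_off = coff_off + COFF_HEADER_SIZE
    opt_size = struct.unpack_from("<H", pe, coff_off + 16)[0]     # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic not in DATA_DIRECTORY_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs_off = opt_off + DATA_DIRECTORY_OFFSET[magic]
    num_dirs = struct.unpack_from("<I", pe, dirs_off - 4)[0]
    if num_dirs <= CERT_TABLE_INDEX or dirs_off + 8 * num_dirs > opt_off + opt_size:
        raise ValueError("optional header has no certificate table entry")
    return dirs_off + 8 * CERT_TABLE_INDEX


def embed_authenticode(pe: bytes, pkcs7_blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE wrapping pkcs7_blob (a placeholder here, not real
    SignedData) and point the certificate table entry at it, as Authenticode does."""
    entry = _cert_table_entry_offset(pe)
    if struct.unpack_from("<II", pe, entry) != (0, 0):
        raise ValueError("image already carries a certificate table")
    length = (8 + len(pkcs7_blob) + 7) & ~7        # entries are padded to 8 bytes
    cert = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_blob
    cert += b"\0" * (length - 8 - len(pkcs7_blob))
    out = bytearray(pe)
    struct.pack_into("<II", out, entry, len(pe), length)   # a file offset, not an RVA
    return bytes(out) + cert


def strip_authenticode(pe: bytes) -> bytes:
    """Drop the certificate table and zero its directory entry (what
    `osslsigncode remove-signature` does conceptually). Unsigned input is
    returned unchanged; the optional-header CheckSum field is not touched."""
    entry = _cert_table_entry_offset(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)
    if cert_off == 0 and cert_size == 0:
        return pe
    # The signature is normally the last thing in the file; refuse anything
    # else rather than silently leaving bytes behind the table.
    if cert_off <= entry or cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not the trailing part of the file")
    out = bytearray(pe[:cert_off])
    struct.pack_into("<II", out, entry, 0, 0)
    return bytes(out)


def detached_digest(data: bytes) -> str:
    """Stand-in for a detached OpenPGP signature over the exact file bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_detached(data: bytes, expected_digest: str) -> bool:
    return hashlib.sha256(data).hexdigest() == expected_digest


def demo() -> dict:
    unsigned = build_minimal_pe(b"constructed image body " * 8)
    sig = detached_digest(unsigned)              # "OpenPGP" signature made first
    signed = embed_authenticode(unsigned, b"placeholder PKCS#7 SignedData")
    stripped = strip_authenticode(signed)
    return {
        "unsigned_verifies": verify_detached(unsigned, sig),
        "signed_verifies": verify_detached(signed, sig),       # False: bytes changed
        "stripped_verifies": verify_detached(stripped, sig),   # True: bytes restored
        "stripped_equals_unsigned": stripped == unsigned,
        "strip_is_noop_on_unsigned": strip_authenticode(unsigned) == unsigned,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that the certificate table ends exactly at end of file is deliberate: a file with bytes after the table is either malformed or carrying something the signature does not cover, and a stripping tool should fail loudly there instead of producing an image whose detached signature then fails for a less obvious reason.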