Appliance is not signed

Hello. When importing the Whonix image into VirtualBox (Windows), it says "Appliance is not signed".
This has been happening since sometime last year.
VirtualBox (Linux) doesn't say that.
Of course, I verified the OpenPGP signatures when I downloaded them.
Is this not a problem?

Good day,

Could you perhaps provide a screenshot?

Have a nice day,

Ego


Thank you for replying.
Here's a screenshot.


I came across this when searching the VBox forum: VBox "appliance not signed". It simply states that it's an information message. It's up to the user to decide whether the location the file was downloaded from is trustworthy.

I’m not sure if this applies to your situation though. @Ego will be able to answer this for you.

We're providing gpg signatures (which are state of the art) and don't use VirtualBox's verification feature (which doesn't matter if you did the provided gpg verification). We haven't checked out VirtualBox's VM signing feature yet, but let it mature; we might look into it later.

Thank you all for your answers.

In essence: if OpenPGP signature verification succeeded, it's OK.

OpenPGP is a cross platform multi purpose signature/verification standard.

VirtualBox's is a supporting and additional alternative signature mechanism, perhaps Authenticode, which is only used on Windows and Mac. Let's not use that signature mechanism for now. Why?

  • bad security practices
  • requires paid developer certificate
  • platform specific
  • third-party dependent (certificate authorities, which are themselves flawed)
  • As far as I understand, it embeds the signature into the file. Thereby breaking OpenPGP signatures. To verify the OpenPGP signature one would have to remove the embedded signature beforehand.

Quote from How can we help? | Tor Project | Support:

If you want to verify a Windows Tor Browser package you need to first strip off the authenticode signature of it. Tools that can be used for this purpose are osslsigncode and delcert.exe. Assuming you have built e.g. osslsigncode on a Linux computer you can enter

/path/to/your/osslsigncode remove-signature \
    /path/to/your/<TOR BROWSER FILE NAME>.exe <TOR BROWSER FILE NAME>.exe

https://twitter.com/Whonix/status/1097805887438241792

We might have to revisit this at a later point. Tor Project uses it for Tor Browser binaries but we don’t ship binaries, only VM images.

References:

keywords:

  • osslsigncode
  • Authenticode

related, virtualbox forum discussion:

https://forums.virtualbox.org/viewtopic.php?t=80888

How to sign ova appliance? - application is not signed.

related upstream bug report:

VirtualBox bug report written just now:
create appliance signing feature or deprecate the feature (Application is not signed.)
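As an added example (not code from this thread, from Whonix or from the Tor Project), the following POSIX shell snippet implements the advice above, that a successful OpenPGP verification of the downloaded image is what counts, with the check a practitioner actually needs: gpg prints "Good signature" for any key that happens to be in the keyring, so the real trust decision is comparing the signing key's primary fingerprint against the one you obtained out of band. The file names, the key owner and every fingerprint below are constructed placeholders (assumptions), not Whonix's real signing key; the sample status output is constructed to look like what gpg --status-fd emits.

```shell
#!/bin/sh
# Added example for this thread, not Whonix project code: accept a detached
# OpenPGP signature on a VM image only if gpg reports VALIDSIG for the primary
# key fingerprint you expect. All fingerprints and names here are made up.

# check_gpg_status STATUS_TEXT EXPECTED_PRIMARY_FPR
# STATUS_TEXT is gpg's machine-readable output (--status-fd). Returns 0 only if
# a VALIDSIG line names the expected primary key fingerprint and no failure
# line (BADSIG, ERRSIG, expired or revoked key, missing key) is present.
check_gpg_status() {
    status="$1"
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')

    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 1
    fi

    # VALIDSIG layout: [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver>
    #   <reserved> <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
    # Release signatures are often made by a subkey, so compare the primary
    # key fingerprint (field 12); fall back to field 3 for old gpg without it.
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# verify_image IMAGE SIGNATURE EXPECTED_PRIMARY_FPR
# Real-world entry point: runs gpg and delegates the trust decision to the
# fingerprint comparison rather than to gpg's exit code or "Good signature".
verify_image() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || :
    check_gpg_status "$status" "$3"
}

# Constructed sample status output, shaped like gpg --status-fd 1, so the
# check can be exercised without a real key. Fingerprints are made up.
GOOD_PRIMARY='89ABCDEF0123456789ABCDEF0123456789ABCDEF'
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

# Usage against a real download (assumed file names; the fingerprint must come
# from a trusted out-of-band source, not from the same download location):
#   verify_image Whonix.ova Whonix.ova.asc "<expected primary key fingerprint>"
```

Note that TRUST_UNDEFINED in the sample is exactly the case the fingerprint comparison is for: gpg's web-of-trust state says nothing about whether this is the project's key, and the "WARNING: This key is not certified" message that accompanies it is resolved by the fingerprint check, not by ignoring the warning. The check is deliberately independent of VirtualBox's own "Appliance is not signed" message, which concerns a separate, embedded signature mechanism the thread declines to rely on.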