The hard part remains. Users would have to gpg verify your installer. There is nothing you can do to improve that situation on the Whonix installer level. [[Improvements are possible on operating system / browser level. For browser, metalink would help. Etc. off-topic]]
Maybe a good idea would be to, rather than bundle the verification and the installer together, thus making manipluation of both easier, delivering the two seperatley, while still being smpler than doing it yourself. What I mean by this is the following: The user first downloads the installer as usual. He then downloads a second, seperate .exe. This .exe would have to be put in the same folder as the “Install Whonix.exe” and once executed would run a portable version of GPG with the signed and verificated keys already bundled. It then outputs “OK!” or “File corrupted! Download again” giving the user a tangible and simple way to verify the installer.
That makes things more complicated. Defeats the purpose of the easy installer. And adds no security. Users who download the windows installer could receive a compromised version to begin with. So they have to verify that one. From there, there is no more need for Whonix image verifications that are integrated in the installer. If users received a compromised copy of the installer, that compromised installer could also fool the integrated verification.
Where the automated verification could make sense is within the Windows installer build process. But even then, perhaps have it verified automatically, but continue manually after reading gpg’s output. I’d say that is low priority if things work for you as they currently are.
For now however, I feel like I should finish designing the “UI/Launcher/whatever”. Will technically likely still use this old, functional code as a base though with a (slightly) better appearance: Creating a custom UI for VBox the fast way - Whonix Windows GUI - #3 by Ego
Looks good to me. We can use that as initial release to get the foot into the door. It’s a HUGE improvement so or so. And it can still be improved after initial testing and feedback.