"Bad Signature" - Verification Fails

Probably a user error, I’ve gone through all the old threads on this subject and googled a bunch of different help articles to no avail. Would appreciate some assistance, thanks!

I’ve downloaded the Workstation and Gateway (Easy) about 4 separate times, and once over Tor through the onion link. Between each attempt and subsequent deletion of the files, I’ve rebooted my computer. Here is the message I’ve gotten every time:

gpg --verify-options show-notations --verify Whonix-Workstation-.ova.asc Whonix-Workstation-.ova
gpg: Signature made 11/16/1 11:12:18 Eastern Standard Time using RSA key ID 77BB3C48
gpg: BAD signature from “Patrick Schleizer adrelanos@riseup.net” [unknown]

And the same for the Gateway. This is my first foray into this type of thing. I’ve added the signature into my keyring and tried verifying it through GNU Privacy Assistant, still tells me it’s bad.

Thank you in advance.

(Edit: there are asterisks in between the - and .ova … It’s just changing into italics here I guess.)

Good day,

please try redownloading the signature from here: https://www.whonix.org/wiki/VirtualBox#Whonix_signature

Have a nice day,


Hi Ego,

Thanks for your help. Unfortunately, I just did what you suggested and I’m getting the same “BAD” response.


You mistyped. Please use copy and paste from the instructions. Or you were not in the folder where you stored the files. Check using ls.

Hello guys!

I’m having the same problems rclem is. I’ve exhausted my options searching google, reading forums. I keep coming back to this particular thread.

Here is what my terminal readout is…

shjen@ubuntu:~/Downloads$ gpg --verify-options show-notations --verify Whonix-Gateway-.ova.asc
gpg: Signature made Mon 16 Nov 2015 07:36:59 AM PST using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer adrelanos@riseup.net"
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=Whonix-Gateway-
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48

This is showing that the Gateway is finding the signature fine, and is working…however, I keep getting this message, claiming a BAD Signature.

shjen@ubuntu:~/Downloads$ gpg --verify-options show-notations --verify Whonix-Workstation-.ova.asc
gpg: Signature made Mon 16 Nov 2015 08:12:18 AM PST using RSA key ID 77BB3C48
gpg: BAD signature from “Patrick Schleizer adrelanos@riseup.net

I’ve removed and downloaded the Whonix-Workstation- twice from the website Ego listed using the GUI interface, and twice using the command line:
shjen@ubuntu:~/Downloads$ torsocks wget -c https://www.whonix.org/download/

I know I’m in the correct directory; when I use ls it shows all the files that I am attempting to check the signature on.

Please help, and Thank YOU!

P.S. Just in case, I’ve tried to enter the full file name as well using this in the terminal:

gpg --verify-options show-notations -v Whonix-Workstation-

Tried redownloading the ova?


Reading Good signature now!

Thank you!
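
Added example, not part of the thread or of Whonix's own instructions: a shell helper that reads gpg's machine-readable `--status-fd` lines and separates the outcomes seen above, a BAD signature (the file and signature do not match, as with a damaged download) versus a good signature made under the primary key fingerprint printed in the output above. The function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Primary key fingerprint as printed in the thread's gpg output (spaces removed).
EXPECTED_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Reads "[GNUPG:] ..." status lines on stdin and prints one verdict word.
classify_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]"                    { next }
        $2 == "BADSIG"                      { bad = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "GOODSIG"                     { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG"                    { primary = $NF "" }
        END {
            if (bad)                               print "BAD_FILE_OR_SIG"
            else if (nokey)                        print "KEY_MISSING"
            else if (good && primary == (want "")) print "GOOD_PINNED_KEY"
            else if (good)                         print "GOOD_UNEXPECTED_KEY"
            else                                   print "NO_SIGNATURE"
        }'
}

# usage: verify_detached Whonix-file.ova.asc Whonix-file.ova
# Names both files explicitly so gpg does not have to guess the data file.
# Succeeds only for a good signature under the pinned primary key.
verify_detached() {
    verdict=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status)
    echo "$verdict"
    [ "$verdict" = "GOOD_PINNED_KEY" ]
}
```

A `BAD_FILE_OR_SIG` verdict means the downloaded file and the `.asc` do not belong together, which is the case that a fresh download resolved in this thread. The "not certified with a trusted signature" warning is a separate matter of local trust settings, so this helper compares the fingerprint instead.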

