[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Could not OpenPGP verify authenticity of Whonix News!


#1

Saw something similar to this addressed in the forums about a year ago. Sounds like it was fixed at one point. I’m persistently getting the following warning when running WhonixCheck. Using apt-get upgrade doesn’t seem to solve this issue.

ERROR: Whonix News Download Result: Could not OpenPGP verify authenticity of Whonix News !!! (gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: true | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: ) This is either, - a Whonix Bug, - an attack on Whonix, - or Whonix News Keys might be outdated. Upgrading using apt-get might fix this. INFO: Whonix News gpg_bash_lib_output_diagnostic_message: gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file gpg_bash_lib_output_gpg_import_output: gpg: keyring `/tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/secring.gpg' created gpg: keyring `/tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/pubring.gpg' created gpg: /tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/trustdb.gpg: trustdb created gpg: key 2EEACCDA: public key "Patrick Schleizer " imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys found gpg_bash_lib_output_gpg_verify_output: gpg: Signature made Fri 23 Oct 2015 08:18:55 AM JST using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer " gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 gpg: Signature notation: file@name=whonix_news.tar.xz Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48 gpg_bash_lib_output_gpg_verify_status_fd_output: [GNUPG:] SIG_ID 5nfHnoEfyvGZ7pyyfLJapb96B/A 2015-10-22 1445555935 [GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer [GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net [GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 [GNUPG:] NOTATION_NAME file@name [GNUPG:] NOTATION_DATA whonix_news.tar.xz [GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-10-22 1445555935 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA [GNUPG:] TRUST_ULTIMATE

Could not OpenPGP verify authenticity of Whonix News - Help
#2

Using Whonix 11?

Please post the output of the following command.


#3

Another year passed and I am getting the same error now. It was OK a few days ago.

[ERROR] [whonixcheck] Whonix News Download Result:Could not OpenPGP verify authenticity of Whonix News !!!
(gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: false | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: )
This is either,
- a Whonix Bug,
- an attack on Whonix,
- or Whonix News Keys might be outdated. Upgrading using apt-get might fix this.
+++ return 0
+++ local 'MSG=<p><a href=https://www.whonix.org/wiki/Whonix_News>Whonix News</a> gpg_bash_lib_output_diagnostic_message:
<br></br>gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file<br />
gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file<br />
gpg_bash_lib_output_gpg_import_output:<br />
gpg: keyring `/tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/secring.gpg'\'' created<br />
gpg: keyring `/tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/pubring.gpg'\'' created<br />
gpg: /tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/trustdb.gpg: trustdb created<br />
gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported<br />
gpg: Total number processed: 1<br />
gpg:               imported: 1  (RSA: 1)<br />
gpg: no ultimately trusted keys found<br />
gpg_bash_lib_output_gpg_verify_output:<br />
gpg: Signature made Wed 21 Sep 2016 08:30:49 PM UTC using RSA key ID 77BB3C48<br />
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>"<br />
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48<br />
gpg: Signature notation: file@name=whonix_news.tar.xz<br />
gpg: Note: This key has expired!<br />
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA<br />
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48<br />
gpg_bash_lib_output_gpg_verify_status_fd_output:<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] SIG_ID 9ty8LVftQpwsd5Y6JOXWKKKsCY4 2016-09-21 1474489849<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net><br />
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net<br />
[GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48<br />
[GNUPG:] NOTATION_NAME file@name<br />
[GNUPG:] NOTATION_DATA whonix_news.tar.xz<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2016-09-21 1474489849 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA</p>'

Some GPG error also when doing apt-get update:

Reading package lists... Done
W: GPG error: http://mirror.whonix.de jessie InRelease: The following signatures were invalid: KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630931 KEYEXPIRED 1475630931 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630931 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630931

What’s wrong?


#4

My mistake, forgot to resign. Please try again.


#5

The error is still there - signature date is newer, but still says that the key is expired:

[ERROR] [whonixcheck] Whonix News Download Result:Could not OpenPGP verify authenticity of Whonix News !!!
(gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: false | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: )
This is either,
- a Whonix Bug,
- an attack on Whonix,
- or Whonix News Keys might be outdated. Upgrading using apt-get might fix this.
+++ return 0
+++ local 'MSG=<p><a href=https://www.whonix.org/wiki/Whonix_News>Whonix News</a> gpg_bash_lib_output_diagnostic_message:
<br></br>gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file<br />
gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file<br />
gpg_bash_lib_output_gpg_import_output:<br />
gpg: keyring `/tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/secring.gpg'\'' created<br />
gpg: keyring `/tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/pubring.gpg'\'' created<br />
gpg: /tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/trustdb.gpg: trustdb created<br />
gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported<br />
gpg: Total number processed: 1<br />
gpg:               imported: 1  (RSA: 1)<br />
gpg: no ultimately trusted keys found<br />
gpg_bash_lib_output_gpg_verify_output:<br />
gpg: Signature made Wed 05 Oct 2016 09:16:40 PM UTC using RSA key ID 77BB3C48<br />
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>"<br />
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48<br />
gpg: Signature notation: file@name=whonix_news.tar.xz<br />
gpg: Note: This key has expired!<br />
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA<br />
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48<br />

#6

You probably did not upgrade to Whonix 13?

Easiest: get Whonix 13.

Harder: upgrade to Whonix 13 if that still works.


#7

Hello,

I use Whonix on Virtualbox everyday, and today, I have this error when running WhonixCheck:

[quote]ERROR: Whonix News Download Result:
Could not OpenPGP verify authenticity of Whonix News !!!
(gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: true | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: )
This is either,

  • a Whonix Bug,
  • an attack on Whonix,
  • or Whonix News Keys might be outdated. Upgrading using apt-get might fix this.

INFO: Whonix News gpg_bash_lib_output_diagnostic_message:
gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keyring /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/secring.gpg' created gpg: keyring/tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/pubring.gpg’ created
gpg: /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/trustdb.gpg: trustdb created
gpg: key 2EEACCDA: public key "Patrick Schleizer " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Thu 23 Jun 2016 09:59:01 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer "
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=whonix_news.tar.xz
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48
gpg_bash_lib_output_gpg_verify_status_fd_output:
[GNUPG:] SIG_ID g+xq+3RlQXGgn22QZ87j/OpElAc 2016-06-23 1466675941
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net
[GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA whonix_news.tar.xz
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2016-06-23 1466675941 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
[GNUPG:] TRUST_ULTIMATE

WARNING: Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check:
(Open a terminal, Start Menu -> Applications -> System -> Terminal.)

sudo apt-get update && sudo apt-get dist-upgrade

[/quote]

And when I try to update with the command:

sudo apt-get update && sudo apt-get dist-upgrade

I have this error:

[quote]Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Ign http://ftp.us.debian.org jessie InRelease
Hit http://ftp.us.debian.org jessie Release.gpg
Get:2 http://security.debian.org jessie/updates/main i386 Packages [305 kB]
Hit http://ftp.us.debian.org jessie Release
Get:3 http://www.whonix.org jessie InRelease [263 B]
Ign http://www.whonix.org jessie InRelease
Get:4 http://security.debian.org jessie/updates/contrib i386 Packages [2,526 B]
Get:5 http://security.debian.org jessie/updates/non-free i386 Packages [14 B]
Get:6 http://www.whonix.org jessie Release.gpg [265 B]
Ign http://www.whonix.org jessie Release.gpg
Get:7 http://security.debian.org jessie/updates/contrib Translation-en [1,211 B]
Get:8 http://security.debian.org jessie/updates/main Translation-en [163 kB]
Get:9 http://www.whonix.org jessie Release [261 B]
Ign http://www.whonix.org jessie Release
Get:10 http://security.debian.org jessie/updates/non-free Translation-en [14 B]
Get:11 http://www.whonix.org jessie/main i386 Packages/DiffIndex [290 B]
Ign http://www.whonix.org jessie/main i386 Packages/DiffIndex
Get:12 http://www.whonix.org jessie/main Translation-en_US [285 B]
Hit http://ftp.us.debian.org jessie/main i386 Packages
Get:13 http://www.whonix.org jessie/main Translation-en [282 B]
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Get:14 http://www.whonix.org jessie/main i386 Packages [283 B]
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Get:15 http://www.whonix.org jessie/main Translation-en_US [285 B]
Hit http://ftp.us.debian.org jessie/contrib Translation-en
Get:16 http://www.whonix.org jessie/main Translation-en [282 B]
Get:17 http://www.whonix.org jessie/main i386 Packages [283 B]
Hit http://ftp.us.debian.org jessie/main Translation-en
Get:18 http://www.whonix.org jessie/main Translation-en_US [285 B]
Hit http://ftp.us.debian.org jessie/non-free Translation-en
Get:19 http://www.whonix.org jessie/main Translation-en [282 B]
Get:20 http://www.whonix.org jessie/main i386 Packages [283 B]
Get:21 http://www.whonix.org jessie/main Translation-en_US [285 B]
Get:22 http://www.whonix.org jessie/main Translation-en [282 B]
Get:23 http://www.whonix.org jessie/main i386 Packages [283 B]
Get:24 http://www.whonix.org jessie/main Translation-en_US [285 B]
Ign http://www.whonix.org jessie/main Translation-en_US
Get:25 http://www.whonix.org jessie/main Translation-en [282 B]
Ign http://www.whonix.org jessie/main Translation-en
Get:26 http://www.whonix.org jessie/main i386 Packages [283 B]
Err http://www.whonix.org jessie/main i386 Packages
HttpError404
Fetched 535 kB in 21s (24.9 kB/s)
W: Failed to fetch http://www.whonix.org/download/whonixdevelopermetafiles/internal/dists/jessie/main/binary-i386/Packages HttpError404

E: Some index files failed to download. They have been ignored, or old ones used instead.
[/quote]

What can I do, please?

I have try to download Whonix 13 and install new VM’s on VirtualBox, but I have the same error on the new VM’s.

Thanks a lot for your attention.


#8

My mistake. Happened during getting up new Whonix homepage today. Link broke. Will likely be fixed soon.


#9

Should now be fixed.


#10

Thanks a lot for your fast answer!

It’s fixed!

Thanks really a lot for all!!! :slight_smile:


#11

просто удали whonix и установи все заново. все отлично будет работать и гараздо лучше.


#13

im getting the same error today…


#14

I got same problem guys, since yesterday.
Worked perfectly fine.

I tried install new VM of Whonix 13 on Virtualbox but didn’t help :frowning:
Hope somebody have solution.

Is Whonix under attack or just a bug?
A spitted out whole google, tried the command:

Updated Virtualbox 13.
Tried updating “sudo apt-get update && sudo apt-get dist-upgrade” but said no updates available.
But nothing worked.
I’m out of ideas bout fixin this problem.


#15

yea I think it’s a common problem at this point. Today is Sunday so much probably any admin/mod is gonna take a look. Let’s wait tomorrow for some update on the matter. Maybe the gpg key expired or they forgot to sign some package idk. We’ll see…


#16

Fixed.


#17

Having a similar issue today, is it a problem or just a little mistake during updates?


#18

I have same issue too since yesterday.
I see it sometimes happens, let’s wait for Patrick to login and fix it.


#19

Still down, I’ve just tried to update
Hit http://deb.whonix.org jessie InRelease
Hit http://security.debian.org jessie/updates InRelease
Ign http://ftp.us.debian.org jessie InRelease
E: Release file for http://deb.whonix.org/dists/jessie/InRelease is expired (invalid since 4h 16min 58s). Updates for this repository will not be applied.


#20

Yes, me too @5yn74x_3rr0r , I get the same output when updating, though my repositories are onionized, but I do get the same error specifically at the repo with /dists/jessie/InRelease .

I do not want to complain, I’m very thankful to whonix developers and everyone positively connected to it, but what? aren’t they making sufficient money to take a look at their own creature on a Monday?


#21

@7harry7 I switched to the Proposed Stable Update Repository, Minor update, Nothing major…I’m still getting this now
Get:1 http://deb.whonix.org jessie InRelease [13.2 kB]
Get:2 http://security.debian.org jessie/updates InRelease [63.1 kB]
E: Release file for http://deb.whonix.org/dists/jessie/InRelease is expired (invalid since 15h 51min 48s). Updates for this repository will not be applied.