Could not OpenPGP verify authenticity of Whonix News!

Saw something similar to this addressed in the forums about a year ago. Sounds like it was fixed at one point. I’m persistently getting the following warning when running WhonixCheck. Using apt-get upgrade doesn’t seem to solve this issue.

ERROR: Whonix News Download Result: Could not OpenPGP verify authenticity of Whonix News !!! (gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: true | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: ) This is either, - a Whonix Bug, - an attack on Whonix, - or Whonix News Keys might be outdated. Upgrading using apt-get might fix this. INFO: Whonix News gpg_bash_lib_output_diagnostic_message: gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file gpg_bash_lib_output_gpg_import_output: gpg: keyring `/tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/secring.gpg' created gpg: keyring `/tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/pubring.gpg' created gpg: /tmp/tmp.s479JmXymw/news_verify_dir/news_gpg/trustdb.gpg: trustdb created gpg: key 2EEACCDA: public key "Patrick Schleizer " imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys found gpg_bash_lib_output_gpg_verify_output: gpg: Signature made Fri 23 Oct 2015 08:18:55 AM JST using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer " gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 gpg: Signature notation: file@name=whonix_news.tar.xz Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48 gpg_bash_lib_output_gpg_verify_status_fd_output: [GNUPG:] SIG_ID 5nfHnoEfyvGZ7pyyfLJapb96B/A 2015-10-22 1445555935 [GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer [GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net [GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 [GNUPG:] NOTATION_NAME file@name [GNUPG:] NOTATION_DATA whonix_news.tar.xz [GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2015-10-22 1445555935 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA [GNUPG:] TRUST_ULTIMATE

Using Whonix 11?

Please post the output of the following command.

Another year passed and I am getting the same error now. It was OK a few days ago.

[ERROR] [whonixcheck] Whonix News Download Result:Could not OpenPGP verify authenticity of Whonix News !!!
(gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: false | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: )
This is either,
- a Whonix Bug,
- an attack on Whonix,
- or Whonix News Keys might be outdated. Upgrading using apt-get might fix this.
+++ return 0
+++ local 'MSG=<p><a href=https://www.whonix.org/wiki/Whonix_News>Whonix News</a> gpg_bash_lib_output_diagnostic_message:
<br></br>gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file<br />
gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file<br />
gpg_bash_lib_output_gpg_import_output:<br />
gpg: keyring `/tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/secring.gpg'\'' created<br />
gpg: keyring `/tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/pubring.gpg'\'' created<br />
gpg: /tmp/tmp.OPsFro4P8E/news/verify_dir/news_gpg/trustdb.gpg: trustdb created<br />
gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported<br />
gpg: Total number processed: 1<br />
gpg:               imported: 1  (RSA: 1)<br />
gpg: no ultimately trusted keys found<br />
gpg_bash_lib_output_gpg_verify_output:<br />
gpg: Signature made Wed 21 Sep 2016 08:30:49 PM UTC using RSA key ID 77BB3C48<br />
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>"<br />
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48<br />
gpg: Signature notation: file@name=whonix_news.tar.xz<br />
gpg: Note: This key has expired!<br />
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA<br />
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48<br />
gpg_bash_lib_output_gpg_verify_status_fd_output:<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] SIG_ID 9ty8LVftQpwsd5Y6JOXWKKKsCY4 2016-09-21 1474489849<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] EXPKEYSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net><br />
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net<br />
[GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48<br />
[GNUPG:] NOTATION_NAME file@name<br />
[GNUPG:] NOTATION_DATA whonix_news.tar.xz<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630770<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] KEYEXPIRED 1475630931<br />
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead<br />
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2016-09-21 1474489849 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA</p>'

Some GPG error also when doing apt-get update:

Reading package lists... Done
W: GPG error: http://mirror.whonix.de jessie InRelease: The following signatures were invalid: KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630931 KEYEXPIRED 1475630931 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630931 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630770 KEYEXPIRED 1475630931

What’s wrong?

My mistake, forgot to resign. Please try again.

The error is still there - signature date is newer, but still says that the key is expired:

[ERROR] [whonixcheck] Whonix News Download Result:Could not OpenPGP verify authenticity of Whonix News !!!
(gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: false | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: )
This is either,
- a Whonix Bug,
- an attack on Whonix,
- or Whonix News Keys might be outdated. Upgrading using apt-get might fix this.
+++ return 0
+++ local 'MSG=<p><a href=https://www.whonix.org/wiki/Whonix_News>Whonix News</a> gpg_bash_lib_output_diagnostic_message:
<br></br>gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file<br />
gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file<br />
gpg_bash_lib_output_gpg_import_output:<br />
gpg: keyring `/tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/secring.gpg'\'' created<br />
gpg: keyring `/tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/pubring.gpg'\'' created<br />
gpg: /tmp/tmp.yYtYXo2nE0/news/verify_dir/news_gpg/trustdb.gpg: trustdb created<br />
gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported<br />
gpg: Total number processed: 1<br />
gpg:               imported: 1  (RSA: 1)<br />
gpg: no ultimately trusted keys found<br />
gpg_bash_lib_output_gpg_verify_output:<br />
gpg: Signature made Wed 05 Oct 2016 09:16:40 PM UTC using RSA key ID 77BB3C48<br />
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>"<br />
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48<br />
gpg: Signature notation: file@name=whonix_news.tar.xz<br />
gpg: Note: This key has expired!<br />
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA<br />
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48<br />

You probably did not upgrade to Whonix 13?

Easiest: get Whonix 13.

Harder: upgrade to Whonix 13 if that still works.

Hello,

I use Whonix on Virtualbox everyday, and today, I have this error when running WhonixCheck:

[quote]ERROR: Whonix News Download Result:
Could not OpenPGP verify authenticity of Whonix News !!!
(gpg_bash_lib_output_gpg_verify_exit_code: 0 | gpg_bash_lib_output_validsig_status: true | gpg_bash_lib_output_alright_status: false | gpg_bash_lib_output_failure: )
This is either,

  • a Whonix Bug,
  • an attack on Whonix,
  • or Whonix News Keys might be outdated. Upgrading using apt-get might fix this.

INFO: Whonix News gpg_bash_lib_output_diagnostic_message:
gpg_bash_lib_internal_gpg_verify_status_fd_file: /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_status_fd_file
gpg_bash_lib_internal_gpg_verify_output_file: /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/gpg_bash_lib_internal_gpg_verify_output_file
gpg_bash_lib_output_gpg_import_output:
gpg: keyring /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/secring.gpg' created gpg: keyring /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/pubring.gpg’ created
gpg: /tmp/tmp.I2JYrkwSsK/news/verify_dir/news_gpg/trustdb.gpg: trustdb created
gpg: key 2EEACCDA: public key "Patrick Schleizer " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
gpg_bash_lib_output_gpg_verify_output:
gpg: Signature made Thu 23 Jun 2016 09:59:01 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer "
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=whonix_news.tar.xz
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48
gpg_bash_lib_output_gpg_verify_status_fd_output:
[GNUPG:] SIG_ID g+xq+3RlQXGgn22QZ87j/OpElAc 2016-06-23 1466675941
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net
[GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA whonix_news.tar.xz
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2016-06-23 1466675941 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
[GNUPG:] TRUST_ULTIMATE

WARNING: Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check:
(Open a terminal, Start Menu → Applications → System → Terminal.)

sudo apt-get update && sudo apt-get dist-upgrade

[/quote]

And when I try to update with the command:

sudo apt-get update && sudo apt-get dist-upgrade

I have this error:

[quote]Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Ign http://ftp.us.debian.org jessie InRelease
Hit http://ftp.us.debian.org jessie Release.gpg
Get:2 http://security.debian.org jessie/updates/main i386 Packages [305 kB]
Hit http://ftp.us.debian.org jessie Release
Get:3 http://www.whonix.org jessie InRelease [263 B]
Ign http://www.whonix.org jessie InRelease
Get:4 http://security.debian.org jessie/updates/contrib i386 Packages [2,526 B]
Get:5 http://security.debian.org jessie/updates/non-free i386 Packages [14 B]
Get:6 http://www.whonix.org jessie Release.gpg [265 B]
Ign http://www.whonix.org jessie Release.gpg
Get:7 http://security.debian.org jessie/updates/contrib Translation-en [1,211 B]
Get:8 http://security.debian.org jessie/updates/main Translation-en [163 kB]
Get:9 http://www.whonix.org jessie Release [261 B]
Ign http://www.whonix.org jessie Release
Get:10 http://security.debian.org jessie/updates/non-free Translation-en [14 B]
Get:11 http://www.whonix.org jessie/main i386 Packages/DiffIndex [290 B]
Ign http://www.whonix.org jessie/main i386 Packages/DiffIndex
Get:12 http://www.whonix.org jessie/main Translation-en_US [285 B]
Hit http://ftp.us.debian.org jessie/main i386 Packages
Get:13 http://www.whonix.org jessie/main Translation-en [282 B]
Hit http://ftp.us.debian.org jessie/contrib i386 Packages
Get:14 http://www.whonix.org jessie/main i386 Packages [283 B]
Hit http://ftp.us.debian.org jessie/non-free i386 Packages
Get:15 http://www.whonix.org jessie/main Translation-en_US [285 B]
Hit http://ftp.us.debian.org jessie/contrib Translation-en
Get:16 http://www.whonix.org jessie/main Translation-en [282 B]
Get:17 http://www.whonix.org jessie/main i386 Packages [283 B]
Hit http://ftp.us.debian.org jessie/main Translation-en
Get:18 http://www.whonix.org jessie/main Translation-en_US [285 B]
Hit http://ftp.us.debian.org jessie/non-free Translation-en
Get:19 http://www.whonix.org jessie/main Translation-en [282 B]
Get:20 http://www.whonix.org jessie/main i386 Packages [283 B]
Get:21 http://www.whonix.org jessie/main Translation-en_US [285 B]
Get:22 http://www.whonix.org jessie/main Translation-en [282 B]
Get:23 http://www.whonix.org jessie/main i386 Packages [283 B]
Get:24 http://www.whonix.org jessie/main Translation-en_US [285 B]
Ign http://www.whonix.org jessie/main Translation-en_US
Get:25 http://www.whonix.org jessie/main Translation-en [282 B]
Ign http://www.whonix.org jessie/main Translation-en
Get:26 http://www.whonix.org jessie/main i386 Packages [283 B]
Err http://www.whonix.org jessie/main i386 Packages
HttpError404
Fetched 535 kB in 21s (24.9 kB/s)
W: Failed to fetch http://www.whonix.org/download/whonixdevelopermetafiles/internal/dists/jessie/main/binary-i386/Packages HttpError404

E: Some index files failed to download. They have been ignored, or old ones used instead.
[/quote]

What can I do, please?

I have try to download Whonix 13 and install new VM’s on VirtualBox, but I have the same error on the new VM’s.

Thanks a lot for your attention.

My mistake. Happened during getting up new Whonix homepage today. Link broke. Will likely be fixed soon.

Should now be fixed.

Thanks a lot for your fast answer!

It’s fixed!

Thanks really a lot for all!!! :slight_smile:

1 Like

просто удали whonix и установи все заново. все отлично будет работать и гараздо лучше.

im getting the same error today…

I got same problem guys, since yesterday.
Worked perfectly fine.

I tried install new VM of Whonix 13 on Virtualbox but didn’t help :frowning:
Hope somebody have solution.

Is Whonix under attack or just a bug?
A spitted out whole google, tried the command:

Updated Virtualbox 13.
Tried updating “sudo apt-get update && sudo apt-get dist-upgrade” but said no updates available.
But nothing worked.
I’m out of ideas bout fixin this problem.

yea I think it’s a common problem at this point. Today is Sunday so much probably any admin/mod is gonna take a look. Let’s wait tomorrow for some update on the matter. Maybe the gpg key expired or they forgot to sign some package idk. We’ll see…

Fixed.

Having a similar issue today, is it a problem or just a little mistake during updates?

I have same issue too since yesterday.
I see it sometimes happens, let’s wait for Patrick to login and fix it.

Still down, I’ve just tried to update
Hit http://deb.whonix.org jessie InRelease
Hit http://security.debian.org jessie/updates InRelease
Ign http://ftp.us.debian.org jessie InRelease
E: Release file for http://deb.whonix.org/dists/jessie/InRelease is expired (invalid since 4h 16min 58s). Updates for this repository will not be applied.

1 Like

Yes, me too @5yn74x_3rr0r , I get the same output when updating, though my repositories are onionized, but I do get the same error specifically at the repo with /dists/jessie/InRelease .

I do not want to complain, I’m very thankful to whonix developers and everyone positively connected to it, but what? aren’t they making sufficient money to take a look at their own creature on a Monday?

@7harry7 I switched to the Proposed Stable Update Repository, Minor update, Nothing major…I’m still getting this now
Get:1 http://deb.whonix.org jessie InRelease [13.2 kB]
Get:2 http://security.debian.org jessie/updates InRelease [63.1 kB]
E: Release file for http://deb.whonix.org/dists/jessie/InRelease is expired (invalid since 15h 51min 48s). Updates for this repository will not be applied.