gpg verification on the windows platform

I am new to Whonix and gpg4win, so I need some help. I am going to tackle one issue at a time as needed.

My first issue is getting the secure version of gpg4win, following Whonix’s referred instructions here:

https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html

I imported the certificate and downloaded the most recent version; however, the program won’t install even though it says it has.

Remove and re-download? Or is this broken?

I am on Windows 10; help is greatly appreciated!

One issue at a time is great. Please also use descriptive, concise forum subjects.

Please ask the gpg4win developers since gpg4win is not maintained by Whonix and since this is not an issue caused by Whonix. Let us know how that went.

I understand, however I am also not sure how to use the command line on gpg4win as given in your instructions here,

using this code: cd [the directory in which you downloaded the .ova and the .asc]

Again, I am on Windows 10, so any help understanding this would be great! Thank you for your time.

Excuse me for starting a discussion of principles rather than answering your question. I am wondering whether this is worth the trouble of bothering with verification, or, if not, whether a hash check should be sufficient on the Windows platform. Allow me to explain…

The threat model in mind here is “always verify software signatures”. See:

Whonix ™ and Tor Limitations

Not a Whonix specific thing. General security advice. If you skipped that once for any software you ever installed, under that threat model you are at a very high risk. Only going the secure way for installing Whonix has very little gain in security.

In other words, did you verify all programs you installed on Windows? I.e. perhaps Firefox, Chrome, VLC, Office, whatever you might be using.

See also our chapter on Windows hosts for why I wonder if verification on the Windows platform is worth the trouble:
Computer Security Education - Whonix

So should I uninstall all the downloaded software and re-verify with the hash? (I haven’t downloaded a lot, only a few programs.)

So a hash is sufficient on Windows?

I just want to make sure Whonix is installed as securely as possible, as I don’t have a spare computer to put Whonix on.

Another thought: double VM? (Debian in a VM with Whonix on that.)

Just a thought. Thanks for your help.

If you already installed it previously, that would not undo any system compromise that may have happened during earlier execution.

If you keep downloading and installing applications such as Firefox etc. without gpg verification, which is probably what most users do, then gpg verification of Whonix adds little benefit. In the case that you have not already been compromised by installing unverified software, but the Whonix server was compromised and you figured out you got the right signing key and verified Whonix, then this would prevent compromise.

So you tell me.

No amount of nested VMs or otherwise can help to defeat host compromise.

Verify Whonix. Might as well control what you can. Plus Whonix would be a more attractive target for well-armed adversaries than say Minesweeper, or even MS Office (which might compromise too many false positive targets, including perhaps lawmakers). Who would cry foul if a bunch of Whonix users got compromised?

Just download from the main site (or any site - if you’re going to verify the signature anyway). gpg4win has comprehensive documentation including a walkthrough for novices (with screenshots).

Your real problem is what to do after you download it since you have no means of verifying the signature.

I can suggest 2 options assuming that you’ve already installed VirtualBox. (I don’t think Oracle even provides signed binaries - only unsigned checksums.) So that’s bad… but you’re using Windows anyway so… you’ve decided to accept some risks.

1. Make a Linux VM. Download gpg4win.exe in the VM and use gpg on Linux to verify the signature. [You’ll have to learn how to use gpg or some front-end on Linux. You’ll probably want to do this anyway so you can learn more about Linux and experiment with commands (Whonix is based on Debian). Linux also requires less disk space and computing resources than Windows (option #2). Actually if you do this, you don’t even need gpg4win, just use this VM for downloading everything you want to verify.]

-or-

2. Make a Windows VM. Download and install gpg4win.exe on your VM. Use gpg4win to verify gpg4win.exe after the fact. If the signature checks out, install it to your host. (Or do this on your host without the VM. But if the signature is bad, what will you do? Trash the host?)

You are going to have many questions while learning to use Whonix (most of them will not be Whonix-specific at all, meaning you’re going to need other resources to get them answered). A search engine is a good start: what is cd? what is a directory?

cd (command) - Wikipedia
Path (computing) - Wikipedia
Directory (computing) - Wikipedia
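The "cd, then gpg --verify" step from the instructions quoted earlier, and the "verify the file, then decide whether to install it" step from the options above, written out as an added PowerShell example for Gpg4win's gpg.exe (this is not code from the thread, from Whonix or from the Gpg4win project). The directory, file names and the all-zero fingerprint are placeholders; the point it demonstrates is that a "Good signature" line alone proves nothing, because any key in your keyring would produce one, so the script compares the signer's fingerprint against one obtained out of band.

```powershell
# Added example (not from the thread): verify a detached .asc signature on Windows
# with Gpg4win's gpg.exe and insist on a fingerprint you obtained out of band.
# Paths, file names and the fingerprint below are placeholders (assumptions).

$Dir         = "$env:USERPROFILE\Downloads"                 # where the .ova and .asc were saved
$File        = "Whonix.ova"                                 # placeholder: the file to verify
$Signature   = "Whonix.ova.asc"                             # placeholder: its detached signature
$ExpectedFpr = "0000000000000000000000000000000000000000"   # placeholder: signer's fingerprint

Set-Location $Dir   # this is the "cd [the directory ...]" step from the instructions

# --status-fd 1 makes gpg print machine-readable status lines to stdout,
# so the result is checked from those lines rather than from human-readable text.
$status = & gpg --status-fd 1 --verify $Signature $File 2>$null

# GOODSIG is emitted for any key in the keyring. VALIDSIG is the line to use:
# field 3 is the fingerprint of the (sub)key that signed, the last field is the
# primary key fingerprint, which is what key listings and websites usually show.
$validsig = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' }
$signerOk = $false
if ($validsig) {
    $parts    = ($validsig | Select-Object -First 1) -split ' '
    $signerOk = ($parts[2] -eq $ExpectedFpr) -or ($parts[-1] -eq $ExpectedFpr)
}

if ($LASTEXITCODE -eq 0 -and $signerOk) {
    Write-Output "OK: $File carries a valid signature from $ExpectedFpr"
} else {
    Write-Output "FAIL: do not install $File (gpg exit code $LASTEXITCODE, expected signer not matched)"
    exit 1
}
```

Import the signer's public key beforehand (gpg --import) and compare the fingerprint it shows with the value you paste into $ExpectedFpr; the script will report FAIL if the key is missing, the file was altered, or the signature was made by some other key.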
