gpg: verify signatures failed: Unexpected error

Downloaded Whonix-XFCE-15.0.1.3.9.libvirt.xz + hulahoop.asc

I checked every command in the verify section and all were going well until I reached this command:

gpg --verify Whonix*.libvirt.xz.asc Whonix*.libvirt.xz

will give:

gpg: can't open 'Whonix*.libvirt.xz.asc': No Such file or directory
gpg: verify signatures failed: No such file or directory

I switched the naming of the key to the downloaded name which is hulahoop.asc:

gpg --verify hulahoop.asc Whonix*.libvirt.xz

will give:

gpg verify signatures failed: Unexpected error

This happened because the instructions weren't for hulahoop.asc but for Whonix-XFCE-15.0.1.3.9.libvirt.xz.asc

So as a user this is confusing: either give 2 instructions, or ask to download both keys, or fix the commands, or remove one of the keys.

Another thing to be added is instructions to check sha512sums.

This happens if you are not in the same directory the tarball and sig are in.

This is incorrect. You import the key and you verify the code, both in separate commands.

Everything works from my tests so there is some mistake on your end.

Redundant as any corrupted download will fail to give a good signature when verifying.

Same directory with hulahoop.asc or Whonix-XFCE-15.0.1.3.9.libvirt.xz.asc?

whonix-kvm version is 15.0.1.3.9

Ah I see, but isn't that as well a good sign for the user to reset the download instead of using a corrupted image?

Whonix-XFCE-15.0.1.3.9.libvirt.xz.asc

Whoever bothers to check the sig will know about the corruption problem. Those who won’t, won’t bother with checksums either and so it’s not worth complicating the setup process over.

Yeah, that's what I meant when I said

So may I suggest that you make the table of the keys similar to, for example, the Qubes one:

http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/downloads/

They add all of the keys on one side, no up and down.

For the user, what he will do is download all keys available then follow the instructions, so what is the difference on our side then?

This line:

1. Download HulaHoop [archive]'s OpenPGP key from the website.

can be added with:

OpenPGP Signature ( sha512 , sig )

can be renamed to (or anything as you like):

HulaHoop [archive]'s , Whonix*.libvirt.xz.asc ( sha512 , sig )

and this line:

1. Download HulaHoop [archive]'s OpenPGP key from the website.

can be replaced with, e.g.:

After you have downloaded whonix and the keys in the same path follow these commands
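An added example, not part of the thread or of the Whonix documentation: the mix-up above comes from two different `.asc` files, the signing key (hulahoop.asc) and the detached signature (Whonix*.libvirt.xz.asc). The sketch below reads each file's ASCII-armor header and refuses to run when the arguments are swapped; the function names `armor_type` and `verify_download` are hypothetical.

```shell
#!/bin/sh
# Added example: classify an ASCII-armored OpenPGP file by its armor header
# so a public key is never handed to `gpg --verify` as if it were a signature.

# Print "key", "signature" or "unknown" for the file named in $1.
armor_type() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # Strip CR so files saved with Windows line endings still match.
    header=$(tr -d '\r' < "$1" | grep -m1 '^-----BEGIN PGP ' || true)
    case "$header" in
        "-----BEGIN PGP PUBLIC KEY BLOCK-----") echo key ;;
        "-----BEGIN PGP SIGNATURE-----")        echo signature ;;
        *)                                      echo unknown ;;
    esac
}

# verify_download KEYFILE SIGFILE IMAGE
# Returns 2 when an argument is the wrong kind of file or the image is
# missing, otherwise the exit status of gpg (0 means a good signature).
verify_download() {
    keyfile=$1 sigfile=$2 image=$3
    if [ "$(armor_type "$keyfile")" != key ]; then
        echo "$keyfile is not a public key block" >&2; return 2
    fi
    if [ "$(armor_type "$sigfile")" != signature ]; then
        echo "$sigfile is not a detached signature" >&2; return 2
    fi
    [ -f "$image" ] || { echo "$image not found in $(pwd)" >&2; return 2; }
    # Two separate steps, as described in the thread: import, then verify.
    # Compare the imported key's fingerprint with the published one as well.
    gpg --import "$keyfile" || return 1
    gpg --verify "$sigfile" "$image"
}
```

Called as `verify_download hulahoop.asc Whonix-XFCE-15.0.1.3.9.libvirt.xz.asc Whonix-XFCE-15.0.1.3.9.libvirt.xz` from the download directory, it runs the import and the verification in the order the replies describe.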