History of Whonix Signing

whonix-supporter · March 7, 2014, 9:57am

Dear Patrick,

I wanted to confirm some history with you regarding the OpenPGP signing for past releases.

Question #1:

Looking at this following page, I see that there was a transition of signing keys between Whonix 7 and Whonix 8.

https://www.whonix.org/wiki/Adrelanos

I am wondering if there were ever any other versions of the signing keys for past releases of Whonix, aos, or TorBOX, for any official releases or any testers only releases? Or have past versions only ever been signed by the same two keys used for Whonix 7 and Whonix 8?

Question #2:

At what version did releases for Whonix, aos, TorBOX originally first start being signed and published?

Thanks Patrick!

Patrick · March 7, 2014, 1:32pm

Thank you for your interest in this topic!

I only had these two keys in public use in my life.

My personal project history can be found on the Trust page as well, search it for “named proper in past” and you see the whole chain.

Archived releases can be found here:
http://sourceforge.net/projects/whonixoldarchivedreleases/files/old-archived-releases/

Not all testers-only versions have been archived. Sourceforge never complained yet. Thanks to them! And to keep it that way, I asked how much they can carry around. They told me, they preferred if we still used their space for releases that have most value to our community and would waste as little space as possible.

Up to TorBOX 0.1.3 the binary releases (+TorBOX 0.2.0-debootstrap) were made by anonymous, higher releases were build by me.

Placing Trust in Whonix ™ says “beginning from Whonix 0.4.5 OpenPGP signatures are uploaded.”. Some versions below were only published together with strong hash sums. Those hash sums were published on a https/hsts enabled website, namely TorBOX · Wiki · Legacy / Trac · GitLab. The torproject wiki history is still available and could be interesting. Check it out as long is lasts. Torproject admins could decide to purge this remaining page fragments any moment. In torproject wiki, only the wiki history feature prevented forging published hash sums. Anyone could have edited them after publishing (while the wiki history could only be tampered by people with access to torproject.org, which never included TorBOX developres). This fortunately never happened. Later strong hash sums were uploaded to sourceforge and only available over https for users who were logged into sourceforge. My memory about these old versions begins to fade away.

A bit of Whonix’s history has been written down:

Please feel encouraged to work on this. Would be really great before it’s lost. Please feel also free to ask anything else.

whonix-supporter · March 10, 2014, 6:45pm

Thank you, Patrick, for your detailed response and position of openness towards this issue.

I have read through the linked pages and several other pages of the Whonix website. Good reading. Thank you.

Also, thank you for the heads up about the historical TorBOX pages on Tor Project wiki. I will personally work on getting those permanently archived.

I have also been working on the “Verification Assets” page. Should have the first draft ready to publish soon.

Thanks again, Patrick!