How to verify and install Whonix?

Whonix looks great.
That is why I would like to install it.

But I beg your pardon: in
/VirtualBox/Verify_the_virtual_machine_images_using_the_command_line

I don't find how to import the Whonix key, even though I think I succeeded in importing it thanks to an old topic about verifying.
I don't know how to download the cryptographic (OpenPGP) signature corresponding to the virtual machine image I want to verify.

As expected, when I type
gpg --verify-options show-notations --verify Whonix-.ova.asc Whonix-.ova

an error appears, first because what is shown on the screen is
gpg --verify-options show-notations --verify derivative.asc Whonix-*.ova

and secondly because I have to write
gpg --verify-options show-notations --verify derivative.asc Whonix-16.0.4.2.ova

Anyway, I don't succeed in verifying, or I always download an unverifiable file.

I also don't know how to install it.
When I install, I get the error:
The appliance /home/auie/Downloads/Whonix-XFCE-16.0.4.2.ova could not be imported:
Error code: NS_ERROR_INVALID_ARG (0x80070057)

Please can someone help me to verify and install?

Conceptually, you cannot learn instructions on how to verify digital software signatures from the same website that is offering the digital software signatures.

This is elaborated here:

(Whonix is based on Kicksecure.)

As for learning digital software verification, you are independent of Whonix. It is a general skill, unspecific to Whonix. See also:

Without a deep understanding of the digital software verification threat model you won’t be able to profit from it.

Digital software signatures can increase security but this requires knowledge. Learn more about digital software signature verification.

VirtualBox/Verify the virtual machine images using Linux - Whonix says, quote:

1. Import the signing key.

Refer to the more secure, detailed Whonix ™ Signing Key instructions.

From documentation:

Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

Also, please: 1 issue = 1 forum thread. Please do not mix multiple different topics into the same forum thread.

Also:

E_INVALIDARG (0x80070057)

Thank you very much, Patrick, for your answer.
When you download Ubuntu, you just have to paste
echo "f92f7dca5bb6690e1af0052687ead49376281c7b64fbe4179cc44025965b7d1c *ubuntu-20.04.4-desktop-amd64.iso" | shasum -a 256 --check
in the terminal to know if your file is correct. I find this way much simpler.
I already read the webpage that you showed me. We can see an example with the verification of Firefox. I did with Whonix what had been done with Firefox.
I wrote:
gpg --import derivative.asc

and
gpg --verify-options show-notations --verify derivative.asc Whonix-XFCE-16.0.4.2.ova

I got the answers
auie@ThinkPad-L570:~/Downloads$ gpg --import derivative.asc
gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys
gpg: /home/auie/.gnupg/trustdb.gpg: trustdb created
gpg: key 8D66066A2EEACCDA: public key "Patrick Schleizer adrelanos@kicksecure.com" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
auie@ThinkPad-L570:~/Downloads$

and
auie@ThinkPad-L570:~/Downloads$ gpg --verify-options show-notations --verify derivative.asc Whonix-XFCE-16.0.4.2.ova
gpg: no valid OpenPGP data found.
gpg: verify signatures failed: Unexpected error
auie@ThinkPad-L570:~/Downloads$

Please, do you understand that I don't understand why it is so simple to verify an Ubuntu download and so complicated to verify a Whonix download?

Because with Ubuntu you are not verifying the authenticity of the image, just the checksum. If anyone hacks their webserver and changes the image and the message digest, you would be prone to this attack.
By verifying that the software was signed by the author, you are sure that the image was made by the developer.

auie@ThinkPad-L570:~/Downloads$ gpg --verify-options show-notations --verify derivative.asc Whonix-XFCE-16.0.4.2.ova

This line is wrong and it is not present in the documentation; it is a user mistake.

The correct line is on this page:
gpg --verify-options show-notations --verify Whonix-*.ova.asc Whonix-*.ova

therefore use:
gpg --verify-options show-notations --verify Whonix-XFCE-16.0.4.2.ova.asc Whonix-XFCE-16.0.4.2.ova

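The difference nyxnor describes (a checksum only proves the file matches whatever the web server currently publishes, a signature proves who produced it) and the mistake in the command above (passing the key file where the signature file belongs) can both be reproduced offline. The script below is an added example, not code from the Whonix project, its documentation, or anyone in this thread. It creates a throwaway signing key and a constructed "release" in a temporary directory; the file names signing-key.asc (standing in for derivative.asc, the key you --import) and release.ova.asc (standing in for Whonix-XFCE-*.ova.asc, the signature you --verify), the user ID "Demo Signer <demo@example.invalid>" and the payload text are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the Whonix project or from anyone in this thread.
# It builds a throwaway "release" in a temp directory and contrasts the two
# checks discussed above: a published SHA256 checksum (the Ubuntu-style check)
# and a detached OpenPGP signature (the Whonix-style check). All file names,
# the key's user ID and the payload are constructed for the demo:
# signing-key.asc plays the role of derivative.asc (the key you --import),
# release.ova.asc the role of Whonix-XFCE-*.ova.asc (the signature you --verify).
set -eu

# Print "<label>=ok" if the detached signature $2 over file $3 verifies with the
# keys the user imported, "<label>=FAIL" otherwise. A good signature from a key
# that is merely imported (not trusted) still exits 0, with a WARNING on stderr.
sig_check() {
  if GNUPGHOME="$USR" gpg --batch --quiet --verify-options show-notations \
       --verify "$2" "$3" >/dev/null 2>&1; then
    echo "$1=ok"
  else
    echo "$1=FAIL"
  fi
}

# Print "<label>=ok" if release.ova matches the published SHA256SUMS file.
sum_check() {
  if (cd "$WORK" && sha256sum --quiet -c SHA256SUMS >/dev/null 2>&1); then
    echo "$1=ok"
  else
    echo "$1=FAIL"
  fi
}

# Run the whole scenario and print one summary line.
verify_demo() {
  if ! command -v gpg >/dev/null 2>&1 || ! command -v sha256sum >/dev/null 2>&1; then
    echo "skipped: gpg or sha256sum not installed"
    return 0
  fi
  WORK=$(mktemp -d)
  DEV="$WORK/developer"   # the signer's keyring (holds the private key)
  USR="$WORK/user"        # the downloader's keyring (public key only)
  mkdir -m 700 "$DEV" "$USR"
  trap 'GNUPGHOME="$DEV" gpgconf --kill gpg-agent 2>/dev/null || true;
        GNUPGHOME="$USR" gpgconf --kill gpg-agent 2>/dev/null || true;
        rm -rf "$WORK"' EXIT

  # Developer side: create the release, sign it, publish the key and a checksum.
  printf 'constructed release payload\n' > "$WORK/release.ova"
  GNUPGHOME="$DEV" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never
  GNUPGHOME="$DEV" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/release.ova.asc" "$WORK/release.ova"
  GNUPGHOME="$DEV" gpg --batch --quiet --armor --export demo@example.invalid \
    > "$WORK/signing-key.asc"
  (cd "$WORK" && sha256sum release.ova > SHA256SUMS)

  # User side: import the KEY file, then verify the SIGNATURE file against the image.
  GNUPGHOME="$USR" gpg --batch --quiet --import "$WORK/signing-key.asc" 2>/dev/null

  r1=$(sum_check checksum_before)
  r2=$(sig_check sig_before "$WORK/release.ova.asc" "$WORK/release.ova")
  # The mistake from the thread: handing gpg the key file where the signature
  # belongs. A public key block contains no signature over the image, so it fails.
  r3=$(sig_check sig_keyfile_as_sig "$WORK/signing-key.asc" "$WORK/release.ova")

  # An attacker who controls the download server swaps the image AND regenerates
  # the checksum file. Without the private key they cannot produce a new signature.
  printf 'tampered payload\n' > "$WORK/release.ova"
  (cd "$WORK" && sha256sum release.ova > SHA256SUMS)
  r4=$(sum_check checksum_after_tamper)
  r5=$(sig_check sig_after_tamper "$WORK/release.ova.asc" "$WORK/release.ova")

  echo "$r1 $r2 $r3 $r4 $r5"
}

verify_demo
```

The summary line shows checksum_after_tamper=ok next to sig_after_tamper=FAIL: the checksum test is satisfied by the attacker's own replacement, the signature test is not. The key file is imported once; the `.asc` next to the image is what goes on the `--verify` line.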

Thank you very much, nyxnor, for your answer.
I'm sorry, but when you go to your linked page and click on "download the signing key", you receive the derivative.asc file and not the file which you and the website indicate.

Don’t make this about Whonix. Don’t rely on Whonix for this one. Since Whonix instructions are confusing…

  1. Verify any file on the internet, anything whatsoever, but not Whonix.
  2. Retry with Whonix.

Thank you, Patrick, for your piece of advice.