Whonix looks great.
This is why I would like to install it.
But I beg your pardon, in
/VirtualBox/Verify_the_virtual_machine_images_using_the_command_line
I can't find how to import the Whonix key, even though I think I succeeded in importing it thanks to an old topic about verifying.
I don't know how to download the cryptographic (OpenPGP) signature corresponding to the virtual machine image I want to verify.
As expected, when I write
gpg --verify-options show-notations --verify Whonix-.ova.asc Whonix-.ova
an error appears, first because it should be on the screen
gpg --verify-options show-notations --verify derivative.asc Whonix-*.ova
Secondly, because I have to put
gpg --verify-options show-notations --verify derivative.asc Whonix-16.0.4.2.ova
Anyway, I don't succeed in verifying, or I always download an unverifiable file.
I also don't know how to install.
When I try to install, I get this error:
The appliance /home/auie/Downloads/Whonix-XFCE-16.0.4.2.ova could not be imported:
Error code: NS_ERROR_INVALID_ARG (0x80070057)
Conceptually you cannot learn instructions how to verify digital software signatures from the same website that is offering the digital software signatures.
This is elaborated here:
(Whonix is based on Kicksecure.)
As for learning digital software verification, you are independent of Whonix. It is a general skill, not specific to Whonix. See also:
Without a deep understanding of the digital software verification threat model you won’t be able to profit from it.
Thank you very much Patrick for your answer.
When you download Ubuntu, you just have to paste echo "f92f7dca5bb6690e1af0052687ead49376281c7b64fbe4179cc44025965b7d1c *ubuntu-20.04.4-desktop-amd64.iso" | shasum -a 256 --check into the terminal to know whether your file is correct. I find this way much simpler.
I have already read the webpage you showed me. We can see an example with the verification of Firefox. I did with Whonix what was done with Firefox.
I wrote:
gpg --import derivative.asc
and
gpg --verify-options show-notations --verify derivative.asc Whonix-XFCE-16.0.4.2.ova
I got this output:
auie@ThinkPad-L570:~/Downloads$ gpg --import derivative.asc
gpg: key 8D66066A2EEACCDA: 104 signatures not checked due to missing keys
gpg: /home/auie/.gnupg/trustdb.gpg: trustdb created
gpg: key 8D66066A2EEACCDA: public key "Patrick Schleizer adrelanos@kicksecure.com" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
auie@ThinkPad-L570:~/Downloads$
Because with Ubuntu you are not verifying the authenticity of the image, just the checksum. If anyone hacks their web server and changes the image and the message digest, you would be prone to this attack.
By verifying that the software was signed by the author, you are sure that the image was made by the developer.
Thank you very much nyxnor for your answer.
I'm sorry, when you go to your linked page and click on "download the signing key", you receive the derivative.asc file and not the file that you and the website indicate.