How to verify the Monero binaries that are shipped with Whonix?

Whonix gets shipped with Monero binaries by default. This is provided to whonix users as per the monero community crowdfunding: ccs dot getmonero dot org/proposals/adrelanos-debian-package.html

Is there a way to verify the binaries that get shipped with whonix against the corresponding monero hashes/signatures that get published on monero github?

Thank you for your question. Such verification processes are probably done far too infrequently for all Open Source projects.

No special instructions should be required, but documented just now for educational purposes:
monero-gui package audit

Does this help?


I quickly read the whonix wiki page you linked. It seems like it is concerned about verifying the git repo that whonix uses to build the deb packages. Correct me if I am wrong in that.

While that is good, I would like to know if there is a way to verify the binaries located under /usr/bin/ directory:

$ ls -la /usr/bin/monero*
-rwxr-xr-x 1 root root  13M Oct 21  2015 /usr/bin/monero-blockchain-ancestry
-rwxr-xr-x 1 root root  12M Oct 21  2015 /usr/bin/monero-blockchain-depth
-rwxr-xr-x 1 root root  12M Oct 21  2015 /usr/bin/monero-blockchain-export
-rwxr-xr-x 1 root root  13M Oct 21  2015 /usr/bin/monero-blockchain-import
-rwxr-xr-x 1 root root 9.2M Oct 21  2015 /usr/bin/monero-blockchain-mark-spent-outputs
-rwxr-xr-x 1 root root  12M Oct 21  2015 /usr/bin/monero-blockchain-prune
-rwxr-xr-x 1 root root  12M Oct 21  2015 /usr/bin/monero-blockchain-prune-known-spent-data
-rwxr-xr-x 1 root root  12M Oct 21  2015 /usr/bin/monero-blockchain-stats
-rwxr-xr-x 1 root root  12M Oct 21  2015 /usr/bin/monero-blockchain-usage
-rwxr-xr-x 1 root root  22M Oct 21  2015 /usr/bin/monerod
-rwxr-xr-x 1 root root 8.2M Oct 21  2015 /usr/bin/monero-gen-ssl-cert
-rwxr-xr-x 1 root root  25M Oct 21  2015 /usr/bin/monero-gen-trusted-multisig
-rwxr-xr-x 1 root root  26M Oct 21  2015 /usr/bin/monero-wallet-cli
-rwxr-xr-x 1 root root 112M Oct 21  2015 /usr/bin/monero-wallet-gui
-rwxr-xr-x 1 root root   20 Oct 21  2015 /usr/bin/monero-wallet-gui.AppImage
-rwxr-xr-x 1 root root  27M Oct 21  2015 /usr/bin/monero-wallet-rpc

So, I would like to verify these binaries, if possible.

Ah, I should’ve read more closely!
I think this part directly addresses my concern:

Binaries in the monero-gui git repository provided by Kicksecure / Whonix should be compared to have the same cryptographic hash as files provided by upstream monero-gui.

sha512sum ./usr/bin/*
sha512sum ./usr/share/doc/monero-gui/*

These hashsums should match the hashsums provided by binaries in the upstream monero-gui download.

I will read it and follow the guide and report back on my verification endeavor.

Here’s how I verified the Monero binaries that are shipped with Whonix, for Monero v0.18.1.2.

The verification consists of 3 major steps.
The first step is to check the sha512sum values of the existing monero binaries that are shipped with Whonix:

$ sha512sum /usr/bin/monero*
6e3bad94a675a761a64c9e2cb4b8d541674376b941fe7470da894b6293d6898a6f70602d0c62782120fbd4da9655dbbd8c2222800637e8405ec0ec440dc32c26  /usr/bin/monero-blockchain-ancestry
ebe32a4e5b4e5a51a95cdc595edecf8b73c60e472f1e472cb5e0a98418f48a637a387956b67c4b3177d2f5ebcc9a786c0bd5a5cd72171f1cb21f82954b0195c5  /usr/bin/monero-blockchain-depth
12161becc3734a70f5e0b4629b173c6706a4ebff0ca018a6e8a04d9176a012d83908102c1a7f512780325a23c2d960dac67fd3ac600f9f7f0e5e1fa996f6f4c4  /usr/bin/monero-blockchain-export
f0c492158d72cb1a4f2f6603b9356f5623b6ba5cf0441b072d2068c2ce32c11d7db7d2fc86441dabda1c34036b03bf6aabd3282430ebcf53a4e3d0786e3bfb2c  /usr/bin/monero-blockchain-import
6bf864727dad4ce35a5778778be64fcf8a11f62333697a4ce014b5786ef458927b575b61ff6ceff8d5cd7fcffe8786595be2751139a5d9d4c29eeb1f6b126717  /usr/bin/monero-blockchain-mark-spent-outputs
e7a8a9dee886cf0388e06e29d47f98d57a2e86e65ec967078c6e1d57211ce59fc14ced93437074a0fee86b62c1dc01ffe57543c0de64f779114696d8dc1a86e2  /usr/bin/monero-blockchain-prune
6472118f8a2eace8bf30c0acab01ec139a425577e2f831b00d948daa4cbaa37809fdc2c4fa5237255f4b176f246510052e8d65ab2373a168c3a96fac8de346a0  /usr/bin/monero-blockchain-prune-known-spent-data
fed2bfe8fae1f96af07dc54ceb456b1cd5c82857679d8106bd86e88448ba2d73ad0da1b462292190a8c449a02bfcabc4669d157ed713a6eb71de81141e9d2330  /usr/bin/monero-blockchain-stats
3a59195bbf8d362b8e630cf0193d31b4465e9c60d81892161645fe754b9f6380712e98ae6151daf9cd323e0d439c90a70c71774903d03f20e0fbedd7bf859eb6  /usr/bin/monero-blockchain-usage
fb7c9f2ef75c73bc2e985126c04e3f331fbfba5eb4ad0f02db95fbdd91a7a1afb481a9d343ccb5f95093181cb573f8df5a9c311f226e4e9e569ee221e07a84f0  /usr/bin/monerod
58ff75c29509e0ad3f0bcd452129e05566bcf0374cf3d7b675953a39a84b6f54b6f6948607e1f9edacc8244e773aa65da46c318097ec76c7392b0f0155081e0d  /usr/bin/monero-gen-ssl-cert
8ca745091b7721baf5cb40f7212dce84cd5dc5be5d2eb64deb1a4a5ac1931b71eedb49294d64b1c15f2350927995daccc54b9fc92f492f5beaa20060197dec16  /usr/bin/monero-gen-trusted-multisig
2441c31b9cb04cffaa5d820e9668088e4427b4a193d3f539f5bf65970f76e17aad0ae5a2a2ae5762e2f7a1ef878981b7952ba18a0eafc4c2a4b0f2d863305b4d  /usr/bin/monero-wallet-cli
b1dd3a0d3fbefe6fe42a35a0f38303763905c200b542844c29f634baf9d6f38ab9482d8540aed46c088b9c160ab53a8055a0a512a6768ea058538df5e7cdba45  /usr/bin/monero-wallet-gui
281eb133f624e6cb746567f1159409ac5e10d648a6cc43009b9b6a824a11afeadf55b0168c3d60fb2ab31f907648f674e3393b159c2dad89b59af1788415958b  /usr/bin/monero-wallet-gui.AppImage
c6d6efe1119cd9e6250286c30a0f6fb9111c274e73109c3bca6683acd6c53093e24a9f0e6054c9810650ec4dffd95723548e55be1470a14ec778b08aadc7050b  /usr/bin/monero-wallet-rpc

The second step is to compare these existing installed binaries with the ones in the Whonix repository online. In this step, we are going to establish that the existing monero binaries indeed come from Whonix’s existing online repository for monero binaries.

$ git clone https://gitlab.com/kicksecure/monero-gui.git
$ cd monero-gui
$ sha512sum usr/bin/monero*
6e3bad94a675a761a64c9e2cb4b8d541674376b941fe7470da894b6293d6898a6f70602d0c62782120fbd4da9655dbbd8c2222800637e8405ec0ec440dc32c26  usr/bin/monero-blockchain-ancestry
ebe32a4e5b4e5a51a95cdc595edecf8b73c60e472f1e472cb5e0a98418f48a637a387956b67c4b3177d2f5ebcc9a786c0bd5a5cd72171f1cb21f82954b0195c5  usr/bin/monero-blockchain-depth
12161becc3734a70f5e0b4629b173c6706a4ebff0ca018a6e8a04d9176a012d83908102c1a7f512780325a23c2d960dac67fd3ac600f9f7f0e5e1fa996f6f4c4  usr/bin/monero-blockchain-export
f0c492158d72cb1a4f2f6603b9356f5623b6ba5cf0441b072d2068c2ce32c11d7db7d2fc86441dabda1c34036b03bf6aabd3282430ebcf53a4e3d0786e3bfb2c  usr/bin/monero-blockchain-import
6bf864727dad4ce35a5778778be64fcf8a11f62333697a4ce014b5786ef458927b575b61ff6ceff8d5cd7fcffe8786595be2751139a5d9d4c29eeb1f6b126717  usr/bin/monero-blockchain-mark-spent-outputs
e7a8a9dee886cf0388e06e29d47f98d57a2e86e65ec967078c6e1d57211ce59fc14ced93437074a0fee86b62c1dc01ffe57543c0de64f779114696d8dc1a86e2  usr/bin/monero-blockchain-prune
6472118f8a2eace8bf30c0acab01ec139a425577e2f831b00d948daa4cbaa37809fdc2c4fa5237255f4b176f246510052e8d65ab2373a168c3a96fac8de346a0  usr/bin/monero-blockchain-prune-known-spent-data
fed2bfe8fae1f96af07dc54ceb456b1cd5c82857679d8106bd86e88448ba2d73ad0da1b462292190a8c449a02bfcabc4669d157ed713a6eb71de81141e9d2330  usr/bin/monero-blockchain-stats
3a59195bbf8d362b8e630cf0193d31b4465e9c60d81892161645fe754b9f6380712e98ae6151daf9cd323e0d439c90a70c71774903d03f20e0fbedd7bf859eb6  usr/bin/monero-blockchain-usage
fb7c9f2ef75c73bc2e985126c04e3f331fbfba5eb4ad0f02db95fbdd91a7a1afb481a9d343ccb5f95093181cb573f8df5a9c311f226e4e9e569ee221e07a84f0  usr/bin/monerod
58ff75c29509e0ad3f0bcd452129e05566bcf0374cf3d7b675953a39a84b6f54b6f6948607e1f9edacc8244e773aa65da46c318097ec76c7392b0f0155081e0d  usr/bin/monero-gen-ssl-cert
8ca745091b7721baf5cb40f7212dce84cd5dc5be5d2eb64deb1a4a5ac1931b71eedb49294d64b1c15f2350927995daccc54b9fc92f492f5beaa20060197dec16  usr/bin/monero-gen-trusted-multisig
2441c31b9cb04cffaa5d820e9668088e4427b4a193d3f539f5bf65970f76e17aad0ae5a2a2ae5762e2f7a1ef878981b7952ba18a0eafc4c2a4b0f2d863305b4d  usr/bin/monero-wallet-cli
b1dd3a0d3fbefe6fe42a35a0f38303763905c200b542844c29f634baf9d6f38ab9482d8540aed46c088b9c160ab53a8055a0a512a6768ea058538df5e7cdba45  usr/bin/monero-wallet-gui
281eb133f624e6cb746567f1159409ac5e10d648a6cc43009b9b6a824a11afeadf55b0168c3d60fb2ab31f907648f674e3393b159c2dad89b59af1788415958b  usr/bin/monero-wallet-gui.AppImage
c6d6efe1119cd9e6250286c30a0f6fb9111c274e73109c3bca6683acd6c53093e24a9f0e6054c9810650ec4dffd95723548e55be1470a14ec778b08aadc7050b  usr/bin/monero-wallet-rpc

You can eyeball the sha512sum values in the first and the second steps, and you can see that they are identical.
To make sure the downloaded gitlab repo belongs to the whonix developer, Patrick Schleizer, we will import his GPG key and check the signatures on the gitlab repo commits:
Find Patrick’s key here.
Download the derivative.asc file linked on that page. And then do:

$ gpg --import derivative.asc
$ git log --show-signature

This should result in a list of commits on the whonix monero gitlab repo, each with the message Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [unknown].
This proves that the gitlab whonix monero repo we downloaded belongs to Patrick. And thus, the sha512sum values we calculated in the second step above belong to the binaries that are distributed by Patrick. The first step’s sha512sum values show that the binaries that come by default with whonix-ws-16 are the same as those of step two.

The only remaining thing is to make sure these sha512sum values are also the same as those of the monero binaries that are distributed by the monero devs.

In the third step, we download the monero binaries from monero’s official github. It is here. Make sure the downloaded binaries are the same monero version as the one installed in whonix-ws-16. To check the installed monerod version you can do $ monerod --version.

After the download completes, extract the tar.bz2 file:

$ 7z x monero-linux-x64-v0.18.1.2.tar.bz2
$ 7z x monero-linux-x64-v0.18.1.2.tar

Let’s also check the sha256sum of the tar.bz2 file we downloaded:

$ sha256sum monero-linux-x64-v0.18.1.2.tar.bz2
7d51e7072351f65d0c7909e745827cfd3b00abe5e7c4cc4c104a3c9b526da07e  monero-linux-x64-v0.18.1.2.tar.bz2

And compare this value to the hashes listed in the github link above. Once the sha256sum of the tar.bz2 checks out, we can continue with calculating the sha512sum values of the binaries that come with that tar.bz2 file:

$ sha512sum monero-x86_64-linux-gnu-v0.18.1.2/monero*
6e3bad94a675a761a64c9e2cb4b8d541674376b941fe7470da894b6293d6898a6f70602d0c62782120fbd4da9655dbbd8c2222800637e8405ec0ec440dc32c26  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-ancestry
ebe32a4e5b4e5a51a95cdc595edecf8b73c60e472f1e472cb5e0a98418f48a637a387956b67c4b3177d2f5ebcc9a786c0bd5a5cd72171f1cb21f82954b0195c5  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-depth
12161becc3734a70f5e0b4629b173c6706a4ebff0ca018a6e8a04d9176a012d83908102c1a7f512780325a23c2d960dac67fd3ac600f9f7f0e5e1fa996f6f4c4  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-export
f0c492158d72cb1a4f2f6603b9356f5623b6ba5cf0441b072d2068c2ce32c11d7db7d2fc86441dabda1c34036b03bf6aabd3282430ebcf53a4e3d0786e3bfb2c  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-import
6bf864727dad4ce35a5778778be64fcf8a11f62333697a4ce014b5786ef458927b575b61ff6ceff8d5cd7fcffe8786595be2751139a5d9d4c29eeb1f6b126717  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-mark-spent-outputs
e7a8a9dee886cf0388e06e29d47f98d57a2e86e65ec967078c6e1d57211ce59fc14ced93437074a0fee86b62c1dc01ffe57543c0de64f779114696d8dc1a86e2  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-prune
6472118f8a2eace8bf30c0acab01ec139a425577e2f831b00d948daa4cbaa37809fdc2c4fa5237255f4b176f246510052e8d65ab2373a168c3a96fac8de346a0  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-prune-known-spent-data
fed2bfe8fae1f96af07dc54ceb456b1cd5c82857679d8106bd86e88448ba2d73ad0da1b462292190a8c449a02bfcabc4669d157ed713a6eb71de81141e9d2330  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-stats
3a59195bbf8d362b8e630cf0193d31b4465e9c60d81892161645fe754b9f6380712e98ae6151daf9cd323e0d439c90a70c71774903d03f20e0fbedd7bf859eb6  monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-usage
fb7c9f2ef75c73bc2e985126c04e3f331fbfba5eb4ad0f02db95fbdd91a7a1afb481a9d343ccb5f95093181cb573f8df5a9c311f226e4e9e569ee221e07a84f0  monero-x86_64-linux-gnu-v0.18.1.2/monerod
58ff75c29509e0ad3f0bcd452129e05566bcf0374cf3d7b675953a39a84b6f54b6f6948607e1f9edacc8244e773aa65da46c318097ec76c7392b0f0155081e0d  monero-x86_64-linux-gnu-v0.18.1.2/monero-gen-ssl-cert
8ca745091b7721baf5cb40f7212dce84cd5dc5be5d2eb64deb1a4a5ac1931b71eedb49294d64b1c15f2350927995daccc54b9fc92f492f5beaa20060197dec16  monero-x86_64-linux-gnu-v0.18.1.2/monero-gen-trusted-multisig
2441c31b9cb04cffaa5d820e9668088e4427b4a193d3f539f5bf65970f76e17aad0ae5a2a2ae5762e2f7a1ef878981b7952ba18a0eafc4c2a4b0f2d863305b4d  monero-x86_64-linux-gnu-v0.18.1.2/monero-wallet-cli
c6d6efe1119cd9e6250286c30a0f6fb9111c274e73109c3bca6683acd6c53093e24a9f0e6054c9810650ec4dffd95723548e55be1470a14ec778b08aadc7050b  monero-x86_64-linux-gnu-v0.18.1.2/monero-wallet-rpc

Finally, you can eyeball-confirm that these sha512sum values are the same as the ones we calculated in the first and second steps.

This concludes:

  1. the monero binaries that come with whonix-ws-16 are the same as those published on the whonix/kicksecure gitlab
  2. the above gitlab repo belongs to Patrick Schleizer, maintainer of whonix and the monero community crowdfunding applicant for maintaining the monero binaries in debian/whonix
  3. the monero binaries that are distributed by the monero developers are the same as those that come with whonix-ws-16

documented just now:
monero-gui package audit

Alright thanks, @Patrick. Going forward, are you still going to maintain the whonix/debian package repository for Monero? When can we expect the new Monero version to be available in the Whonix?

I wrote a script to automatically compare the checksums of upstream to those that are installed on Whonix. This works today, but if anything changes in how Monero is packaged it will likely break.

Example of a failed test, produced by deliberately downloading a newer version than is installed on the system.

user@host:~$ ./verify_monero.sh
Downloading Monero (XMR) binaries from upstream.
monero-gui-linux-x64-v0.18.2 100%[============================================>] 116.67M 454KB/s in 5m 19s
Verifying download integrity…
Verification Successful: SHA256 checksum matches.

Extracting files…
Collecting SHA256 checksums of upstream and installed binaries.
Verification Failed: SHA256 checksums do not match.
The script may be broken, please verify manually.
Monero (XMR): A Reasonably Private Digital Currency

Example of running the script normally; the script automatically detects the installed version.

user@host:~$ ./verify_monero.sh
Downloading Monero (XMR) binaries from upstream.
monero-gui-linux-x64-v0.18.1 100%[============================================>] 116.19M 636KB/s in 3m 53s
Verifying download integrity…
Verification Successful: SHA256 checksum matches.

Extracting files…
Collecting SHA256 checksums of upstream and installed binaries.
Verification Successful: SHA256 checksums match.
For more details see the log file in ~/monero-verification.log

Log file.

== Result of Monero (XMR) binary SHA256 checksum verification ==

Upstream Binaries SHA256 Checksums:
0db68dd1278cd…

Installed Binaries SHA256 Checksums:
0db68dd1278cd…

Log file created at Sat 11 Mar 2023 06:28:02 PM UTC
Documentation on auditing Monero packages:
Monero (XMR): A Reasonably Private Digital Currency

The script.

https://paste.openstack.org/show/819102/

Note that I have no knowledge of how scripts should be written, this is just what I could put together.
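
The comparison at the heart of the three-step procedure above and of the verify_monero.sh script, as an added example that is not the thread's own script: it hashes every binary in an extracted upstream directory with sha512sum, looks for the same-named file in the installed directory and reports MATCH, MISMATCH or MISSING, failing on any of the latter two. It also handles the case visible in the thread where the installed set contains files (monero-wallet-gui, the AppImage) that the CLI tarball does not ship, reporting them as UNCHECKED rather than failing. Directory names and the file contents are constructed placeholders standing in for /usr/bin and the extracted tarball.

```shell
#!/bin/sh
# Added example, not the thread's own verify_monero.sh: compare SHA-512 hashes of
# installed Monero binaries against the ones unpacked from the upstream tarball.
# Usage: compare_monero_bins INSTALLED_DIR UPSTREAM_DIR
# Exit status 0 only if every upstream binary has an installed copy with the same hash.

hash_of() {
    # sha512sum prints "<hash>  <path>"; keep only the hash column
    sha512sum "$1" | cut -d ' ' -f 1
}

compare_monero_bins() {
    installed_dir=$1; upstream_dir=$2; status=0
    for up in "$upstream_dir"/monero*; do
        [ -f "$up" ] || continue          # skip the literal pattern when nothing matches
        name=$(basename "$up")
        if [ ! -f "$installed_dir/$name" ]; then
            echo "MISSING   $name (in upstream release, not installed)"; status=1
        elif [ "$(hash_of "$up")" = "$(hash_of "$installed_dir/$name")" ]; then
            echo "MATCH     $name"
        else
            echo "MISMATCH  $name"; status=1
        fi
    done
    # Installed files with no upstream counterpart (e.g. monero-wallet-gui, which
    # ships in the separate GUI release) are reported but do not fail the check.
    for inst in "$installed_dir"/monero*; do
        [ -f "$inst" ] || continue
        name=$(basename "$inst")
        [ -f "$upstream_dir/$name" ] || echo "UNCHECKED $name (not in this upstream tarball)"
    done
    return "$status"
}

# Constructed demo trees standing in for /usr/bin and the extracted upstream
# directory; file contents are placeholders, only their hashes matter here.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/installed" "$DEMO/upstream"
printf 'monerod v0.18.1.2 build' > "$DEMO/installed/monerod"
printf 'monerod v0.18.1.2 build' > "$DEMO/upstream/monerod"
printf 'wallet-cli build' > "$DEMO/installed/monero-wallet-cli"
printf 'wallet-cli build' > "$DEMO/upstream/monero-wallet-cli"
printf 'wallet-gui build' > "$DEMO/installed/monero-wallet-gui"   # GUI-only, no CLI tarball copy

echo "== identical builds =="
compare_monero_bins "$DEMO/installed" "$DEMO/upstream" && echo "RESULT: all upstream binaries verified"

echo "== newer upstream monerod than the installed one =="
printf 'monerod v0.18.2.0 build' > "$DEMO/upstream/monerod"
compare_monero_bins "$DEMO/installed" "$DEMO/upstream" || echo "RESULT: verification failed, check manually"
```

Point the two arguments at /usr/bin and the extracted monero-x86_64-linux-gnu-v0.18.1.2 directory to run it for real, after the tarball's own sha256sum has been checked against the published hashes as the thread describes.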

@nondescript cool script, thx.
@Patrick when can we expect the monero upgrade to v0.18.2.0?