Here’s how I verified the Monero binaries that are shipped with Whonix, for Monero v0.18.1.2
The verification consists of 3 major steps.
The first step is to check the sha512sum values of the existing monero binaries that are shipped with the Whonix:
$ sha512sum /usr/bin/monero*
$ sha512sum /usr/bin/monero*
6e3bad94a675a761a64c9e2cb4b8d541674376b941fe7470da894b6293d6898a6f70602d0c62782120fbd4da9655dbbd8c2222800637e8405ec0ec440dc32c26 /usr/bin/monero-blockchain-ancestry
ebe32a4e5b4e5a51a95cdc595edecf8b73c60e472f1e472cb5e0a98418f48a637a387956b67c4b3177d2f5ebcc9a786c0bd5a5cd72171f1cb21f82954b0195c5 /usr/bin/monero-blockchain-depth
12161becc3734a70f5e0b4629b173c6706a4ebff0ca018a6e8a04d9176a012d83908102c1a7f512780325a23c2d960dac67fd3ac600f9f7f0e5e1fa996f6f4c4 /usr/bin/monero-blockchain-export
f0c492158d72cb1a4f2f6603b9356f5623b6ba5cf0441b072d2068c2ce32c11d7db7d2fc86441dabda1c34036b03bf6aabd3282430ebcf53a4e3d0786e3bfb2c /usr/bin/monero-blockchain-import
6bf864727dad4ce35a5778778be64fcf8a11f62333697a4ce014b5786ef458927b575b61ff6ceff8d5cd7fcffe8786595be2751139a5d9d4c29eeb1f6b126717 /usr/bin/monero-blockchain-mark-spent-outputs
e7a8a9dee886cf0388e06e29d47f98d57a2e86e65ec967078c6e1d57211ce59fc14ced93437074a0fee86b62c1dc01ffe57543c0de64f779114696d8dc1a86e2 /usr/bin/monero-blockchain-prune
6472118f8a2eace8bf30c0acab01ec139a425577e2f831b00d948daa4cbaa37809fdc2c4fa5237255f4b176f246510052e8d65ab2373a168c3a96fac8de346a0 /usr/bin/monero-blockchain-prune-known-spent-data
fed2bfe8fae1f96af07dc54ceb456b1cd5c82857679d8106bd86e88448ba2d73ad0da1b462292190a8c449a02bfcabc4669d157ed713a6eb71de81141e9d2330 /usr/bin/monero-blockchain-stats
3a59195bbf8d362b8e630cf0193d31b4465e9c60d81892161645fe754b9f6380712e98ae6151daf9cd323e0d439c90a70c71774903d03f20e0fbedd7bf859eb6 /usr/bin/monero-blockchain-usage
fb7c9f2ef75c73bc2e985126c04e3f331fbfba5eb4ad0f02db95fbdd91a7a1afb481a9d343ccb5f95093181cb573f8df5a9c311f226e4e9e569ee221e07a84f0 /usr/bin/monerod
58ff75c29509e0ad3f0bcd452129e05566bcf0374cf3d7b675953a39a84b6f54b6f6948607e1f9edacc8244e773aa65da46c318097ec76c7392b0f0155081e0d /usr/bin/monero-gen-ssl-cert
8ca745091b7721baf5cb40f7212dce84cd5dc5be5d2eb64deb1a4a5ac1931b71eedb49294d64b1c15f2350927995daccc54b9fc92f492f5beaa20060197dec16 /usr/bin/monero-gen-trusted-multisig
2441c31b9cb04cffaa5d820e9668088e4427b4a193d3f539f5bf65970f76e17aad0ae5a2a2ae5762e2f7a1ef878981b7952ba18a0eafc4c2a4b0f2d863305b4d /usr/bin/monero-wallet-cli
b1dd3a0d3fbefe6fe42a35a0f38303763905c200b542844c29f634baf9d6f38ab9482d8540aed46c088b9c160ab53a8055a0a512a6768ea058538df5e7cdba45 /usr/bin/monero-wallet-gui
281eb133f624e6cb746567f1159409ac5e10d648a6cc43009b9b6a824a11afeadf55b0168c3d60fb2ab31f907648f674e3393b159c2dad89b59af1788415958b /usr/bin/monero-wallet-gui.AppImage
c6d6efe1119cd9e6250286c30a0f6fb9111c274e73109c3bca6683acd6c53093e24a9f0e6054c9810650ec4dffd95723548e55be1470a14ec778b08aadc7050b /usr/bin/monero-wallet-rpc
The second step is to compare these existing installed binaries with the ones that Whonix repo online. In this step, we are going to establish that the existing monero binaries indeed come from the Whonix’s existing online repository for monero binaries.
$ git clone https://gitlab.com/kicksecure/monero-gui.git
$ cd monero-gui
$ $ sha512sum usr/bin/monero*
6e3bad94a675a761a64c9e2cb4b8d541674376b941fe7470da894b6293d6898a6f70602d0c62782120fbd4da9655dbbd8c2222800637e8405ec0ec440dc32c26 usr/bin/monero-blockchain-ancestry
ebe32a4e5b4e5a51a95cdc595edecf8b73c60e472f1e472cb5e0a98418f48a637a387956b67c4b3177d2f5ebcc9a786c0bd5a5cd72171f1cb21f82954b0195c5 usr/bin/monero-blockchain-depth
12161becc3734a70f5e0b4629b173c6706a4ebff0ca018a6e8a04d9176a012d83908102c1a7f512780325a23c2d960dac67fd3ac600f9f7f0e5e1fa996f6f4c4 usr/bin/monero-blockchain-export
f0c492158d72cb1a4f2f6603b9356f5623b6ba5cf0441b072d2068c2ce32c11d7db7d2fc86441dabda1c34036b03bf6aabd3282430ebcf53a4e3d0786e3bfb2c usr/bin/monero-blockchain-import
6bf864727dad4ce35a5778778be64fcf8a11f62333697a4ce014b5786ef458927b575b61ff6ceff8d5cd7fcffe8786595be2751139a5d9d4c29eeb1f6b126717 usr/bin/monero-blockchain-mark-spent-outputs
e7a8a9dee886cf0388e06e29d47f98d57a2e86e65ec967078c6e1d57211ce59fc14ced93437074a0fee86b62c1dc01ffe57543c0de64f779114696d8dc1a86e2 usr/bin/monero-blockchain-prune
6472118f8a2eace8bf30c0acab01ec139a425577e2f831b00d948daa4cbaa37809fdc2c4fa5237255f4b176f246510052e8d65ab2373a168c3a96fac8de346a0 usr/bin/monero-blockchain-prune-known-spent-data
fed2bfe8fae1f96af07dc54ceb456b1cd5c82857679d8106bd86e88448ba2d73ad0da1b462292190a8c449a02bfcabc4669d157ed713a6eb71de81141e9d2330 usr/bin/monero-blockchain-stats
3a59195bbf8d362b8e630cf0193d31b4465e9c60d81892161645fe754b9f6380712e98ae6151daf9cd323e0d439c90a70c71774903d03f20e0fbedd7bf859eb6 usr/bin/monero-blockchain-usage
fb7c9f2ef75c73bc2e985126c04e3f331fbfba5eb4ad0f02db95fbdd91a7a1afb481a9d343ccb5f95093181cb573f8df5a9c311f226e4e9e569ee221e07a84f0 usr/bin/monerod
58ff75c29509e0ad3f0bcd452129e05566bcf0374cf3d7b675953a39a84b6f54b6f6948607e1f9edacc8244e773aa65da46c318097ec76c7392b0f0155081e0d usr/bin/monero-gen-ssl-cert
8ca745091b7721baf5cb40f7212dce84cd5dc5be5d2eb64deb1a4a5ac1931b71eedb49294d64b1c15f2350927995daccc54b9fc92f492f5beaa20060197dec16 usr/bin/monero-gen-trusted-multisig
2441c31b9cb04cffaa5d820e9668088e4427b4a193d3f539f5bf65970f76e17aad0ae5a2a2ae5762e2f7a1ef878981b7952ba18a0eafc4c2a4b0f2d863305b4d usr/bin/monero-wallet-cli
b1dd3a0d3fbefe6fe42a35a0f38303763905c200b542844c29f634baf9d6f38ab9482d8540aed46c088b9c160ab53a8055a0a512a6768ea058538df5e7cdba45 usr/bin/monero-wallet-gui
281eb133f624e6cb746567f1159409ac5e10d648a6cc43009b9b6a824a11afeadf55b0168c3d60fb2ab31f907648f674e3393b159c2dad89b59af1788415958b usr/bin/monero-wallet-gui.AppImage
c6d6efe1119cd9e6250286c30a0f6fb9111c274e73109c3bca6683acd6c53093e24a9f0e6054c9810650ec4dffd95723548e55be1470a14ec778b08aadc7050b usr/bin/monero-wallet-rpc
You can eyeball the sha512sum values in the first and the second steps, and you can see that they are identical.
To make sure the downloaded gitlab repo belongs to the whonix developer, Patrick Schleizer, we will import his GPG key and check the singatures on the gitlab repo commits:
Find Patrick’s key here.
Download the derivative.asc file linked on that page. And then do:
$ gpg --import derivative.asc
$ git log --show-signature
This should result in a list of commits on the whonix monero gitlab repo, with the message, Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [unknown]
.
This proves that the gitlab whonix monero repo we downloaded belongs to Patrick. And thus, the sha512sum values we calculated on the second step above belongs to the binaries that are distributed by Patrick. The first step’s sha512sum values show the binaries that comes by default with whonix-ws-16 are the same as those of the step two.
The only remaining thing is to make sure these sha512sum values also are the same as the monero binaries that are distributed by the monero devs.
Third step we download the monero binaries from monero’s official github. It is here. Make sure the downloaded binaries belong to the monero binaries version existing in the whonix-ws-16. To check the existing monerod version you can do $ monerod --version
.
After the download completes, extract the tar.bz2 file:
$ 7z x monero-linux-x64-v0.18.1.2.tar.bz2
$ 7z x monero-linux-x64-v0.18.1.2.tar
Let’s also check the sha256sum of the tar.bz2 file we downloaded:
$ sha256sum monero-linux-x64-v0.18.1.2.tar.bz2
7d51e7072351f65d0c7909e745827cfd3b00abe5e7c4cc4c104a3c9b526da07e monero-linux-x64-v0.18.1.2.tar.bz2
And compare this value to the hashes listed in the github link above. Once the sha256sum of the tar.bz2 checks correct, we can continue with calculating the sha512sum values of the binaries that comes with that tar.bz2 file:
$ sha512sum monero-x86_64-linux-gnu-v0.18.1.2/monero*
6e3bad94a675a761a64c9e2cb4b8d541674376b941fe7470da894b6293d6898a6f70602d0c62782120fbd4da9655dbbd8c2222800637e8405ec0ec440dc32c26 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-ancestry
ebe32a4e5b4e5a51a95cdc595edecf8b73c60e472f1e472cb5e0a98418f48a637a387956b67c4b3177d2f5ebcc9a786c0bd5a5cd72171f1cb21f82954b0195c5 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-depth
12161becc3734a70f5e0b4629b173c6706a4ebff0ca018a6e8a04d9176a012d83908102c1a7f512780325a23c2d960dac67fd3ac600f9f7f0e5e1fa996f6f4c4 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-export
f0c492158d72cb1a4f2f6603b9356f5623b6ba5cf0441b072d2068c2ce32c11d7db7d2fc86441dabda1c34036b03bf6aabd3282430ebcf53a4e3d0786e3bfb2c monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-import
6bf864727dad4ce35a5778778be64fcf8a11f62333697a4ce014b5786ef458927b575b61ff6ceff8d5cd7fcffe8786595be2751139a5d9d4c29eeb1f6b126717 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-mark-spent-outputs
e7a8a9dee886cf0388e06e29d47f98d57a2e86e65ec967078c6e1d57211ce59fc14ced93437074a0fee86b62c1dc01ffe57543c0de64f779114696d8dc1a86e2 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-prune
6472118f8a2eace8bf30c0acab01ec139a425577e2f831b00d948daa4cbaa37809fdc2c4fa5237255f4b176f246510052e8d65ab2373a168c3a96fac8de346a0 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-prune-known-spent-data
fed2bfe8fae1f96af07dc54ceb456b1cd5c82857679d8106bd86e88448ba2d73ad0da1b462292190a8c449a02bfcabc4669d157ed713a6eb71de81141e9d2330 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-stats
3a59195bbf8d362b8e630cf0193d31b4465e9c60d81892161645fe754b9f6380712e98ae6151daf9cd323e0d439c90a70c71774903d03f20e0fbedd7bf859eb6 monero-x86_64-linux-gnu-v0.18.1.2/monero-blockchain-usage
fb7c9f2ef75c73bc2e985126c04e3f331fbfba5eb4ad0f02db95fbdd91a7a1afb481a9d343ccb5f95093181cb573f8df5a9c311f226e4e9e569ee221e07a84f0 monero-x86_64-linux-gnu-v0.18.1.2/monerod
58ff75c29509e0ad3f0bcd452129e05566bcf0374cf3d7b675953a39a84b6f54b6f6948607e1f9edacc8244e773aa65da46c318097ec76c7392b0f0155081e0d monero-x86_64-linux-gnu-v0.18.1.2/monero-gen-ssl-cert
8ca745091b7721baf5cb40f7212dce84cd5dc5be5d2eb64deb1a4a5ac1931b71eedb49294d64b1c15f2350927995daccc54b9fc92f492f5beaa20060197dec16 monero-x86_64-linux-gnu-v0.18.1.2/monero-gen-trusted-multisig
2441c31b9cb04cffaa5d820e9668088e4427b4a193d3f539f5bf65970f76e17aad0ae5a2a2ae5762e2f7a1ef878981b7952ba18a0eafc4c2a4b0f2d863305b4d monero-x86_64-linux-gnu-v0.18.1.2/monero-wallet-cli
c6d6efe1119cd9e6250286c30a0f6fb9111c274e73109c3bca6683acd6c53093e24a9f0e6054c9810650ec4dffd95723548e55be1470a14ec778b08aadc7050b monero-x86_64-linux-gnu-v0.18.1.2/monero-wallet-rpc
Finally, you can eyeball-confirm that these sha512sum values are the same as the ones we calculated in the first and second steps.
This concludes:
- the monero binaries that comes with whonix-ws-16 are the same as those published on whonix/kicksecure gitlab
- the above gitlab repo belongs to the Patrick Schleizer, maintainer of whonix and the monero community crowdfunding applicant for maintaining the monero binaries in debian/whonix
- the monero binaries that get distributed by the monero developers are the same as those come with in the whonix-ws-16