Is this the correct PGP key?

gpg --verify-options show-notations --verify Whonix-XFCE-16.0.3.1.Intel_AMD64.qcow2.libvirt.xz.asc Whonix-XFCE-16.0.3.1.Intel_AMD64.qcow2.libvirt.xz
gpg: Signature made Mon 04 Oct 2021 12:13:34 AM GMT
gpg: using RSA key 66F46246C900707FF10DC1E4EB27D2F8CEE41ACC
gpg: Good signature from "HulaHoop" [unknown]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=66F46246C900707FF10DC1E4EB27D2F8CEE41ACC
gpg: Signature notation: file@name=Whonix-XFCE-16.0.3.1.Intel_AMD64.qcow2.libvirt.xz
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85
Subkey fingerprint: 66F4 6246 C900 707F F10D C1E4 EB27 D2F8 CEE4 1ACC
“Signature made Mon 04 Oct 2021 12:13:34 AM GMT”
The Whonix wiki said: Check the GPG signature timestamp makes sense. For example, if you previously saw a signature from 2021 and now see a signature from 2020, then this might be a targeted rollback (downgrade) or indefinite freeze attack.

Everything checks out. This signature was made on the day the build was done. I don’t understand what your concern is. If you have Patrick’s key you could verify that he signed mine.

Please see: Download the Signing Key for Whonix ™ KVM

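The two checks discussed in this thread (does the signature chain to the expected primary key, and is its timestamp no older than one seen before) can be scripted against gpg's machine-readable status lines. This is an added example, not part of the original posts or the Whonix project's tooling; `check_sig`, `SAMPLE_STATUS` and `PINNED` are names made up here, and the sample status text is constructed from the values in the question.

```shell
#!/bin/sh
# Added example. In real use, feed check_sig the output of:
#   gpg --status-fd 1 --verify IMAGE.asc IMAGE 2>/dev/null
# VALIDSIG fields after the keyword (GnuPG doc/DETAILS): signing-key fingerprint,
# date, signature timestamp, expiry, version, reserved, pubkey algo, hash algo,
# signature class, primary-key fingerprint.

# check_sig STATUS_TEXT PINNED_PRIMARY_FPR LAST_SEEN_EPOCH
# Returns 0 ok, 1 no usable signature, 2 unexpected primary key,
# 3 signature older than one already seen (possible rollback or freeze).
check_sig() {
    status=$1
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    last_seen=$3
    # A bad signature, or a good one from an expired or revoked key, is refused.
    printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) ' && return 1
    fields=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $5, $12; exit }')
    [ -n "$fields" ] || return 1
    sig_epoch=${fields%% *}
    primary=${fields##* }
    # Only an epoch-seconds timestamp is accepted here; anything else is refused.
    case $sig_epoch in '' | *[!0-9]*) return 1 ;; esac
    [ "$primary" = "$pinned" ] || return 2
    [ "$sig_epoch" -ge "$last_seen" ] || return 3
    return 0
}

# Constructed sample built from the values shown in the post above
# (1633306414 = 2021-10-04 00:13:34 UTC); not captured gpg output.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EB27D2F8CEE41ACC HulaHoop
[GNUPG:] VALIDSIG 66F46246C900707FF10DC1E4EB27D2F8CEE41ACC 2021-10-04 1633306414 0 4 0 1 10 00 04EF2F666D36C354058B9DD450C78B6F9FF2EC85'

# The pin below is copied from the post for illustration; take a real pin from
# the project's signing-key page over a channel you trust.
PINNED='04EF 2F66 6D36 C354 058B 9DD4 50C7 8B6F 9FF2 EC85'

check_sig "$SAMPLE_STATUS" "$PINNED" 0 && echo "signature accepted"
```

Store the accepted timestamp after each successful verification and pass it as the third argument next time, so an older signature is flagged.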