We can keep it even simpler for Windows users. XFCE version only. Everything else on a by search/by ask basis.
Btw Whonix VirtualBox images nowadays contain a manifest. Once imported, images should be fine. Non-malicious corrupted downloads are excluded due to integrated hash check by VirtualBox (manifest). (Maliciously modified downloads could have the hashsums in the manifest modified as well or somehow manifest hash check disabled.)
Haven’t herd of certutil but there is also signcode. (No preference yet. Little knowledge on Windows native digital signatures by me yet.)
(These tools can also be used on the Linux platform. If I was to figure out how to use these, I could automate creating such signatures during build of Whonix.)
(VirtualBox also has some kind of native signing but no one figured it out yet and we couldn’t use it since Whonix Windows Installer as a necessity wraps around it. References:
Just now remembered I did reserach Windows native software signatures a while ago and even tweet about it (also as note to self):
https://twitter.com/Whonix/status/1097805887438241792
story here:
Release Windows gifski.exe with a digital signature · ImageOptim/gifski · GitHub