Signature fails for workstation 11.0.0.3.0 torrent

I am using Fedora 22 newly updated. I use the KVM manager “Virtual Machine Manager 1.2.1”. I never get as far as running the VM.

I downloaded the torrent files for both the workstation and gateway version 11.0.0.3.0 from whonix.org. The signature for the gateway torrent works OK. The signature for the workstation fails.

gpg --verify Whonix-Gateway-11.0.0.3.0.libvirt.xz.torrent.asc Whonix-Gateway-11.0.0.3.0.libvirt.xz.torrent
gpg: Signature made Tue 16 Jun 2015 04:03:27 BDT using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48

gpg --verify Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent.asc Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent
gpg: Signature made Tue 16 Jun 2015 04:35:41 BDT using RSA key ID 77BB3C48
gpg: BAD signature from "Patrick Schleizer <adrelanos@riseup.net>"

I managed to download both of these torrents but I don’t want to touch them because of this signature issue. Where can I find the signature for the downloaded files so I can check those?

Can someone please run this check on these files? They are tiny and download in a second. The files are here

https://www.whonix.org/download/11.0.0.3.0/Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent.asc
https://www.whonix.org/download/11.0.0.3.0/Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent

You run the check like this “gpg --verify Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent.asc Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent”

Works for me.

gpg --verify Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent.asc
gpg: assuming signed data in `Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent'
gpg: Signature made Tue 16 Jun 2015 12:35:41 AM CEST using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

gpg --verify Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent.asc Whonix-Workstation-11.0.0.3.0.libvirt.xz.torrent
gpg: Signature made Tue 16 Jun 2015 12:35:41 AM CEST using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [ultimate]

Try redownload.

Thanks. Got it working with a fresh download. I don’t know what happened there!

Now I know that the torrent files which I downloaded from whonix.org are OK.

Should I check that the data which I torrented is also OK with another signature?

Can do. Torrent is not the safest way of verification. The torrent file will be well verified by gpg but the file itself is by torrent only protected by sha1. So checking against the usual file signature is a security plus.
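What "protected by sha1" means in practice, as an added example that is not from this thread or from the Whonix project: a .torrent stores one SHA-1 per piece of the payload, so the gpg signature on the .torrent covers the image only transitively through those hashes, and the piece check is the only integrity check the torrent client itself performs. The torrent, tracker URL and payload below are constructed stand-ins, and a single-file torrent layout is assumed.

```python
import hashlib

# Constructed stand-ins (assumption): a small payload in place of the .libvirt.xz image.
PIECE_LEN = 1024
PAYLOAD = b"constructed sample payload standing in for the Whonix image " * 200

def make_torrent(name, payload, piece_len):
    """Build a minimal single-file .torrent: bencoded dict, one SHA-1 per piece."""
    pieces = b"".join(hashlib.sha1(payload[k:k + piece_len]).digest()
                      for k in range(0, len(payload), piece_len))
    info = (b"d6:lengthi%de4:name%d:%s12:piece lengthi%de6:pieces%d:%se"
            % (len(payload), len(name), name, piece_len, len(pieces), pieces))
    return b"d8:announce31:http://tracker.example/announce4:info%se" % info

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; returns (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                        # list l...e or dict d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[::2], items[1::2])), i + 1
    colon = data.index(b":", i)                  # byte string: <len>:<bytes>
    length = int(data[i:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length

def verify_pieces(torrent_bytes, payload):
    """True only if every piece of payload matches the SHA-1 list in the torrent."""
    info = bdecode(torrent_bytes)[0][b"info"]
    piece_len, hashes = info[b"piece length"], info[b"pieces"]
    if info[b"length"] != len(payload):
        return False
    expected = [hashes[k:k + 20] for k in range(0, len(hashes), 20)]
    chunks = [payload[k:k + piece_len] for k in range(0, len(payload), piece_len)]
    return len(chunks) == len(expected) and all(
        hashlib.sha1(ch).digest() == h for ch, h in zip(chunks, expected))

TORRENT = make_torrent(b"Whonix-Workstation-sample.xz", PAYLOAD, PIECE_LEN)

def demo():
    """Intact payload passes; a single flipped bit in the last piece fails."""
    tampered = PAYLOAD[:-1] + bytes([PAYLOAD[-1] ^ 0x01])
    return verify_pieces(TORRENT, PAYLOAD), verify_pieces(TORRENT, tampered)
```

The direct .asc on the image, verified with gpg as later in this thread, does not depend on this SHA-1 chain at all, which is the "security plus" Patrick refers to.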

What signature file do I use to check against the file itself? It was only the Workstation file which was a problem for me. I see a signature for the small .torrent file but not for the binary itself:

If I were subject to a “man in the middle” attack I guess that the whonix.org download page could be rewritten so that I downloaded a doctored torrent file. Then I’d end up with a doctored binary from the attacker’s web site.

I am sure I’ve just made a mistake in this case. But I will follow through and compare the binary I downloaded to whatever signature file you point me at.

What signature file do I use to check against the file itself?
https://www.whonix.org/wiki/KVM#Download_Whonix OpenPGP Signature

Patrick,

I am being thicker than the big print version of the Encyclopedia Britannica. Do you mean for me to do this?: I would never expect this to work and it doesn’t. I thought I should be looking for a file called Whonix-Workstation-11.0.0.3.0.libvirt.xz.asc but I cannot find that file.

gpg --verify patrick.asc Whonix-Workstation-11.0.0.3.0.libvirt.xz
gpg: no valid OpenPGP data found.
gpg: verify signatures failed: unexpected data

This cannot work.

See the full instructions because they include further important stuff:

What I meant, go to Whonix for KVM. In the Whonix-Workstation column, find where it says “OpenPGP Signature”. This link https://www.whonix.org/download/11.0.0.3.0/Whonix-Workstation-11.0.0.3.0.libvirt.xz.asc. Download that file.

gpg --verify Whonix-Workstation-11.0.0.3.0.libvirt.xz.asc

Thanks Patrick. That worked.