I am considering to sign Whonix releases to provide an alternative to gnupg for verification. However, signify does not allow to embed time stamps or files names directly. It does not have a trusted comment feature.
minisign (compatible with signify) has a trusted comment feature, but it’s not available from packages.debian.org:
RFP: minisign – A dead simple tool to sign files and verify signatures
Therefore it’s not trivial to protect from rollback attacks / file name changes. It would require to create a text file that describes the file (filename, hash, time stamp) that is actually to be verified. (Similar to verifying a sha512 file to then using sha512sums to verify the actual file.) However, that is usability wise a cumbersome process so not much gained from that.
We could tell users to check the version number before importing VMs.
- That is easy with Whonix VirtualBox since it shows Whonix build version before importing.
- For Whonix KVM? We could ship a text file inside the
libvirt.xzarchive which states its version number.
And then when an old version was downloaded, simply abort.
User documentation (generally, not Whonix verification):
Signify is great. It doesn’t have some of the problems GPG does and is also used by GrapheneOS (the project hardened_malloc was created for).
Direct signing of files is implemented but untested.
Even if its working, it won’t be released/documented before the next release.
signify-openbsd -S -s /home/user/.signify/keyname.sec -m /home/user/whonix_binary/Whonix-XFCE-184.108.40.206.6.ova
signify-openbsd: msg too large in /home/user/whonix_binary/Whonix-XFCE-220.127.116.11.6.ova
Cannot sign releases directly.