
I am considering signing Whonix releases to provide an alternative to gnupg for verification. However, signify does not allow embedding time stamps or file names directly. It does not have a trusted comment feature.

minisign (compatible with signify) has a trusted comment feature, but it’s not available from packages.debian.org:
RFP: minisign – A dead simple tool to sign files and verify signatures

Therefore it’s not trivial to protect from rollback attacks / file name changes. It would require creating a text file that describes the file (filename, hash, time stamp) that is actually to be verified. (Similar to verifying a sha512 file and then using sha512sums to verify the actual file.) However, usability-wise that is a cumbersome process, so not much is gained from that.

We could tell users to check the version number before importing VMs.

  • That is easy with Whonix VirtualBox since it shows Whonix build version before importing.
  • For Whonix KVM? We could ship a text file inside the libvirt.xz archive which states its version number.

And then when an old version was downloaded, simply abort.

User documentation (generally, not Whonix verification):


1 Like
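
The manifest approach described in the post above (a small signed text file carrying filename, hash and time stamp, checked before the image itself), as an added example that is not from this thread or from Whonix. The JSON layout, function names and sample values are assumptions, and the signify signature over the manifest is assumed to have been verified separately.

```python
import hashlib
import json
import os
import tempfile

def sha512_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_manifest(path, timestamp):
    """Build the small text file that is signed instead of the image."""
    return json.dumps({"filename": os.path.basename(path),
                       "sha512": sha512_file(path),
                       "timestamp": timestamp}, sort_keys=True)

def check_release(manifest_text, path, not_before):
    """Return a list of problems; an empty list means the file is acceptable."""
    # Assumption: the signature over manifest_text was already verified.
    # not_before is the timestamp of the newest release the user knows of.
    m = json.loads(manifest_text)
    problems = []
    if m["filename"] != os.path.basename(path):
        problems.append("filename mismatch")
    if m["timestamp"] < not_before:
        problems.append("rollback: older than newest known release")
    if m["sha512"] != sha512_file(path):
        problems.append("hash mismatch")
    return problems

def demo():
    # Constructed sample data: tiny stand-in files and Unix timestamps.
    d = tempfile.mkdtemp()
    old = os.path.join(d, "Example-1.ova")
    new = os.path.join(d, "Example-2.ova")
    for p, data in ((old, b"old image"), (new, b"new image")):
        with open(p, "wb") as f:
            f.write(data)
    m_old, m_new = make_manifest(old, 1000), make_manifest(new, 2000)
    return {"current": check_release(m_new, new, 1000),
            "rollback": check_release(m_old, old, 2000),
            "renamed": check_release(m_old, new, 0)}

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```

Because only the manifest is signed, the signed message stays a few hundred bytes regardless of image size.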

Signify is great. It doesn’t have some of the problems GPG does and is also used by GrapheneOS (the project hardened_malloc was created for).

1 Like

Direct signing of files is implemented but untested.

Even if it’s working, it won’t be released/documented before the next release.


1 Like

signify-openbsd -S -s /home/user/.signify/keyname.sec -m /home/user/whonix_binary/Whonix-XFCE-

signify-openbsd: msg too large in /home/user/whonix_binary/Whonix-XFCE-

Cannot sign releases directly.

1 Like

This is now possible and documented:

Related poll:
