[archived] Previous, now Deprecated Whonix Windows Installer Testing

Could you try to import using the command line please? Hopefully that will give more debug output.

1 Like

Maybe a version mismatch? Windows installer VirtualBox version is outdated. And Kicksecure was created with latest stable version of VirtualBox.

Maybe updating VirtualBox would solve this?

1 Like

Command line import command from Whonix ™ for VirtualBox with Xfce footnotes (expanded):

eula show:

/path/to/vboxmanage import /path/to/ova --vsys 0 --eula show

eula accept

/path/to/vboxmanage import /path/to/ova --vsys 0 --eula accept

Perhaps --vsys 0 can or must be dropped since only a single VM and not two VMs in one ova.

#18343 (Unable to import OVA with error NS_ERROR_INVALID_ARG) – Oracle VM VirtualBox says this could be an out of disk space issue. Do [all] disks have enough disk space? Let’s say two or three times as much as ova size (even with VirtualBox VMs on drive D: VirtualBox might do extraction/temporary files on drive C:, dunno).

1 Like

Created a new Whonix Installer with the latest VirtualBox version (quick and dirty) and had no issues. Looks like a mismatch.

Still want me to try importing Kicksecure (CLI) with older Whonix installer?

1 Like

We just have to know about this and tell users to upgrade VirtualBox.

No need.

1 Like

https://imgur.com/a/RHg2QaR

Can’t make head or tail of it yet. Error message is here:

https://github.com/Whonix/Whonix-Windows-UI/blob/master/Whonix-UI/error.xaml#L11

You appear to execute this program from a folder which doesn’t contain the necessary files for it to operate properly. Please try reinstalling this program via the Whonix-Installer. If the program persists, please contact the developer at: https://forums.whonix.org

I’ve had this same issue when running the Whonix Installer.

To recap. This happened when:

  1. (after building from source) I ran the wrong executable (InstallWhonix.exe) which is built alongside the Whonix Installer and can be found in \current_working_directory\InstallWhonix.exe

This is one of the reasons for changing the installer name from Install Whonix.exe to whonix-installer.exe . (to prevent confusion)

Not sure of the purpose of this executable?

  2. When Norton anti-virus quarantines a needed file when the whonix-installer.exe is run. This has happened to me more than a few times…

Obviously there could be other reasons for this issue.

This is a common fix for Windows users. But I think we can do better…

When I start working on development again I plan on trying to resolve this issue and work on better error handling for the installer.

1 Like

If anyone is having issues with the Whonix installer you will likely receive a faster response by asking your question on the Whonix forum as opposed to emailing myself or Whonix developers directly.

I don’t mind answering questions via email, but when questions are asked in the Whonix public forums, all community members can benefit from the answers provided by the Whonix team and greater community.

1 Like

Very much agreed.

I personally usually refuse to help by e-mail, unless professional (paid) support requests. And link to Free Support for Whonix ™ (Unless something minor.)

(Needless to say: everyone is free to e-mail anyone of course.)

1 Like

Will be updating the following wiki pages to reflect the latest Whonix release,

Also updating (pull requests) where needed:

Should we also have a separate wiki page (For Testers)?

Looking forward, what information would be helpful for users to provide if anyone encounters the above?

1 Like

gpg4win website nowadays has a valid, CA signed TLS certificate / functional https. Therefore chapter for manual TLS certificate installation removed.

Is there still any point of downloading SignTools from microsoft.com to use it to verify gpg4win? Connecting to microsoft.com over TLS only vs connecting to gpg4win.org over TLS only seems to be equally dangerous. There seems to be a bootstrapping problem of securely obtaining gpg4win on the Windows platform anyhow.

Or is initially downloading SignTools (which then will be used to verify gpg4win) from microsoft.com more secure because microsoft.com is on the TLS Static Public Key Pinning list?

TLS Public Key Pinning (HPKP) was deprecated but does TLS Static Public Key Pinning still exist?

References for TLS static pinning:

Can anyone find a TLS Static Public Key Pinning list?

However, I doubt it. curl --head https://www.microsoft.com does not even include an HSTS header.

//cc @madaidan

1 Like

It’s not just about the connection. It’d be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win.

curl --head https://www.microsoft.com/en-us/ does though which is weird.

Whonix Windows installer might come back to life. Stay tuned for updates.


Alright. Pointed that out and extended that chapter just now.

Software Digital Signature Verification Tools Installation

Introduction

Due to Conceptual Challenges in Digital Signatures Verification and impracticality, unpopularity of digital software signature verification on the Windows platform, this is a cumbersome process. None of these issues are specific to Whonix ™ or caused by Whonix ™. [3]

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.

Most other vendors of software on the Windows platform are either unaware or ignore this issue. The Whonix ™ project makes an effort to document and cope with the mess on the Windows platform.

This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the Whonix ™ project and other software.

Option A) The following guide provides steps to:

  1. Download and installation of SignTool.
  2. Download Gpg4win.
  3. Verify Gpg4win using SignTool.
  4. Import the developer’s GPG signing key into Gpg4win.
  5. Verify the Whonix ™ Windows Installer using Gpg4win.

SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures.

GnuPG [archive] is a complete and free implementation of OpenPGP that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. Gpg4win [archive] is a graphical front end for GnuPG that is used for file and email encryption in Windows. The verification process for the Whonix ™ Windows Installer includes securely downloading and verifying the gpg4win package. Once completed GPG can be used from the command-line to verify the Whonix ™ Windows Installer.

Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over TLS, a very basic form of authentication. The argument for that is debatable. “It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server.” [4]

Option B) Therefore optionally the user might decide to skip the SignTool step and simplify as follows.

  1. Download and install Gpg4win.
  2. Import the developer’s GPG signing key into Gpg4win.
  3. Verify the Whonix ™ Windows Installer using Gpg4win.

The Gpg4win documentation also covers this subject.


[3]

This is being stated to avoid Whonix ™ getting blamed for this mess. Previously users put it this way:

I never had to verify any software. Why Whonix makes this more complicated than everyone else?

1 Like

Even less sure now about this. microsoft.com has not even an HSTS header.

No CAA policy, DNSSEC, Expect-CT

1 Like

It does.

curl --head https://www.microsoft.com/en-us/ does

Also, Hardenize Report: microsoft.com

gpg4win doesn’t have one though.

Hardenize: Comprehensive web site configuration test is worse.
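
An added example, not part of the original thread: the Strict-Transport-Security header is sent per response, so a `curl --head` check is more reliable when it follows redirects and classifies every response in the chain. The function name, the one-year threshold and the example.org sample headers are constructed for illustration and were not captured from any real site.

```shell
#!/bin/sh
# Added example (not from the thread): report the HSTS policy of every
# response in `curl --silent --head --location URL` output read on stdin.
# The one-year minimum (min) is an assumption made by this example.
hsts_report() {
    awk -v min=31536000 '
    function emit() {
        if (status == "") return
        if (!seen)                 verdict = "missing"
        else if (maxage == "")     verdict = "invalid (no max-age)"
        else if (maxage + 0 == 0)  verdict = "disabled (max-age=0)"
        else if (maxage + 0 < min) verdict = "weak (max-age=" maxage ")"
        else verdict = "ok (max-age=" maxage (incl ? ", includeSubDomains" : "") ")"
        print status ": " verdict
        status = ""; seen = 0; maxage = ""; incl = 0
    }
    { sub(/\r$/, "") }                        # strip the CR of CRLF line ends
    /^HTTP\// { emit(); status = $2; next }   # status line opens a new response
    tolower($0) ~ /^strict-transport-security:/ {
        seen = 1
        v = tolower($0); sub(/^[^:]*:/, "", v)   # keep only the header value
        n = split(v, d, ";")                     # directives are ;-separated
        for (i = 1; i <= n; i++) {
            gsub(/[ \t"]/, "", d[i])
            if (d[i] ~ /^max-age=[0-9]+$/) maxage = substr(d[i], 9)
            if (d[i] == "includesubdomains") incl = 1
        }
    }
    END { emit() }
    '
}

# Constructed sample: a redirect without the header, then a page with it.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Location: https://www.example.org/en-us/

HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains

EOF
}

sample_headers | hsts_report
# Live use: curl --silent --head --location https://example.org/ | hsts_report
```
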

2 posts were split to a new topic: new wixl based Whonix Windows Installer 2022 Edition

Outdated forum thread. Newer discussion here:

Closing.