Verification

On 2014-02-16, I downloaded the Gateway-7 image, adrelanos.asc key, and the .ova.asc signature using the download links on the Whonix wiki page.

Attempted to verify the image using gpg4win, which I downloaded just before the gateway image (I did read some of the wiki).

The key is dated 2014-02-16, gpg4win said the gateway image was signed 2013-10-10 by an unavailable public certificate.

At about 0630 UTC 2014-02-18, I downloaded the signature again hoping that it had been updated; no joy.

Are the signatures incorrect for the version 7 images or am I doing something wrong? And yes, I understand the problems with Windows - just wanted to try out the software. If it works for me, it will be hosted on Solaris or Linux.

Sorry, we recently updated that page. The mistake has now been corrected. The needed key is now linked here:

(A new gpg key signed the message, but we forgot to link the old one.)

I believe there is a misunderstanding. The new key is present on the download page. The images appear to have been signed with the old key so the signatures are out of date.

Images are indeed signed with the old key. New images will be signed with the new key. I wouldn’t call that out of date.

Now, well, one could suggest going back and re-signing existing releases. Not sure if that is a good use of time.

There are two keys, the OLD one from Adrelanos and the NEW one (Patrick Schleizer).
New: 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
Old: 9B157153925C303A42253AFB9C131AD3713AAEEF

But if you try to verify, you have to use cmd.exe to check it, only this will work fine.
If you use gpg4win Kleopatra, you will get an error, like below:

Signed by unknown zertificate.
0x6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48

I don't know why, I do not know the reason, but I tried it this way and in cmd.exe it works fine in Windows.

I am apparently missing something important out of ignorance. The first time I visited the Whonix site was 2/16 when I downloaded the version 7 image, image signatures, and adrelanos key (dated 2/16). How does a new user download and verify the images linked on the wiki download page?

I’m assuming the key used to sign the images is no longer valid, but in any case, it doesn’t appear available to new visitors.

I showed up at the site based upon a LinuxFormat article so you may have several new visitors like me.

What am I missing? From my limited understanding, it makes no sense to present signatures that can’t be verified by the available key.
Is the new key somehow linked to the old key?

[quote=“CoinMiner, post:5, topic:81”]If you use gpg4win Kleopatra, you will get an error, like below:

Signed by unknown zertificate.
0x6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48[/quote]
Please post a screenshot.

The plan is:
1) user sees Download Whonix (FREE)
2) then clicks Whonix ™ Signing Key
3) then clicks https://www.whonix.org/wiki/Adrelanos
4) then sees “Old Key (Signed Whonix 7)”
5) copy and paste that key into a file
6) imports that key

[quote]I'm assuming the key used to sign the images is no longer valid[/quote]
It hasn't been revoked.
[quote]but in any case, it doesn't appear available to new visitors.[/quote]
It's here: https://www.whonix.org/wiki/Adrelanos#Old_Key_.28Signed_Whonix_7.29
[quote]Is the new key somehow linked to the old key?[/quote]
There is a key transition message (https://www.whonix.org/wiki/Adrelanos#Key_Transition) signed by both, my old key and my new key, i.e. there is a message signed with my old key, that I've now got a new key. So there is proof, that it's the same person.
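
Added example, not part of the thread or Whonix's own tooling: a Python check that reads GnuPG's machine-readable `--status-fd` output and tells "signing key not imported" (the situation in the first post) apart from a bad signature or a valid signature from a key other than the pinned one. The two fingerprints are the ones quoted above; the status lines, key ID and subkey fingerprint are constructed samples.

```python
# Added example: classify `gpg --status-fd 1 --verify FILE.asc FILE` output.
PREFIX = "[GNUPG:] "
# Fingerprints as quoted in this thread.
OLD_KEY = "9B157153925C303A42253AFB9C131AD3713AAEEF"  # signed Whonix 7
NEW_KEY = "916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"
# Worst outcome wins, so one good signature cannot mask a failing one.
SEVERITY = ["ok", "missing-key", "wrong-key", "bad-signature"]

def classify(status_text, pinned_fpr):
    """Return 'ok', 'missing-key', 'wrong-key', 'bad-signature' or 'no-signature'."""
    pinned = pinned_fpr.replace(" ", "").upper()
    seen = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # skip human-readable text; only status lines are parsed
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "BADSIG":
            seen.append("bad-signature")
        elif tag == "NO_PUBKEY":
            seen.append("missing-key")  # key must be imported before verifying
        elif tag == "VALIDSIG" and args:
            # First field is the signing (sub)key; the tenth, when present,
            # is the primary key fingerprint, which is what gets pinned.
            primary = args[9] if len(args) >= 10 else args[0]
            seen.append("ok" if primary.upper() == pinned else "wrong-key")
    # Fail closed: no recognised status line means nothing was verified.
    return max(seen, key=SEVERITY.index) if seen else "no-signature"

# Constructed sample inputs (key ID and subkey fingerprint are made up).
KEYID = "0123456789ABCDEF"
SUBKEY = "0" * 24 + KEYID
MISSING = f"""[GNUPG:] NEWSIG
[GNUPG:] ERRSIG {KEYID} 1 10 00 1381363200 9
[GNUPG:] NO_PUBKEY {KEYID}"""
VALID = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {KEYID} Constructed Signer
[GNUPG:] VALIDSIG {SUBKEY} 2013-10-10 1381363200 0 4 0 1 10 00 {OLD_KEY}"""
BAD = f"[GNUPG:] BADSIG {KEYID} Constructed Signer"

if __name__ == "__main__":
    for name, text in (("missing", MISSING), ("valid", VALID), ("bad", BAD)):
        print(name, "->", classify(text, OLD_KEY))
```

Because the pinned value is the primary key fingerprint, a signature made by a subkey reports a different signing-key ID than the fingerprint published on the key page and still classifies as `ok`.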