On 2014-02-16, I downloaded the Gateway-7 image, adrelanos.asc key, and the .ova.asc signature using the download links on the Whonix wiki page.
Attempted to verify the image using gpg4win which I downloaded just before the gateway image (I did read the some of the wiki).
The key is dated 2014-02-16, gpg4win said the gateway image was signed 2013-10-10 by an unavailable public certificate.
At about 0630 UTC 2014-02-18, I downloaded the signature again hoping that it had been updated; no joy.
Are the signatures incorrect for the version 7 images or an I doing something wrong? And yes, I understand the problems with Windows - just wanted to try out the software. If it works for me, it will be hosted on Solaris or Linux.
I am apparently missing something important out of ignorance. The first time I visited the Whonix site was 2/16 when I downloaded the version 7 image, image signatures, and adrenalos key(dated2/16). How does a new user download and verify the images linked on the wiki download page?
I’m assuming the key used to sign the images is no longer valid, but in any case, it doesn’t appear available to new visitors.
I showed up at the site based upon a LinuxFormat article so you may have several new visitors like me.
What am I missing? From my limited understanding, it makes no sense to present signatures that can’t be verified by the available key.
Is the new key somehow linked to the old key?
There is a key transition message (https://www.whonix.org/wiki/Adrelanos#Key_Transition) signed by both, my old key and my new key, i.e. there is a message signed with my old key, that I've now got a new key. So there is proof, that it's the same person.