[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Verifying the Downloaded .ova Files

Atm i am experiencing errors verifying the whonix downloads on a Windows 7 PC.
I am doing it following the instructions using Cleopatra but am getting the error message that there is not enough information to correctly verify the files.
Are there any other windows users in here experiencing the same problems?
Other distros i am downloading using md5sum verifications are working fine so i thought maybe there is something wrong with the signatures?

Then you most likely did not import Whonix’s signing key.

See also:
https://www.whonix.org/wiki/Verify_the_virtual_machine_images_using_other_operating_systems

Other distros i am downloading using md5sum verifications are working fine so i thought maybe there is something wrong with the signatures?
md5 is not very safe.

Patrick, I’m having the same problem: I imported the Whonix key; after issuing the command
gpg --fingerprint 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
I get
pub 4096R/2EEACCDA 2014-01-16 [expires: 2015-01-16]
Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
uid Patrick Schleizer adrelanos@riseup.net
sub 4096R/CE998547 2014-01-16 [expires: 2015-01-16]
sub 4096R/119B3FD6 2014-01-16 [expires: 2015-01-16]
sub 4096R/77BB3C48 2014-01-16 [expires: 2015-01-16]

However, when doing Decript & Verify I get the same error

There is nothing to decrypt. Just verify.

And please post the exact error message should this persist.

Verify; so I right-click on Whonix-Gateway-8.2.ova.asc and I choose Verify; at the end, I get:
Whonix-Gateway-8.2.ova.asc: Not enough information to check signature validity.

Signed on 2014-04-13 06:52 with unknown certificate
0x63979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
The validity of the signature cannot be verified.

Is there a way to send you a zip file containing a recording of my steps? I don’t seem to have the rights to add an attachment…
Thanks!

Using kleopatra is really cumbersome. As long as the signing key is only listed under “other certificates” in kleopatra you will get this warning. It needs to be moved to “trusted certificates”. To do that, you need to create your own OpenPGP key first (kleopatra -> File -> New Certificate). To sign the singing key, right click on the signing key and click “Certify Certificate”. A local signature suffices.

Rather than.

Signed on 2014-04-13 06:52 with unknown certificate 0x63979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 The validity of the signature cannot be verified.

You’ll then get.

Signature valid. Signed on 2014-04-13 06:52 with unknown certificate 0x63979B28A6F37C43BE30AFA1CB8D50BB77BB3C48

Which is a bug in kleopatra which they have not fixed since 2011:
https://bugs.kde.org/show_bug.cgi?id=287145

Long story short:
due to the cumbersomeness of kleopatra, I do not recommend using it.

I think you’re better off using gpg command line. Instructions similar to:

Hi, I have used kleopatra quite a bit and can navigate it fine. I am having trouble verifying the OpenPGP signatures with patrick’s key. I have imported aand certified it multiple times. I have also redownloaded the openpgp signatures multiple times using each method, and even different browsers. Every time I right click patrick.asc, then follow it with the Whonix-Gateway-9.6.ova.asc I get an error with a yellow bar rather than green/red that says: Verification failed: General error. Can you tell me how to get around this?

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]