Version 8.2 Bad Signature

Attempted to verify both gateway and workstation for version 8.2 on the whonix website, claims both are bad? Are the signatures old?

The signatures in this specific case do not have an expiration date set, so they can't be old.

Just downloaded and verified myself - no error.

Perhaps you have a host antivirus software that disrupted the download? Host hdd failure? Mirror error? Transmission error? Could be anything. I suggest downloading it and trying again.

Also posting the error message would be helpful should this error persist.

No antivirus software disrupted it. I downloaded both again and checked in both GNU and Kleopatra. In GNU it simply says the signature is bad. In Kleopatra it says not enough information to check signature validity, the validity of the signature cannot be verified.

I guess you’re best off copying and pasting the exact error message / screenshot. Otherwise we’re likely talking past each other.

These are quite different things.

This…

In Kleopatra it says not enough information to check signature validity, the validity of the signature cannot be verified.
Equals https://www.whonix.org/w/images/d/d9/Kleopatra_not_enough_information_to_check_signature_validity.png ?

If yes, it would equal.

gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.

On Verify Virtual Machine Images on Linux it says:

This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in Whonix signing key and the web of trust. To remove this warning you would have to personally sign Whonix signing key with your own key.

The gateway image (Whonix-Gateway-8.2.ova) cannot be verified with the provided key (patrick.asc), and neither can it be verified with the old key (adrelanos.asc) that was used for previous versions, e.g. Whonix-Gateway-7.ova.

I’ve downloaded on different machines on different networks. Always the same result:

“Signed on 2014-04-13 15:52 with unknown certificate 0x6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48. The validity of the signature cannot be verified.”

MITM or bad files on the server? Location: http://mirror.whonix.de/8.2/Whonix-Gateway-8.2.ova

File: Whonix-Gateway-8.2.ova
CRC-32: 3c3c11a8
MD4: 23ab7d1938577bf2cd3e8037e7d584b3
MD5: 711c12170521202ebe6bb2cd6a530b0d
SHA-1: b249d73bc04753f7a75475ebe2f0a545448461cf

Anyone?


gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.

On Verify Virtual Machine Images on Linux it says:

This doesn't alter the validity of the signature according to the key you downloaded. This warning rather has to do with the trust that you put in Whonix signing key and the web of trust. To remove this warning you would have to personally sign Whonix signing key with your own key.

And if you do not believe me, good! Try to verify some other gpg signed messages and/or files that have nothing to do with Whonix. I guess you will always get the same warning. And you will stop getting this warning as soon as you understand how gpg trusts keys and how to add trust to a key.

0x6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48

This is exactly my key.

gpg --fingerprint 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
pub   4096R/2EEACCDA 2014-01-16 [expires: 2015-01-16]
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
uid       [ unknown] Patrick Schleizer <adrelanos@riseup.net>
sub   4096R/CE998547 2014-01-16 [expires: 2015-01-16]
sub   4096R/119B3FD6 2014-01-16 [expires: 2015-01-16]
sub   4096R/77BB3C48 2014-01-16 [expires: 2015-01-16]

SHA-1: b249d73bc04753f7a75475ebe2f0a545448461cf
This is correct.

sha1sum Whonix-Gateway-8.2.ova
b249d73bc04753f7a75475ebe2f0a545448461cf  Whonix-Gateway-8.2.ova

So why doesn’t it say “Signed on xxxx-xx-xx xx:xx by (Key ID: xxxxxxxxxx)” as it usually always does? The key was previously imported into Kleopatra hence it can’t be an “unknown certificate”. Untrusted yes, but not unknown.

It’s not about the warning (“Not enough information to check signature validity”). It’s about the unusual “Signed by” message.

What I always got so far (not only Whonix):
“Signed on xxxx-xx-xx xx:xx by (Key ID: xxxxxxxxxx)”

What I got now with Whonix 8.2 (and with no other package previously, including Whonix 7 and 8):
“Signed on 2014-04-13 15:52 with unknown certificate 0x6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48”

If that’s the fingerprint of your key, fine. Unfortunately Kleopatra doesn’t show this under “Certificate Details”. It gives the fingerprint as 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA.

Most likely because the key is not known to Kleopatra? Are you sure you have it imported? Kleopatra seems to cause more confusion than gain. With command line tools, you can copy and paste commands to diagnose the situation, then make conclusions about the cause. With GUI applications it’s difficult without seeing screenshots of the relevant parts.

I guess the gpg command line tools are still the most usable option, given gpg’s awful general usability.

We could use some better documentation for Verify Virtual Machine Images in Other Operating Systems - perhaps with screenshots for each step.
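As an added illustration of the command-line diagnosis suggested above (this is example code written for this page, not code from the thread, from Whonix or from GnuPG), the script below reads the machine-readable output gpg produces with `--status-fd` and tells the three situations apart that the thread keeps conflating: a genuinely bad signature (BADSIG), a signature by a key that is not in the keyring (ERRSIG/NO_PUBKEY), and a good signature whose key merely has no trust assigned (VALIDSIG followed by TRUST_UNDEFINED, which is what the "not certified with a trusted signature" warning corresponds to). It also maps the signing subkey fingerprint that gpg and Kleopatra report (6E97...77BB3C48) back to the primary key fingerprint shown under "Certificate Details" (916B...2EEACCDA) using a `--with-colons` key listing. The status lines and key listing are constructed samples modelled on the fingerprints quoted in the thread; the 16-digit subkey ID CB8D50BB77BB3C48, the 2014 timestamps and the omission of the two other subkeys are assumptions, not data from the thread.

```python
"""Classify a gpg verification from its --status-fd output (added example).

Real inputs come from:
    gpg --status-fd 1 --verify Whonix-Gateway-8.2.ova.asc Whonix-Gateway-8.2.ova
    gpg --with-colons --list-keys --with-subkey-fingerprints 77BB3C48
The samples below are constructed, modelled on the key discussed in the thread.
"""

# Constructed --with-colons listing: field 1 is the record type, field 10 of an
# 'fpr' record is the full fingerprint of the preceding 'pub' or 'sub' record.
# The subkey key ID (assumed) is the last 16 hex digits of its fingerprint.
KEYLIST = """\
pub:-:4096:1:8D66066A2EEACCDA:1389830400:1421366400::-:::scESC::::::::
fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:
uid:-::::1389830400::0000000000000000000000000000000000000000::Patrick Schleizer <adrelanos@riseup.net>::::::::::0:
sub:-:4096:1:CB8D50BB77BB3C48:1389830400:1421366400:::::s::::::::
fpr:::::::::6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48:
"""

# Constructed status lines for the three cases (timestamps assumed).
STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2014-04-13 1397404320 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
"""
STATUS_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CB8D50BB77BB3C48 1 10 00 1397404320 9 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
[GNUPG:] NO_PUBKEY CB8D50BB77BB3C48
"""

TRUST_KEYWORDS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_keylist(colons: str) -> dict:
    """Map every fingerprint (primary and subkey) to its primary fingerprint."""
    fpr_to_primary = {}
    primary = None
    pending = None  # 'pub' or 'sub' whose fpr record comes next
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            pending = fields[0]
        elif fields[0] == "fpr" and pending is not None:
            fpr = fields[9]
            if pending == "pub":
                primary = fpr
            if primary is None:
                raise ValueError("subkey fingerprint before any primary key")
            fpr_to_primary[fpr] = primary
            pending = None
    return fpr_to_primary


def diagnose(status: str, fpr_to_primary: dict) -> dict:
    """Return verdict, signing/primary fingerprints and trust for one signature.

    verdict is one of: 'bad', 'no_pubkey', 'good_untrusted', 'good_trusted',
    'unverified'. A good signature stays 'good_untrusted' unless gpg reports
    TRUST_FULLY or TRUST_ULTIMATE, i.e. you certified the key yourself.
    """
    result = {"verdict": "unverified", "signing_fpr": None,
              "primary_fpr": None, "trust": None}
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        kw = parts[1]
        if kw == "BADSIG":
            result["verdict"] = "bad"
        elif kw == "NO_PUBKEY":
            result["verdict"] = "no_pubkey"
        elif kw == "ERRSIG" and len(parts) > 8:
            result["signing_fpr"] = parts[8]  # fingerprint is the 7th field
        elif kw == "GOODSIG" and result["verdict"] == "unverified":
            result["verdict"] = "good_untrusted"
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pk> <hash> <class> [<primary-fpr>]
            result["signing_fpr"] = parts[2]
            result["primary_fpr"] = (parts[11] if len(parts) > 11
                                     else fpr_to_primary.get(parts[2]))
            result["verdict"] = "good_untrusted"
        elif kw in TRUST_KEYWORDS:
            result["trust"] = kw
            if result["verdict"].startswith("good"):
                trusted = kw in ("TRUST_FULLY", "TRUST_ULTIMATE")
                result["verdict"] = "good_trusted" if trusted else "good_untrusted"
    # Cross-check gpg's claim about the primary key against the keyring listing.
    if result["signing_fpr"] and result["primary_fpr"]:
        listed = fpr_to_primary.get(result["signing_fpr"])
        result["primary_matches_keyring"] = listed == result["primary_fpr"]
    return result


if __name__ == "__main__":
    keymap = parse_keylist(KEYLIST)
    for name, status in (("good/untrusted", STATUS_GOOD_UNTRUSTED),
                         ("bad", STATUS_BAD), ("no pubkey", STATUS_NO_PUBKEY)):
        print(name, diagnose(status, keymap))
```

The point of the cross-check is the one the thread ends on: a "Signed with 0x6E97...77BB3C48" message names the signing subkey, so the fingerprint Kleopatra shows for the certificate (the primary key) will never match it character for character; resolving the subkey through the keyring listing is how you confirm they belong together.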

The certificate from patrick.asc was imported into Kleopatra and is visible under “Other Certificates”. Same as all other untrusted ones. Therefore the unusual “signed by” message claiming an “unknown certificate” and not showing the email address raised a flag.