Whonix 14 was released on August 6 but the signature was made much earlier, on May 12. Is everything correct here?

Question in the title.

Don’t know. Was it a good signature? You’re going to have to provide more information.

  • What command(s) did you run?
  • complete output of those command(s).
1 Like

Yes, it was a good signature.

I ran the command gpg --import patrick.asc and got the following output:

gpg: key 8D66066A2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

Then I ran the command gpg --verify-options show-notations --verify Whonix-Gateway-*.libvirt.xz.asc Whonix-Gateway-*.libvirt.xz and got this output:

gpg: Signature made Sat 12 May 2018 05:39:57 PM UTC
gpg:                using RSA key 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Good signature from "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg: Signature notation: issuer-fpr@notations.openpgp.fifthhorseman.net=6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: Signature notation: file@name=Whonix-Gateway-14.0.0.7.4.libvirt.xz
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
 Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48

And similar outputs for the Whonix-Workstation-*.libvirt.xz.asc, Whonix-Gateway-*.sha*.asc and Whonix-Workstation-*.sha*.asc.

Hi fwazwf4f8u

Everything looks good! It's a good signature and the fingerprint matches up. The Whonix images were created earlier than the release date. Nothing to worry about.

1 Like

These were released earlier as a testers-only version. After long enough testing and after finishing up Qubes-Whonix, this Whonix VirtualBox / KVM 14.0.0.7.4 was blessed stable without a new build and without a new signature.

https://tor.stackexchange.com/questions/17830/who-use-whonix-warning
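
An added example, not part of any post in this thread and not Whonix project code: the same checks the replies make by eye (good signature, expected primary key fingerprint, file@name notation matching the downloaded file), done over gpg's machine-readable `--status-fd` lines. The sample status text is constructed from the values quoted above, with the algorithm fields assumed; `check_status` and `PINNED_PRIMARY` are hypothetical names.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample of `gpg --status-fd 1 --verify ...` status lines, using the
# values quoted in the thread; the algorithm/version fields are assumed.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@riseup.net>
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net
[GNUPG:] NOTATION_DATA 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA Whonix-Gateway-14.0.0.7.4.libvirt.xz
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2018-05-12 1526146797 0 4 0 1 10 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
"""
PINNED_PRIMARY = "916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"  # from the thread's output


def check_status(status, pinned_primary, filename):
    """Return ok/signed_at/problems for one signature's status lines."""
    notations, name, primary, signed_at = {}, None, None, None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, _, rest = line[len("[GNUPG:] "):].partition(" ")
        if keyword == "NOTATION_NAME":
            name = rest
        elif keyword == "NOTATION_DATA" and name:
            # Data is percent-escaped and may be split over several lines.
            notations[name] = notations.get(name, "") + unquote(rest)
        elif keyword == "VALIDSIG":  # only emitted for a cryptographically good signature
            fields = rest.split()
            signed_at = datetime.fromtimestamp(int(fields[2]), tz=timezone.utc)
            primary = fields[9]  # last field: fingerprint of the primary key
    problems = []
    if primary is None:
        problems.append("no VALIDSIG line: signature is not good")
    elif primary != pinned_primary.replace(" ", "").upper():
        problems.append("signed by unexpected primary key " + primary)
    if notations.get("file@name") != filename:
        problems.append("file@name notation does not match " + filename)
    # signed_at is reported, not enforced: it can predate the release date.
    return {"ok": not problems, "signed_at": signed_at, "problems": problems}


if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS, PINNED_PRIMARY,
                       "Whonix-Gateway-14.0.0.7.4.libvirt.xz"))
```

The pinned fingerprint should come from a source other than the download itself, since a key imported alongside a tampered image would verify it just as cleanly.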