Whonix Download Checksums and Archive

Dear Patrick,

Could we get some checksums published for the Whonix download files (both vm images & signatures)?

Like sha256 or above checksums.

Maybe published in the Whonix blog release announcements and/or Whonix download page.

Yes, I know signatures are better, but checksums would just help at times with the workflow of verifying that I at least got the files downloaded fully (downloads often fail over tor) and that I’m using the same unmodified original source files later on with re-installs, etc.

Fast and easy to do (built into Linux command line) when publishing new downloads, so I thought I’d request it.

Thank you, Patrick.

Edited by Patrick:
Changed title.

I created this file:

(And automated this for further releases.)

Does this suffice?
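The checksum file referred to above is not reproduced on this page. As an added example, not Whonix project code, here is a small checker for a list in the format that `sha256sum` writes (one `<hex digest>  <file name>` line per file, with `*` before the name for binary mode); that format, the file names and the file contents in the demo are all constructed assumptions.

```python
"""Check downloaded images against a sha256sum-style checksum list.

Added example, not Whonix project code. Assumes the list uses the format
written by `sha256sum`. File names and contents in demo() are constructed.
"""
import hashlib
import os
import tempfile


def parse_sha256sums(text):
    """Return {filename: hexdigest} from sha256sum-formatted text."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip()
        if name.startswith("*"):      # "*" marks binary mode in sha256sum output
            name = name[1:]
        if len(digest) != 64 or not name:
            raise ValueError("malformed checksum line: %r" % raw)
        sums[name] = digest.lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(sums_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_sha256sums(sums_text).items():
        # basename(): a hostile list must not steer us outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"   # truncated download, bit rot or edit
    return results


def demo():
    """Constructed scenario: one good image, one truncated download, one absent."""
    tmp = tempfile.mkdtemp()
    good = b"A" * 3000
    with open(os.path.join(tmp, "Whonix-Gateway-7.ova"), "wb") as f:
        f.write(good)
    with open(os.path.join(tmp, "Whonix-Workstation-7.ova"), "wb") as f:
        f.write(good[:-1])   # download that stopped one byte short
    digest = hashlib.sha256(good).hexdigest()
    sums = (
        "%s  Whonix-Gateway-7.ova\n"
        "%s *Whonix-Workstation-7.ova\n"
        "%s  Whonix-Gateway-7.ova.asc\n" % (digest, digest, "0" * 64)
    )
    return verify_downloads(sums, tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-30s %s" % (name, status))
```

A matching digest only proves that the local copy equals what the list says, which is exactly the partial-download and bit-rot case described above; it says nothing about tampering unless the list itself arrived over a trusted channel or is signed, which is why the thread keeps the GPG signatures as the real check.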

Thanks Patrick. That works well.

Although, it would also be great if these checksums were published on a Whonix webpage or blog post.

The reason is that an official public historical record of these checksums could then be established by third party web archiving sites (like Archive.org, etc).

Then, for future integrity/security audits from the public, it would be a simple way to help establish that much more public trust, to verify that the source Whonix files aren’t being tampered with over time (either internally by you, or externally via third parties, or by bit rot data corruption, etc).

So publishing the checksums publicly on a Whonix HTML webpage would be the only other recommendation I’d have, so they could be publicly archived for any historical analysis in the future (like how the TrueCrypt project is being audited right now).

Thanks again, Patrick.

Thank you for caring about this.

For history analysis, wouldn’t the gpg signatures be enough?

Adding the checksums to a blog post makes the blog post unnecessarily bigger. Adding them to a wiki page would be another step, a burden, that has to be done every release. I need to keep the burden (anti motivation to make releases) low and need really good reasons for doing this extra work. In any case, if there is a volunteer who copies the contents of the checksums file to their own wiki page(s), I am fine with that.

Unless there is a really good reason, most times it’s best to stick with proven secure ways of doing things. Are there any other security focused projects, that publish checksums in a blog post or archive them on a website?

Also, history analysis is difficult with images that size. Sourceforge has never complained about traffic or file sizes yet, but non-important releases such as the testers-only releases and old releases get purged, and sourceforge prefers this. I don’t want to push it. whonix.org’s download mirrors also prefer not carrying obsolete releases around.

Each and every little change to Whonix’s source code is being recorded in Whonix’s git repository, going back to TorBOX (old project name) 0.1.3. Releases are git tagged. Git tags are gpg signed as well. Once someone has cloned Whonix’s git repository, all old tags will remain unchanged forever (unless one deliberately deletes them oneself). It’s not within the Whonix git administrators’ power to delete git tags someone has already downloaded by changing the git repository. (That’s how git works by default.) And one can stay up to date by running “git fetch” every now and then. Since keeping history (and auditing) is better done by someone who isn’t affiliated with the project, I don’t think there is anything I could do about it. You’re encouraged to keep all versions of Whonix’s source code. (Ways to Contribute)
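The two checks the thread relies on, the detached `.ova.asc` signatures on the images and the gpg-signed release tags in git, are both plain gpg verifications, and both have the same trap: gpg reports a good signature for any key that happens to be in the keyring, so a checker must also pin the signer’s fingerprint. The following is an added example, not Whonix project code; it reads gpg’s machine-readable status lines (`--status-fd`, and `git verify-tag --raw`, which forwards those lines) rather than the localized “Good signature” text. The fingerprint constant is a placeholder for the real signing key, and the sample status output is constructed so the parser can be exercised without gpg installed.

```python
"""Verify a detached OpenPGP signature or a signed git tag, pinning the signer.

Added example, not Whonix project code. EXPECTED_FPR is a placeholder; the
SAMPLE_* status texts are constructed to mimic gpg --status-fd output.
"""
import subprocess

# Placeholder: replace with the fingerprint you verified out of band.
EXPECTED_FPR = "0000000000000000000000000000000000000000"

FAILURE_KEYWORDS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                    "EXPKEYSIG", "REVKEYSIG")


def parse_gpg_status(status_text, expected_fpr):
    """Return (ok, reason) from gpg --status-fd output.

    GOODSIG is emitted for any key in the keyring, so checking only for it
    accepts a signature from any key the user ever imported. VALIDSIG carries
    the full fingerprint of the signing key and (as its last field) of the
    primary key; the expected fingerprint must match one of them.
    """
    good = False
    fingerprints = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fingerprints.append(fields[2].upper())      # signing (sub)key
            if len(fields) >= 12:                        # primary key fpr present
                fingerprints.append(fields[11].upper())
    if not good:
        return False, "no GOODSIG"
    if expected_fpr.replace(" ", "").upper() not in fingerprints:
        return False, "signed by unexpected key"
    return True, "ok"


def gpg_verify_detached(sig_path, data_path, expected_fpr=EXPECTED_FPR):
    """Verify e.g. Whonix-Gateway-8.ova.asc against Whonix-Gateway-8.ova."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_gpg_status(proc.stdout, expected_fpr)


def git_verify_tag(tag, repo=".", expected_fpr=EXPECTED_FPR):
    """Verify a signed release tag; --raw makes git emit gpg status lines on stderr."""
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return parse_gpg_status(proc.stderr, expected_fpr)


# Constructed sample status output (no gpg needed to run the demo).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1234567890ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG " + "0" * 40 + " 2014-01-01 1388534400 0 4 0 1 10 01 "
    + "0" * 40 + "\n"
    "[GNUPG:] TRUST_ULTIMATE\n"
)
# Same signature structure, but made by a different key that is also trusted.
SAMPLE_WRONG_KEY = SAMPLE_GOOD.replace("0" * 40, "F" * 40)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 1234567890ABCDEF Example Signer <signer@example.org>\n"
)

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("wrong key", SAMPLE_WRONG_KEY),
                        ("bad", SAMPLE_BAD)):
        print(label, parse_gpg_status(text, EXPECTED_FPR))
```

For a fresh clone the workflow is `git fetch --tags`, then `git_verify_tag("8")` (or whatever the release tag is called) with the pinned fingerprint; the status parser is the same one used for the image signatures, so a single expected fingerprint covers both the binaries and the source tag they were built from.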

Dear Patrick,

I agree that unaffiliated personal copies of Whonix’s history are semi-important, which I personally do as well. However, having official original sources of information be archived by trustworthy public archiving systems, like Archive.org, is most important for establishing a better historical chain of public integrity and trust, since any private archive of Whonix information/files/source/etc could be modified by the private archiver.

I did some deeper checking throughout the Whonix website.

Things look pretty good since we have the following:

However, there are a couple issues that I’d note.

The Verifiable Builds page says:

“When building Whonix .ova’s from source code, for example /home/user/whonix_binary/Whonix-Gateway-7.ova also report /home/user/whonix_binary/Whonix-Gateway-7.report file will be created.”

“Anyone building Whonix.ova images will hopefully end up with the same report. We can then compare the reports using tools such as diff and/or meld. Those reports should be very similar. We can’t end up with the very same reports, because again, there are no deterministically built operating systems yet. However, we can manually review the few remaining differences. That should make it reasonable to believe that the original Whonix.ova images have been built from the source code that has been published for that Whonix version.”

It would be good to get a published copy of those .report files online with the binary image files that everyone is using. Again, preferably on an HTML/TXT Whonix page/post, so that it can be archived via public archiving sites. Maybe these .report files are already being published somewhere I missed? But, if I’m understanding correctly, it seems that these .report files are the key to ensuring verifiable builds. It’d be good to offer those publicly somehow then (ideally via an HTML/TXT archivable page).

Assuming their importance for verifying the source code integrity of the binary builds…

Are these .report files published already? Could they be?

Another minor issue is that the GPG Signatures are in Robots.txt blocked text files in the /download/ directory of the Whonix server. This Robots.txt condition causes Archive.org to fail when attempting to archive them…

https://web.archive.org/save/https://www.whonix.org/download/current/7-sig/Whonix-Gateway-7.ova.asc

https://web.archive.org/save/https://www.whonix.org/download/current/7-sig/Whonix-Workstation-7.ova.asc

Maybe making a signatures sub-directory and allowing Robots.txt access to it could be done, so that these important signatures could be publicly archived by Archive.org?

Also, to off-load most of these things from you, I would personally be willing to make some regular posts to the Wiki, in an appropriate place, of any important historical verification information like this, including signatures, checksums, .report files, etc, and then also ensure that it gets publicly archived. I’d just need to know the right place to publish it to.

Maybe a page like: Placing Trust in Whonix

Thanks Patrick.

The Verifiable Builds page says:

“When building Whonix .ova’s from source code, for example /home/user/whonix_binary/Whonix-Gateway-7.ova also report /home/user/whonix_binary/Whonix-Gateway-7.report file will be created.”

“Anyone building Whonix.ova images will hopefully end up with the same report. We can then compare the reports using tools such as diff and/or meld. Those reports should be very similar. We can’t end up with the very same reports, because again, there are no deterministically built operating systems yet. However, we can manually review the few remaining differences. That should make it reasonable to believe that the original Whonix.ova images have been built from the source code that has been published for that Whonix version.”

It would be good to get a published copy of those .report files online with the binary image files that everyone is using. Again, preferably on an HTML/TXT Whonix page/post, so that it can be archived via public archiving sites. Maybe these .report files are already being published somewhere I missed? But, if I’m understanding correctly, it seems that these .report files are the key to ensuring verifiable builds. It’d be good to offer those publicly somehow then (ideally via an HTML/TXT archivable page).

Assuming their importance for verifying the source code integrity of the binary builds…

Are these .report files published already? Could they be?


That’s not how verifiable builds work. The auditor must create a report of the official binary images and a report of their own image. If the Whonix official builder (currently me) uploaded the report, you couldn’t be sure it’s legit. In case of build machine compromise or malicious intent, the Whonix official builder would also upload a report that looks clean, therefore rendering the official report worthless. Think of the report as the detailed analysis the auditor has to do to be able to catch backdoors.

Another minor issue is that the GPG Signatures are in Robots.txt blocked text files in the /download/ directory of the Whonix server. This Robots.txt condition causes Archive.org to fail when attempting to archive them…

https://web.archive.org/save/https://www.whonix.org/download/current/7-sig/Whonix-Gateway-7.ova.asc

https://web.archive.org/save/https://www.whonix.org/download/current/7-sig/Whonix-Workstation-7.ova.asc

Maybe making a signatures sub-directory and allowing Robots.txt access to it could be done, so that these important signatures could be publicly archived by Archive.org?


We don’t want the www.whonix.org/download/ link on search engines, since we can’t publish images at that location for size and traffic reasons. However, all signatures are always mirrored on mirror.whonix.org. You could archive http://mirror.whonix.org/8/Whonix-Gateway-8.ova.asc. Does that suffice?

Also, to off-load most of these things from you, I would personally be willing to make some regular posts to the Wiki, in an appropriate place, of any important historical verification information like this, including signatures, checksums, .report files, etc, and then also ensure that it gets publicly archived. I'd just need to know the right place to publish it to.

Maybe a page like: Placing Trust in Whonix


That’d be good. Created an empty page. Please go ahead.

Ok, I will have to study this issue some more and re-check my assumptions.

Sounds good. That should be fine.

Great. I will get working on gathering and formatting the content for this page. Thanks Patrick!