Whonix Linux Installer bash script signature verification failure

n30 · February 6, 2024, 10:50am

I am verifying the Whonix Linux Installer bash script. I imported the GPG key first following the instructions from the wiki using the Debian procedure. I could successfully verify the Virtualbox image. Although when verifying the dist-installer-cli using option B with

gpg --verify-options show-notations --verify dist-installer-cli.asc dist-installer-cli

I get a bad signature:

gpg: Signatur vom Do 11 Jän 2024 11:57:15 CET
gpg:                mittels RSA-Schlüssel 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: FALSCHE Signatur von "Patrick Schleizer <adrelanos@kicksecure.com>" [unbekannt]

I tried to download multiple times on different days - no success.

I also tried to verify with signify (installed the package and downloaded the appropriate signify key)

signify-openbsd -C -p derivative.pub -x dist-installer-cli.sig dist-installer-cli

Again, I get a bad signature:

signify-openbsd: signature verification failed

Am I missing something?

Patrick · February 9, 2024, 12:15pm

Signature was outdated on the server due to a bug in the upload script as a result of very few people using this method of verification not noticed. Now fixed.

Signify command is wrong. This works now:

signify-openbsd -Vp keyname.pub -m dist-installer-cli

n30 · February 9, 2024, 2:19pm

Thank you! Verifying the signature with GPG shows correct signature now with the correct fingerprint.