I am verifying the Whonix Linux Installer bash script. I imported the GPG key first following the instructions from the wiki using the Debian procedure. I could successfully verify the Virtualbox image. Although when verifying the dist-installer-cli
using option B with
gpg --verify-options show-notations --verify dist-installer-cli.asc dist-installer-cli
I get a bad signature:
gpg: Signatur vom Do 11 Jän 2024 11:57:15 CET
gpg: mittels RSA-Schlüssel 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: FALSCHE Signatur von "Patrick Schleizer <adrelanos@kicksecure.com>" [unbekannt]
I tried to download multiple times on different days - no success.
I also tried to verify with signify (installed the package and downloaded the appropriate signify key)
signify-openbsd -C -p derivative.pub -x dist-installer-cli.sig dist-installer-cli
Again, I get a bad signature:
signify-openbsd: signature verification failed
Am I missing something?