Whonix Signing Key

Hey everyone,

I am actually trying to verify the Whonix workstation image using the signing key. I am using this tutorial here (Whonix ™ Signing Key)

At point 4 it says

( Verify it shows the following.

pub  4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/77BB3C48 2014-01-16 [expires: 2021-04-17] )

If I import the patrick.asc with the command (gpg --with-fingerprint patrick.asc)

it shows this (

pub  4096R/0x8D66066A2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/0x3B1E6942CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/0x10FDAC53119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/0xCB8D50BB77BB3C48 2014-01-16 [expires: 2021-04-17])

As you can see, it is not the same. Is this a problem with the image?

Edit by Patrick:
added code tags

That’s fine. Just the full Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA needs to be the same. The difference is caused by different gpg versions being used, long vs short gpg key fingerprints.
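The comparison described in this reply, as an added example that is not part of the original thread or of the Whonix documentation. It relies on the fact that for OpenPGP v4 keys the long key ID is the last 16 hex digits of the fingerprint and the short key ID the last 8; the function names are hypothetical, and the two listings are the `pub` and fingerprint lines quoted above.

```shell
#!/bin/sh
# Expected fingerprint, as quoted in the thread above.
EXPECTED_FPR="916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA"

# The two listings from the thread: short key ID (wiki) and long key ID (local gpg).
WIKI_LISTING='pub  4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA'
LOCAL_LISTING='pub  4096R/0x8D66066A2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA'

# Strip whitespace and an optional 0x prefix, upper-case the hex digits.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Fingerprint from a "gpg --with-fingerprint" listing, without spaces.
extract_fpr() {
    normalize_hex "$(printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p' | head -n 1)"
}

# Key ID printed on the "pub" line (short, or long with a 0x prefix).
extract_pub_keyid() {
    normalize_hex "$(printf '%s\n' "$1" | sed -n 's|^pub  *[^/]*/\([^ ]*\) .*|\1|p' | head -n 1)"
}

# Succeed only if the full fingerprint equals the expected one and the
# displayed key ID (8 or 16 hex digits) is the tail of that fingerprint.
# A matching key ID alone is never accepted.
check_listing() {
    fpr=$(extract_fpr "$1")
    keyid=$(extract_pub_keyid "$1")
    [ "$fpr" = "$(normalize_hex "$EXPECTED_FPR")" ] || return 1
    case ${#keyid} in 8|16) ;; *) return 1 ;; esac
    case $fpr in *"$keyid") return 0 ;; *) return 1 ;; esac
}

for listing in "$WIKI_LISTING" "$LOCAL_LISTING"; do
    check_listing "$listing" && echo "fingerprint OK, key ID $(extract_pub_keyid "$listing")"
done
```

Both listings pass because they carry the same 40-digit fingerprint; only the length of the displayed key ID differs.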

Thank you for your fast reply. Now I have another question too.

Here (https://www.whonix.org/wiki/VirtualBox/Verify_the_virtual_machine_images_using_Linux) it says that I have to download the cryptographic signature corresponding to the virtual machine image (libvirt.xz archive) you want to verify and store it in the same folder as the virtual machine image. So which folder do they mean? Something in the Workstation or out of it?

Your download folder. Up to you which one to use.

Download folder in Whonix Workstation or on, for example, Windows?

If you download Whonix, store the image in one folder and store the
signature in the same folder. Which folder does not really matter as
long as you know in which folder you are storing it.

There is no “in Whonix-Workstation” at that stage. The idea is:

  • start your computer
  • install VirtualBox
  • download Whonix from whonix.org
  • download signatures also
  • gpg verify
  • import Whonix

OK, but at this point

Start kgpg, go to kgpg -> File -> Open Editor -> Signature
-> Verify Signature… -> Choose the downloaded cryptographic
signature (.asc).

I cannot choose the 2 files, which are on my hard drive, through Whonix KGPG?

No, you cannot, because by the time you are doing the gpg verification, you do not have Whonix installed.

Also Whonix VMs do not have access to files outside of Whonix, nor would that be recommended.