[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Whonix Signing Key

Hey everyone,

i am actually trying to verify the whonix workstation image during the signing key. i am using this tutorial here (https://www.whonix.org/wiki/Whonix_Signing_Key#Download_the_key)

At point 4 it says

( Verify it shows the following.

pub  4096R/2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/77BB3C48 2014-01-16 [expires: 2021-04-17] )

If i import the patrick.asc with the command (gpg --with-fingerprint patrick.asc)

it shows this (

pub  4096R/0x8D66066A2EEACCDA 2014-01-16 Patrick Schleizer <adrelanos@riseup.net>
      Key fingerprint = 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
sub  4096R/0x3B1E6942CE998547 2014-01-16 [expires: 2021-04-17]
sub  4096R/0x10FDAC53119B3FD6 2014-01-16 [expires: 2021-04-17]
sub  4096R/0xCB8D50BB77BB3C48 2014-01-16 [expires: 2021-04-17])

As you can see it is not the same. is this a problem with the image?

Edit by Patrick:
added code tags

That’s fine. Just the full Key fingerprint = 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA needs to be the same. The difference is caused by different gpg versions being used, long vs short gpg key fingerprints.

thank you for your fast reply. Now i have another question too.

Here (https://www.whonix.org/wiki/VirtualBox/Verify_the_virtual_machine_images_using_Linux) its says that i have to download the cryptographic signature corresponding to the virtual machine image (libvirt.xz archive) you want to verify and store it in the same folder as the virtual machine image. So which folder they mean? Something in the Workstation or out of it?

Your download folder. Up to you which one to use.

Donwload Folder in Whonix Workstation or on for example Windows?

If you download Whonix store the image in one folder and store the
signature in the same folder. Which folder does not really matter as
long you know in which folder you are storing it.

There is no “in Whonix-Workstation” at that stage. The idea is:

  • start your computer
  • install VirtualBox
  • download Whonix from whonix.org
  • download signatures also
  • gpg verify
  • import Whonix

ok, but at this point

Start kgpg, go to kgpg -> File -> Open Editor -> Signature
-> Verify Signature… -> Choose the downloaded cryptographic
signature (.asc).

i cannot choose the 2 files, which are on my harddrive through Whonix KGPG?

No, you cannot, because by the time you are doing the gpg verification, you do not have Whonix installed.

Also Whonix VMs do not have access to files outside of Whonix, nor would that be recommended.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]