Whonix Warrant Canary

Actually it looks good now. +1

Can something be learned from…


Related: riseup.net likely compromised

At time of writing, Whonix warrant canary is valid. However, it’s time to address some issues that recently came to mind.

Problem: Potential Maintenance Lapses:

  • Re-signing the canary might happen too late. Didn’t happen yet. Pretty unlikely as I usually do this whenever I re-sign the repository. And re-signing can be done at any point within the 4-week period to restart the 4-week period.
  • There is no indication at the moment whatsoever that this might happen, but it’s possible that in the future, due to medical issues or an accident, I might be unable to re-sign the canary for a period of 4 weeks or longer. Should that ever happen, that should not forever shed doubt on the project. At least no more than unavoidable.

Solution: Healing Warrant Canary

  • A passage could be added to the warrant canary stating that future signatures can heal previous maintenance lapses.

Recommended User Action in Case of Warrant Canary Issues:

Warrant Canary Issues could be:

  • Canary signature expired. (No new signature was created within 4 weeks after the last signature.)
  • Canary disappeared.

Recommended User Action in Case of Warrant Canary Issues:

  • Disable Whonix repository.
  • Stop downloading Whonix releases.
  • Monitor situation.
  • Organize community in another place.

Enumerating Whonix project infrastructure we care about and in what circumstances its trustworthiness would be necessary:

1) whonix.org server related:

However, even if whonix.org server was under complete surveillance, that would not wreck the functionality of the Whonix software.

2) Whonix software related:

  • Users downloading Whonix images, not doing digital signature verification. These should not get compromised.
  • Users downloading Whonix images, doing digital signature verification. These should not get compromised.
  • Users upgrading Whonix using the package manager. These should not get compromised.
  • Users downloading Whonix source code (doing or not doing digital signature verification). These should not get compromised.
  • That is, in case there was some legal order to backdoor Whonix, and/or to sign backdoored Whonix and/or to turn over signing keys.


  • Whonix software is much more important than whonix.org website.

Possible Solutions:

  • A) Either make two sections in the canary. One for whonix.org server
    and one for Whonix software. In case of a legal threat, drop one
    section. That, however, seems very experimental legal-wise.
  • B) Exclude whonix.org server as long as Whonix software is free of

Canary re-wording consideration:

Change from

  1. No warrants have ever been served on the Whonix Project;
    for example, to hand out the private signing keys or to introduce


Definition “artifact”: Whonix software, Whonix downloads, Whonix source code

  • The Whonix Project has never added any backdoor to any artifact.
  • The Whonix Project has never turned over any signing key.
  • The Whonix Project has never knowingly signed any artifact containing any backdoor.
  • The Whonix Project has never weakened, compromised, or subverted any of its cryptography.

Bad idea upon reflection.

Probably going for it.

Draft - https://www.whonix.org/wiki/Dev/Warrant_Canary_Draft

Was modified:

Giving more time for comments and if there are no major issues, going to change the actual canary.


Warrant Canary Draft wording was updated to include both Kicksecure and Whonix.

