{{Header}} {{Title|title= Verify Virtual Machine Images on Linux }} {{#seo: |description=Instructions for OpenPGP and Signify Verification of {{project_name_long}} ISO, VirtualBox and KVM on the Command Line |image=Approved-29149640.png }} [[File:Approved-29149640.png|250px|thumbnail]] {{intro| Instructions for OpenPGP and Signify Verification of {{project_name_short}} ISO, VirtualBox and KVM on the Command Line }} <!-- Copyright: Kicksecure Verify_the_images_using_Linux wiki page Copyright (C) Amnesia <amnesia at boum dot org> Kicksecure Verify_the_images_using_Linux wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@kicksecure.com> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to: Free Software Foundation, Inc. 51 Franklin St, Fifth Floor Boston, MA 02110-1301, USA. On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in the /usr/share/common-licenses' directory. The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in Kicksecure virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>. --> <!-- The Kicksecure Verify_the_images_using_Linux wiki page is forked from the Tails Verify the ISO image using the command line page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html;hb=ec769a098398fc009b617d9f0aef56310497e518>. --> = Introduction = {{always_verify_signatures_reminder}} {{Tab |type=controller |content= {{Tab |title= = OpenPGP = |image=[[File:GnuPG-Logo.svg|25px]] |active=true |addToClass=info-box |content= {{gpg_verification_introduction}} '''1.''' Choose your platform. {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content= '''2.''' Import the signing key. Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify. '''4.''' Save the signature in the same folder as the image. {{Download_image_and_signature |text_image=ISO image |text_signature=ISO signature |flavor=Xfce |extension=Intel_AMD64.iso |after_slash=iso |version={{VersionNew}} }} }} <!-- close tab: {{project_name_short}} OpenPGP key --> {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |type=section |addToClass=info-box |content= Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify. '''4.''' Save the signature in the same folder as the image. Select Xfce or CLI version. {{Tab |type=controller |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox Xfce}} |image=[[File:Clipart-gui.svg|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=VirtualBox Xfce image |text_signature=VirtualBox Xfce signature |flavor=Xfce |extension=Intel_AMD64.ova |after_slash=ova |version={{VersionNew}} }} }} <!-- close tab: {{project_name_short}} VirtualBox Xfce --> {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox CLI}} |image=[[File:Utilities-terminal.png|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=VirtualBox CLI image |text_signature=VirtualBox CLI signature |flavor=CLI |extension=Intel_AMD64.ova |after_slash=ova |version={{VersionNew}} }} }} <!-- close tab: {{project_name_short}} VirtualBox CLI --> }} <!-- close tab controller: {{project_name_short}} VirtualBox XFCE and CLI --> }} <!-- close tab: VirtualBox OpenPGP --> {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify. '''4.''' Save the signature in the same folder as the image. Select Xfce or CLI version. {{Tab |type=controller |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} KVM Xfce}} |image=[[File:Clipart-gui.svg|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=KVM Xfce image |text_signature=KVM Xfce signature |flavor=Xfce |extension=Intel_AMD64.qcow2.libvirt.xz |after_slash=libvirt |version={{Version_KVM}} }} }} <!-- close tab: {{project_name_short}} VirtualBox Xfce --> {{Tab |title={{Headline|h=2|content={{project_name_short}} KVM CLI}} |image=[[File:Utilities-terminal.png|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=KVM CLI image |text_signature=KVM CLI signature |flavor=CLI |extension=Intel_AMD64.qcow2.libvirt.xz |after_slash=libvirt |version={{Version_KVM}} }} }} <!-- close tab: {{project_name_short}} VirtualBox CLI --> }} <!-- close tab controller: {{project_name_short}} VirtualBox XFCE and CLI --> }} <!-- close tab: KVM OpenPGP --> }} <!-- close tab controller: VirtualBox and KVM OpenPGP --> '''5.''' Change directory. <pre> cd [the directory in which you downloaded the image and the signature] </pre> '''6.''' Start the cryptographic verification. This process can take several minutes. {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.Intel_AMD64.iso.asc {{project_name_short}}-*.Intel_AMD64.iso }} }} <!-- close tab Verify ISO --> {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.ova.asc {{project_name_short}}-*.ova }} }} <!-- close tab Verify VirtualBox --> {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.libvirt.xz.asc {{project_name_short}}-*.libvirt.xz }} }} <!-- close tab: Verify KVM --> }} <!-- close tab controller: Verify VirtualBox and KVM --> '''7.''' Check the output of the verification step. {{GnuPG-Success}} {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content= <pre> gpg: Good signature </pre> }} <!-- close tab: ISO Good Signature --> {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content= <pre> gpg: Good signature </pre> }} <!-- close tab: VirtualBox Good Signature --> {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= <pre> gpg: Good signature </pre> }} <!-- close tab: VirtualBox Good Signature --> }} <!-- close tab controller: VirtualBox and KVM Good Signature --> This output might be followed by a warning as follows. {{GnuPG-Warning}} {{gpg_signature_timestamp}} Example of signature creation timestamp; see below. <pre> gpg: Signature made Mon 19 Jan 2023 11:45:41 PM CET using RSA key ID ... </pre> {{GnuPG_file_names}} {{gpg_file_name_notation}} {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content= <div class="pre">gpg: Signature notation: file@name={{project_name_short}}-{{VersionNew}}.Intel_AMD64.iso</div> }} <!-- close tab: VirtualBox Signature Notation --> {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content= <div class="pre">gpg: Signature notation: file@name={{project_name_short}}-{{VersionNew}}.Intel_AMD64.ova</div> }} <!-- close tab: VirtualBox Signature Notation --> {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= <div class="pre">gpg: Signature notation: file@name={{project_name_short}}-{{Version_KVM}}.libvirt.xz</div> }} <!-- close tab: KVM Signature Notation --> }} <!-- close tab controller: VirtualBox and KVM Signature Notation --> <u>If the digital software signature verification failed</u>, the output will inform that the signature is bad: <pre> gpg: BAD signature </pre> {{do_not_continue_on_gpg_verification_errors}} '''8.''' Done. Digital software signature verification using OpenPGP has been completed. {{Template:GnuPG-Troubleshooting}} }} <!-- close tab: OpenPGP --> {{Tab |title= = Signify = |image=[[File:Signify_Logo.svg|25px]] |addToClass=info-box |content= {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Advanced users only! }} '''1.''' Choose your platform. {{Tab |type=controller |linkid=virtualizer_signify |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO Signify}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content= '''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>. {{signing_key_main_signify}} }} <!-- close tab: VirtualBox Signify --> {{Tab |title={{Headline|h=2|content=VirtualBox Signify}} |image=[[File:Virtualbox_logo.png|25px]] |type=section |addToClass=info-box |active= |content= '''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>. {{signing_key_main_signify}} }} <!-- close tab: VirtualBox Signify --> {{Tab |title={{Headline|h=2|content=KVM Signify}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= '''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>. {{signing_key_main_signify}} }} <!-- close tab: KVM Signify --> }} <!-- close tab controller: VirtualBox and KVM signify tabs --> '''3.''' Install <code>signify-openbsd</code>. {{Install Package| package=signify-openbsd }} '''4.''' Note. [https://forums.whonix.org/t/signify-openbsd/7842/5 It is impossible to <code>signify</code> sign images (<code>.ova</code> / <code>libvirt.tar.xz</code>) directly.] You can only verify the <code>.sha512sums</code> hash sum file using <code>signify-openbsd</code> and then verify the image against the <code>sha512</code> sum. '''5.''' Download the <code>.sha512sums</code> and <code>.sha512sums.sig</code> files. '''6.''' Verify the <code>.sha512sums</code> file with <code>signify-openbsd</code>. {{CodeSelect|code= signify-openbsd -Vp derivative.pub -m {{project_name_short}}-*.sha512sums }} If the signature is valid, it will output: <pre> Signature Verified </pre> If the signature is invalid, it will output an error. '''7.''' Compare the hash of the image file with the hash in the <code>.sha512sums</code> file. {{CodeSelect|code= sha512sum --strict --check {{project_name_short}}-*.sha512sums }} If the hash is correct, it will output: <div class="pre">{{project_name_short}}-Xfce-{{VersionNew}}.ova: OK</div> {{do_not_continue_on_gpg_verification_errors}} '''8.''' Done. Digital signature verification using signify has been completed. If you are using signify for software signature verification, please consider making a report in the [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd forum thread]. This will help developers decide whether to continue supporting this method or deprecate it. Forum discussion: [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd]. }} <!-- close tab: Signify --> }} <!-- closing tabs: OpenPGP and Signify --> = Footnotes = {{reflist|close=1}} = License = {{License_Amnesia|{{FULLPAGENAME}}}} {{Footer}} [[Category:Documentation]] [[Category:MultiWiki]]