{{Header}}
{{Title|title=
Verify {{project_name_long}} Images Software Signatures
}}
{{#seo:
|description=Download image verification instructions for {{non_q_project_name_short}} with OpenPGP and Signify.
|image=Verifywhoniximages.png
}}
[[File:Verifywhoniximages.png|250px|thumb]]
{{intro|
Download image verification instructions for {{non_q_project_name_short}} with OpenPGP and Signify.
}}
{{always_verify_signatures_reminder}}
__FORCETOC__
= OpenPGP Signature =
== Qubes ==
[[File:qubes-logo-blue.png|15px|link=Qubes]] [[Qubes|{{q_project_name_long}}]] templates are automatically verified when <code>qubes-dom0-update</code> [[Qubes/Install|downloads and installs them]]; manual user verification is unnecessary.

== VirtualBox ==
[[File:Virtualbox_logo.png|15px|link=VirtualBox]] Steps to verify the virtual machine images depend on the operating system in use:

* [[File:logo-linux-500x500.png|15px|link=]] [[Verify_the_images_using_Linux|Linux]]
* [[File:Logo-windows-500x500.png|15px|link=]] [[Verify_the_images_using_Windows|Windows using Gpg4win]]
* [[File:logo-apple-500x500.png|15px]] [[Verify_the_images_using_macOS|macOS using GPGTools]]

Also see: [[VirtualBox/Appliance is not signed|VirtualBox <code>Appliance is not signed</code> Error Message]].

== KVM ==
[[File:Kvm-new-logo.png|30px|link=KVM]] Refer to the KVM [[File:logo-linux-500x500.png|15px|link=]] [[Verify_the_images_using_Linux|Linux on the Command Line]] instructions.

== Windows Installer ==
The [[Dev/Windows Installer|{{project_name_short}} Windows Installer]] is currently unavailable. ([[Verify_the_images_using_Windows|Verify the {{project_name_short}} Windows Installer]])

= Signify Signatures =
{{AdvancedUsersOnly}}

[https://forums.whonix.org/t/signify-openbsd/7842/5 It is impossible to <code>signify</code> sign images (<code>.ova</code> / <code>libvirt.tar.xz</code>) directly.] You can only verify the <code>.sha512sums</code> hash sum file using <code>signify-openbsd</code> and then verify the image against the <code>sha512</code> sum.
{{Box|text=
'''1.''' [[#Download_the_signify_Key|Download the signify Key]] and save it as <code>keyname.pub</code>.

{{signing_key_main_signify}}

'''2.''' Install <code>signify-openbsd</code>.
{{Box|text=
{{Install Package|
package=signify-openbsd
}}
}}

'''3.''' Download the <code>.sha512sums</code> and <code>.sha512sums.sig</code> files.

'''4.''' Verify the <code>.sha512sums</code> file with <code>signify-openbsd</code>.

{{CodeSelect|code=
signify-openbsd -Vp keyname.pub -m {{project_name_short}}-*.sha512sums
}}

If the file is correct, it will output:

{{CodeSelect|code=
Signature Verified
}}

If the file is not correct, it will output an error.

'''5.''' Compare the hash of the image file with the hash in the <code>.sha512sums</code> file.

{{CodeSelect|code=
sha512sum -c {{project_name_short}}-*.sha512sums
}}

If the file is correct, it will output:

{{CodeSelect|code=
{{project_name_short}}-Xfce-{{VersionNew}}.ova: OK
}}

{{do_not_continue_on_gpg_verification_errors}}

If you are using signify for software signature verification, please consider making a report in the [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd forum thread]. This will help developers decide whether to continue supporting this method or deprecate it.
}}

'''Table:''' ''{{project_name_short}} VirtualBox Files''

{|   class="wikitable" style="margin-left: auto; margin-right: auto; border: none; text-align: center;"
!  align="center" | <b>{{project_name_short}} Version</b>
!  align="center" | <b>Files</b>
|-  class="odd"
|  align="center" | {{project_name_short}} VirtualBox CLI
|  align="center" |
* https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova
* https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.sha512sums
* https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.sha512sums.sig
|-  class="even"
|  align="center" | {{project_name_short}} VirtualBox Xfce
|  align="center" |
* https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova
* https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.sha512sums
* https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.sha512sums.sig
|}

Forum discussion: [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd].

= Codecrypt Signatures =
[[PQCrypto#Codecrypt|Codecrypt]] signatures are not yet available, but are planned long term.

Volunteer contributions are happily considered! If you were to contribute <code>codecrypt</code> signature creation to the {{project_name_short}} [https://github.com/Kicksecure/developer-meta-files/blob/master/usr/bin/dm-prepare-release <code>dm-prepare-release</code> script], then this feature could be provided much sooner.

If you would like to use codecrypt for software signature verification, please consider making a report in the [https://forums.whonix.org/t/use-codecrypt-to-sign-whonix-releases/7844 codecrypt forum thread]. This method might be supported sooner if there is sufficient interest.

Forum discussion:<br />
[https://forums.whonix.org/t/use-codecrypt-to-sign-whonix-releases/7844 use codecrypt to sign releases].

= See Also =
* [[Signing_Key|Download the {{project_name_short}} Signing Key]]
* [[Verifying Software Signatures]]
* [[Trust|Placing Trust in {{project_name_short}}]]
* [[OpenPGP|OpenPGP key distribution strategies]]

{{Footer}}

[[Category:Documentation]]