{{Header}} {{Title|title= Verify Virtual Machine Images on Linux }} {{#seo: |description=Instructions for OpenPGP and Signify Verification of {{project_name_long}} VirtualBox and KVM on the Command Line |image=Approved-29149640.png }} [[image:Approved-29149640.png|250px|thumbnail]] {{intro| Instructions for OpenPGP and Signify Verification of {{project_name_short}} VirtualBox and KVM on the Command Line }} = Introduction = {{always_verify_signatures_reminder}} {{Tab |type=controller |content= {{Tab |title= = OpenPGP = |image=[[File:GnuPG-Logo.svg|25px]] |active=true |addToClass=info-box |content= {{gpg_verification_introduction}} '''1.''' Import the signing key. {{Tab |type=controller |linkid=virtualizer |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |type=section |addToClass=info-box |active=true |content= Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''2.''' Download the cryptographic (OpenPGP) signature corresponding to the virtual machine image you want to verify. '''3.''' Save the signature in the same folder as the virtual machine image. {{Tab |type=controller |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox Xfce}} |image=[[File:Clipart-gui.svg|25px]] |addToClass=info-box |content= {{#widget:Download_Button |text=VirtualBox Xfce image |url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova |onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova |os= |addToClass= }} {{#widget:Download_Button |text=VirtualBox Xfce signature |icon=sig |url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova.asc |onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova.asc |os= |addToClass= }} }} {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox CLI}} |image=[[File:Utilities-terminal.png|25px]] |addToClass=info-box |content= {{#widget:Download_Button |text=VirtualBox CLI image |url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova |onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova |os= |addToClass= }} {{#widget:Download_Button |text=VirtualBox CLI signature |icon=sig |url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova.asc |onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova.asc |os= |addToClass= }} }} }} }} {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= Refer to the more secure, detailed [[KVM/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_kvm}} '''2.''' Download the cryptographic (OpenPGP) signature corresponding to the virtual machine image you want to verify. '''3.''' Save the signature in the same folder as the virtual machine image. {{#widget:Download_Button |text=KVM Xfce image |url=https://download.{{project_clearnet}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz |onion=https://download.{{project_onion}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz |os= |addToClass= }} {{#widget:Download_Button |text=KVM Xfce signature |icon=sig |url=https://download.{{project_clearnet}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz.asc |onion=https://download.{{project_onion}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz.asc |os= |addToClass= }} }} }} '''4.''' Start the cryptographic verification. This process can take several minutes. {{CodeSelect|code= cd [the directory in which you downloaded the .ova and the .asc] }} {{Tab |type=controller |linkid=virtualizer |content= {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.ova.asc {{project_name_short}}-*.ova }} }} {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.libvirt.xz.asc {{project_name_short}}-*.libvirt.xz }} }} }} '''5.''' Check the output of the verification step. {{GnuPG-Success}} {{Tab |type=controller |linkid=virtualizer |content= {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content=
gpg: Good signature from "Patrick Schleizer"}} {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content=
gpg: Good signature from "HulaHoop"}} }} This output might be followed by a warning as follows. {{GnuPG-Warning}} {{gpg_signature_timestamp}} Example of signature creation timestamp; see below.
gpg: Signature made Mon 19 Jan 2023 11:45:41 PM CET using RSA key ID ...{{GnuPG_file_names}} {{gpg_file_name_notation}} {{Tab |type=controller |linkid=virtualizer |content= {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content=
gpg: BAD signature{{do_not_continue_on_gpg_verification_errors}} '''6.''' Done. Digital software signature verification using OpenPGP has been completed. {{Template:GnuPG-Troubleshooting}} }} {{Tab |title= = Signify = |image=[[File:Signify_Logo.svg|25px]] |addToClass=info-box |content= {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Advanced users only! }} '''1.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as
derivative.pub
.
{{Tab
|type=controller
|linkid=virtualizer
|content=
{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=
{{signing_key_main_signify}}
}}
{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=
{{signing_key_kvm_signify}}
}}
}}
'''2.''' Install signify-openbsd
.
{{Install Package|
package=signify-openbsd
}}
'''3.''' Note.
[https://forums.whonix.org/t/signify-openbsd/7842/5 It is impossible to signify
sign images (.ova
/ libvirt.tar.xz
) directly.] You can only verify the .sha512sums
hash sum file using signify-openbsd
and then verify the image against the sha512
sum.
'''4.''' Download the .sha512sums
and .sha512sums.sig
files.
'''5.''' Verify the .sha512sums
file with signify-openbsd
.
{{CodeSelect|code=
signify-openbsd -Vp derivative.pub -m {{project_name_short}}-*.sha512sums
}}
If the signature is valid, it will output:
Signature VerifiedIf the signature is invalid, it will output an error. '''6.''' Compare the hash of the image file with the hash in the
.sha512sums
file.
{{CodeSelect|code=
sha512sum --strict --check {{project_name_short}}-*.sha512sums
}}
If the hash is correct, it will output: