{{Header}}
{{Title|title=
Verify Downloaded Images on Linux
}}
{{#seo:
|description=Instructions for OpenPGP and Signify Verification of {{project_name_long}} ISO, VirtualBox and KVM on the Command Line
|image=Verify_images_on_linux.png
}}
[[File:Verify_images_on_linux.png|200px|thumbnail]]
{{intro|
Instructions for OpenPGP and Signify Verification of {{project_name_short}} ISO, VirtualBox and KVM on the Command Line
}}
<!--
Copyright:

  Kicksecure Verify_the_images_using_Linux wiki page Copyright (C) Amnesia <amnesia at boum dot org>
  Kicksecure Verify_the_images_using_Linux wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <[email protected]>

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 3 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to:

   Free Software Foundation, Inc.
   51 Franklin St, Fifth Floor
   Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in Kicksecure virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-->
<!--
The Kicksecure Verify_the_images_using_Linux wiki page is forked from the Tails Verify the ISO image using the command line  page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html;hb=ec769a098398fc009b617d9f0aef56310497e518>.
-->
= Introduction =
{{always_verify_signatures_reminder}}

{{Tab
|type=controller
|content=
{{Tab
|title= = OpenPGP =
|image=[[File:GnuPG-Logo.svg|25px]]
|active=true
|addToClass=info-box
|content=

{{gpg_verification_introduction}}

'''1.''' Platform specific. Select your platform.

{{Tab
|type=controller
|linkid=virtualizer_openpgp
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} ISO}}
|image=[[File:Cd-rom-icon.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=
'''2.''' Import the signing key.

Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions.

{{signing_key_main}}

'''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify.

'''4.''' Save the signature in the same folder as the image.

{{Download_image_and_signature
|text_image=ISO image
|text_signature=ISO signature
|flavor=Xfce
|extension=Intel_AMD64.iso
|after_slash=iso
|version={{VersionNew}}
}}

}} <!-- close tab: {{project_name_short}} OpenPGP key -->

{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|type=section
|addToClass=info-box
|content=

Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions.

{{signing_key_main}}

'''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify.

'''4.''' Save the signature in the same folder as the image.

Select Xfce or CLI version.

{{Tab
|type=controller
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} VirtualBox Xfce}}
|image=[[File:Clipart-gui.svg|25px]]
|addToClass=info-box
|content=

{{Download_image_and_signature
|text_image=VirtualBox Xfce image
|text_signature=VirtualBox Xfce signature
|flavor=Xfce
|extension=Intel_AMD64.ova
|after_slash=ova
|version={{VersionNew}}
}}

}} <!-- close tab: {{project_name_short}} VirtualBox Xfce -->

{{Tab
|title={{Headline|h=2|content={{project_name_short}} VirtualBox CLI}}
|image=[[File:Utilities-terminal.png|25px]]
|addToClass=info-box
|content=

{{Download_image_and_signature
|text_image=VirtualBox CLI image
|text_signature=VirtualBox CLI signature
|flavor=CLI
|extension=Intel_AMD64.ova
|after_slash=ova
|version={{VersionNew}}
}}

}} <!-- close tab: {{project_name_short}} VirtualBox CLI -->
}} <!-- close tab controller: {{project_name_short}} VirtualBox XFCE and CLI -->
}} <!-- close tab: VirtualBox OpenPGP -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=
Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions.

{{signing_key_main}}

'''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify.

'''4.''' Save the signature in the same folder as the image.

Select Xfce or CLI version.

{{Tab
|type=controller
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} KVM Xfce}}
|image=[[File:Clipart-gui.svg|25px]]
|addToClass=info-box
|content=

{{Download_image_and_signature
|text_image=KVM Xfce image
|text_signature=KVM Xfce signature
|flavor=Xfce
|extension=Intel_AMD64.qcow2.libvirt.xz
|after_slash=libvirt
|version={{Version_KVM}}
}}

}} <!-- close tab: {{project_name_short}} VirtualBox Xfce -->

{{Tab
|title={{Headline|h=2|content={{project_name_short}} KVM CLI}}
|image=[[File:Utilities-terminal.png|25px]]
|addToClass=info-box
|content=

{{Download_image_and_signature
|text_image=KVM CLI image
|text_signature=KVM CLI signature
|flavor=CLI
|extension=Intel_AMD64.qcow2.libvirt.xz
|after_slash=libvirt
|version={{Version_KVM}}
}}

}} <!-- close tab: {{project_name_short}} VirtualBox CLI -->
}} <!-- close tab controller: {{project_name_short}} VirtualBox XFCE and CLI -->

}} <!-- close tab: KVM OpenPGP -->

}} <!-- close tab controller: VirtualBox and KVM OpenPGP -->

'''5.''' Change directory.

<pre>
cd [the directory in which you downloaded the image and the signature]
</pre>

'''6.''' Start the cryptographic verification.

This process can take several minutes.

{{Tab
|type=controller
|linkid=virtualizer_openpgp
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} ISO}}
|image=[[File:Cd-rom-icon.png|25px]]
|addToClass=info-box
|content=

{{CodeSelect|code=
gpg --verify-options show-notations --verify {{project_name_short}}-*.Intel_AMD64.iso.asc {{project_name_short}}-*.Intel_AMD64.iso
}}

}} <!-- close tab Verify ISO -->

{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|addToClass=info-box
|content=

{{CodeSelect|code=
gpg --verify-options show-notations --verify {{project_name_short}}-*.ova.asc {{project_name_short}}-*.ova
}}

}} <!-- close tab Verify VirtualBox -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=

{{CodeSelect|code=
gpg --verify-options show-notations --verify {{project_name_short}}-*.libvirt.xz.asc {{project_name_short}}-*.libvirt.xz
}}

}} <!-- close tab: Verify KVM -->

}} <!-- close tab controller: Verify VirtualBox and KVM -->

'''7.''' Check the output of the verification step.

{{GnuPG-Success}}

{{Tab
|type=controller
|linkid=virtualizer_openpgp
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} ISO}}
|image=[[File:Cd-rom-icon.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=
<pre>
gpg: Good signature
</pre>

}} <!-- close tab: ISO Good Signature -->

{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|addToClass=info-box
|content=
<pre>
gpg: Good signature
</pre>

}} <!-- close tab: VirtualBox Good Signature -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=

<pre>
gpg: Good signature
</pre>

}} <!-- close tab: VirtualBox Good Signature -->

}} <!-- close tab controller: VirtualBox and KVM Good Signature -->

This output might be followed by a warning as follows.

{{GnuPG-Warning}}

{{gpg_signature_timestamp}}

Example of signature creation timestamp; see below.

<pre>
gpg: Signature made Mon 19 Jan 2023 11:45:41 PM CET using RSA key ID ...
</pre>

{{GnuPG_file_names}}

{{gpg_file_name_notation}}

{{Tab
|type=controller
|linkid=virtualizer_openpgp
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} ISO}}
|image=[[File:Cd-rom-icon.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=

{{#tag:pre|gpg: Signature notation: file@name={{project_name_short}}-{{VersionNew}}.Intel_AMD64.iso}}
}} <!-- close tab: VirtualBox Signature Notation -->

{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|addToClass=info-box
|content=

{{#tag:pre|gpg: Signature notation: file@name={{project_name_short}}-{{VersionNew}}.Intel_AMD64.ova}}
}} <!-- close tab: VirtualBox Signature Notation -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=
{{#tag:pre|gpg: Signature notation: file@name={{project_name_short}}-{{Version_KVM}}.libvirt.xz}}

}} <!-- close tab: KVM Signature Notation -->
}} <!-- close tab controller: VirtualBox and KVM Signature Notation -->

<u>If the digital software signature verification failed</u>, the output will inform that the signature is bad:

<pre>
gpg: BAD signature
</pre>

{{do_not_continue_on_gpg_verification_errors}}

'''8.''' Done.

Digital software signature verification using OpenPGP has been completed.

{{Template:GnuPG-Troubleshooting}}

}} <!-- close tab: OpenPGP -->

{{Tab
|title= = Signify =
|image=[[File:Signify_Logo.svg|25px]]
|addToClass=info-box
|content=

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = Advanced users only!
}}
'''1.''' Select your platform.

{{Tab
|type=controller
|linkid=virtualizer_signify
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} ISO Signify}}
|image=[[File:Cd-rom-icon.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=
'''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>.

{{signing_key_main_signify}}

}} <!-- close tab: VirtualBox Signify -->

{{Tab
|title={{Headline|h=2|content=VirtualBox Signify}}
|image=[[File:Virtualbox_logo.png|25px]]
|type=section
|addToClass=info-box
|active=
|content=
'''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>.

{{signing_key_main_signify}}

}} <!-- close tab: VirtualBox Signify -->

{{Tab
|title={{Headline|h=2|content=KVM Signify}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=
'''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>.

{{signing_key_main_signify}}

}} <!-- close tab: KVM Signify -->
}} <!-- close tab controller: VirtualBox and KVM signify tabs -->

'''3.''' Install <code>signify-openbsd</code>.

{{Install Package|
package=signify-openbsd
}}

'''4.''' Note.

[https://forums.whonix.org/t/signify-openbsd/7842/5 It is impossible to <code>signify</code> sign images (<code>.ova</code> / <code>libvirt.tar.xz</code>) directly.] You can only verify the <code>.sha512sums</code> hash sum file using <code>signify-openbsd</code> and then verify the image against the <code>sha512</code> sum.

'''5.''' Download the <code>.sha512sums</code> and <code>.sha512sums.sig</code> files.

'''6.''' Verify the <code>.sha512sums</code> file with <code>signify-openbsd</code>.

{{CodeSelect|code=
signify-openbsd -Vp derivative.pub -m {{project_name_short}}-*.sha512sums
}}

If the signature is valid, it will output:

<pre>
Signature Verified
</pre>

If the signature is invalid, it will output an error.

'''7.''' Compare the hash of the image file with the hash in the <code>.sha512sums</code> file.

{{CodeSelect|code=
sha512sum --strict --check {{project_name_short}}-*.sha512sums
}}

If the hash is correct, it will output:

{{#tag:pre|{{project_name_short}}-Xfce-{{VersionNew}}.ova: OK}}

{{do_not_continue_on_gpg_verification_errors}}

'''8.''' Done.

Digital signature verification using signify has been completed.

If you are using signify for software signature verification, please consider making a report in the [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd forum thread]. This will help developers decide whether to continue supporting this method or deprecate it.

Forum discussion: [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd].

}} <!-- close tab: Signify -->
}} <!-- closing tabs: OpenPGP and Signify -->

= Footnotes =
{{reflist|close=1}}

= License =
{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]]
[[Category:MultiWiki]]

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.