{{Header}} {{Title|title= Verify Virtual Machine Images on Linux }} {{#seo: |description=Instructions for OpenPGP and Signify Verification of {{project_name_long}} ISO, VirtualBox and KVM on the Command Line |image=Approved-29149640.png }} [[File:Approved-29149640.png|250px|thumbnail]] {{intro| Instructions for OpenPGP and Signify Verification of {{project_name_short}} ISO, VirtualBox and KVM on the Command Line }} = Introduction = {{always_verify_signatures_reminder}} {{Tab |type=controller |content= {{Tab |title= = OpenPGP = |image=[[File:GnuPG-Logo.svg|25px]] |active=true |addToClass=info-box |content= {{gpg_verification_introduction}} '''1.''' Choose your platform. {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content= '''2.''' Import the signing key. Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify. '''4.''' Save the signature in the same folder as the image. {{Download_image_and_signature |text_image=ISO image |text_signature=ISO signature |flavor=Xfce |extension=Intel_AMD64.iso |after_slash=iso |version={{VersionNew}} }} }} {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |type=section |addToClass=info-box |content= Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify. '''4.''' Save the signature in the same folder as the image. Select Xfce or CLI version. {{Tab |type=controller |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox Xfce}} |image=[[File:Clipart-gui.svg|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=VirtualBox Xfce image |text_signature=VirtualBox Xfce signature |flavor=Xfce |extension=Intel_AMD64.ova |after_slash=ova |version={{VersionNew}} }} }} {{Tab |title={{Headline|h=2|content={{project_name_short}} VirtualBox CLI}} |image=[[File:Utilities-terminal.png|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=VirtualBox CLI image |text_signature=VirtualBox CLI signature |flavor=CLI |extension=Intel_AMD64.ova |after_slash=ova |version={{VersionNew}} }} }} }} }} {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions. {{signing_key_main}} '''3.''' Download the cryptographic (OpenPGP) signature corresponding to the image you want to verify. '''4.''' Save the signature in the same folder as the image. Select Xfce or CLI version. {{Tab |type=controller |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} KVM Xfce}} |image=[[File:Clipart-gui.svg|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=KVM Xfce image |text_signature=KVM Xfce signature |flavor=Xfce |extension=Intel_AMD64.qcow2.libvirt.xz |after_slash=libvirt |version={{Version_KVM}} }} }} {{Tab |title={{Headline|h=2|content={{project_name_short}} KVM CLI}} |image=[[File:Utilities-terminal.png|25px]] |addToClass=info-box |content= {{Download_image_and_signature |text_image=KVM CLI image |text_signature=KVM CLI signature |flavor=CLI |extension=Intel_AMD64.qcow2.libvirt.xz |after_slash=libvirt |version={{Version_KVM}} }} }} }} }} }} '''5.''' Change directory.
cd [the directory in which you downloaded the image and the signature]'''6.''' Start the cryptographic verification. This process can take several minutes. {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.Intel_AMD64.iso.asc {{project_name_short}}-*.Intel_AMD64.iso }} }} {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.ova.asc {{project_name_short}}-*.ova }} }} {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content= {{CodeSelect|code= gpg --verify-options show-notations --verify {{project_name_short}}-*.libvirt.xz.asc {{project_name_short}}-*.libvirt.xz }} }} }} '''7.''' Check the output of the verification step. {{GnuPG-Success}} {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content=
gpg: Good signature}} {{Tab |title={{Headline|h=2|content=VirtualBox}} |image=[[File:Virtualbox_logo.png|25px]] |addToClass=info-box |content=
gpg: Good signature}} {{Tab |title={{Headline|h=2|content=KVM}} |image=[[File:Kvm-new-logo.png|25px]] |addToClass=info-box |content=
gpg: Good signature}} }} This output might be followed by a warning as follows. {{GnuPG-Warning}} {{gpg_signature_timestamp}} Example of signature creation timestamp; see below.
gpg: Signature made Mon 19 Jan 2023 11:45:41 PM CET using RSA key ID ...{{GnuPG_file_names}} {{gpg_file_name_notation}} {{Tab |type=controller |linkid=virtualizer_openpgp |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content=
gpg: BAD signature{{do_not_continue_on_gpg_verification_errors}} '''8.''' Done. Digital software signature verification using OpenPGP has been completed. {{Template:GnuPG-Troubleshooting}} }} {{Tab |title= = Signify = |image=[[File:Signify_Logo.svg|25px]] |addToClass=info-box |content= {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Advanced users only! }} '''1.''' Choose your platform. {{Tab |type=controller |linkid=virtualizer_signify |content= {{Tab |title={{Headline|h=2|content={{project_name_short}} ISO Signify}} |image=[[File:Cd-rom-icon.png|25px]] |type=section |addToClass=info-box |active=true |content= '''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as
derivative.pub
.
{{signing_key_main_signify}}
}}
{{Tab
|title={{Headline|h=2|content=VirtualBox Signify}}
|image=[[File:Virtualbox_logo.png|25px]]
|type=section
|addToClass=info-box
|active=
|content=
'''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as derivative.pub
.
{{signing_key_main_signify}}
}}
{{Tab
|title={{Headline|h=2|content=KVM Signify}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=
'''2.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as derivative.pub
.
{{signing_key_main_signify}}
}}
}}
'''3.''' Install signify-openbsd
.
{{Install Package|
package=signify-openbsd
}}
'''4.''' Note.
[https://forums.whonix.org/t/signify-openbsd/7842/5 It is impossible to signify
sign images (.ova
/ libvirt.tar.xz
) directly.] You can only verify the .sha512sums
hash sum file using signify-openbsd
and then verify the image against the sha512
sum.
'''5.''' Download the .sha512sums
and .sha512sums.sig
files.
'''6.''' Verify the .sha512sums
file with signify-openbsd
.
{{CodeSelect|code=
signify-openbsd -Vp derivative.pub -m {{project_name_short}}-*.sha512sums
}}
If the signature is valid, it will output:
Signature VerifiedIf the signature is invalid, it will output an error. '''7.''' Compare the hash of the image file with the hash in the
.sha512sums
file.
{{CodeSelect|code=
sha512sum --strict --check {{project_name_short}}-*.sha512sums
}}
If the hash is correct, it will output: