{{Header}}
{{Title|title=
Verify Virtual Machine Images on Linux
}}
{{#seo:
|description=Instructions for OpenPGP and Signify Verification of {{project_name_long}} VirtualBox and KVM on the Command Line
|image=Approved-29149640.png
}}
[[image:Approved-29149640.png|250px|thumbnail]]
{{intro|
Instructions for OpenPGP and Signify Verification of {{project_name_short}} VirtualBox and KVM on the Command Line
}}
<!--
Copyright:

   Kicksecure Verify_the_images_using_Linux wiki page Copyright (C) Amnesia <amnesia at boum dot org>
   Kicksecure Verify_the_images_using_Linux wiki page Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@kicksecure.com>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in Kicksecure virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-->
<!--
The Kicksecure Verify_the_images_using_Linux wiki page is forked from the Tails Verify the ISO image using the command line  page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/get/verify_the_iso_image_using_the_command_line.html;hb=ec769a098398fc009b617d9f0aef56310497e518>.
-->
= Introduction =
{{always_verify_signatures_reminder}}

{{Tab
|type=controller
|content=
{{Tab
|title= = OpenPGP =
|image=[[File:GnuPG-Logo.svg|25px]]
|active=true
|addToClass=info-box
|content=

{{gpg_verification_introduction}}

'''1.''' Import the signing key.

{{Tab
|type=controller
|linkid=virtualizer
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=

Refer to the more secure, detailed [[Main/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions.

{{signing_key_main}}

'''2.''' Download the cryptographic (OpenPGP) signature corresponding to the virtual machine image you want to verify.

'''3.''' Save the signature in the same folder as the virtual machine image.

{{Tab
|type=controller
|content=
{{Tab
|title={{Headline|h=2|content={{project_name_short}} VirtualBox Xfce}}
|image=[[File:Clipart-gui.svg|25px]]
|addToClass=info-box
|content=
{{#widget:Download_Button
|text=VirtualBox Xfce image
|url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova
|onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova
|os=
|addToClass=
}}

{{#widget:Download_Button
|text=VirtualBox Xfce signature
|icon=sig
|url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova.asc
|onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-Xfce-{{VersionNew}}.ova.asc
|os=
|addToClass=
}}

}} <!-- close tab: {{project_name_short}} VirtualBox Xfce -->

{{Tab
|title={{Headline|h=2|content={{project_name_short}} VirtualBox CLI}}
|image=[[File:Utilities-terminal.png|25px]]
|addToClass=info-box
|content=

{{#widget:Download_Button
|text=VirtualBox CLI image
|url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova
|onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova
|os=
|addToClass=
}}

{{#widget:Download_Button
|text=VirtualBox CLI signature
|icon=sig
|url=https://download.{{project_clearnet}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova.asc
|onion=https://download.{{project_onion}}/ova/{{VersionNew}}/{{project_name_short}}-CLI-{{VersionNew}}.ova.asc
|os=
|addToClass=
}}

}} <!-- close tab: {{project_name_short}} VirtualBox CLI -->
}} <!-- close tab controller: {{project_name_short}} VirtualBox XFCE and CLI -->
}} <!-- close tab: VirtualBox OpenPGP -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=

Refer to the more secure, detailed [[KVM/Project_Signing_Key|{{project_name_short}} Signing Key]] instructions.

{{signing_key_kvm}}

'''2.''' Download the cryptographic (OpenPGP) signature corresponding to the virtual machine image you want to verify.

'''3.''' Save the signature in the same folder as the virtual machine image.

{{#widget:Download_Button
|text=KVM Xfce image
|url=https://download.{{project_clearnet}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz
|onion=https://download.{{project_onion}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz
|os=
|addToClass=
}}

{{#widget:Download_Button
|text=KVM Xfce signature
|icon=sig
|url=https://download.{{project_clearnet}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz.asc
|onion=https://download.{{project_onion}}/libvirt/{{Version_KVM}}/{{project_name_short}}-Xfce-{{Version_KVM}}.Intel_AMD64.qcow2.libvirt.xz.asc
|os=
|addToClass=
}}

}} <!-- close tab: KVM OpenPGP -->

}} <!-- close tab controller: VirtualBox and KVM OpenPGP -->

'''4.''' Start the cryptographic verification.

This process can take several minutes.

{{CodeSelect|code=
cd [the directory in which you downloaded the .ova and the .asc]
}}

{{Tab
|type=controller
|linkid=virtualizer
|content=
{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|addToClass=info-box
|content=

{{CodeSelect|code=
gpg --verify-options show-notations --verify {{project_name_short}}-*.ova.asc {{project_name_short}}-*.ova
}}

}} <!-- close tab Verify VirtualBox -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=

{{CodeSelect|code=
gpg --verify-options show-notations --verify {{project_name_short}}-*.libvirt.xz.asc {{project_name_short}}-*.libvirt.xz
}}

}} <!-- close tab: Verify KVM -->

}} <!-- close tab controller: Verify VirtualBox & KVM -->

'''5.''' Check the output of the verification step.

{{GnuPG-Success}}

{{Tab
|type=controller
|linkid=virtualizer
|content=
{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|addToClass=info-box
|content=
<pre>
gpg: Good signature from "Patrick Schleizer"
</pre>

}} <!-- close tab: VirtualBox Good Signature -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=

<pre>
gpg: Good signature from "HulaHoop"
</pre>

}} <!-- close tab: VirtualBox Good Signature -->

}} <!-- close tab controller: VirtualBox and KVM Good Signature -->

This output might be followed by a warning as follows. 

{{GnuPG-Warning}}

{{gpg_signature_timestamp}}

Example of signature creation timestamp; see below.

<pre>
gpg: Signature made Mon 19 Jan 2023 11:45:41 PM CET using RSA key ID ...
</pre>

{{GnuPG_file_names}}

{{gpg_file_name_notation}}

{{Tab
|type=controller
|linkid=virtualizer
|content=
{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|addToClass=info-box
|content=

<div class="pre">gpg: Signature notation: file@name={{project_name_short}}-{{VersionNew}}.ova</div>
}} <!-- close tab: VirtualBox Signature Notation -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=
<div class="pre">gpg: Signature notation: file@name={{project_name_short}}-{{Version_KVM}}.libvirt.xz</div>

}} <!-- close tab: KVM Signature Notation -->
}} <!-- close tab controller: VirtualBox and KVM Signature Notation -->

<u>If the Virtual Machine image is not correct</u>, the output will inform that the signature is bad:

<pre>
gpg: BAD signature
</pre>

{{do_not_continue_on_gpg_verification_errors}}

'''6.''' Done.

Digital software signature verification using OpenPGP has been completed.

{{Template:GnuPG-Troubleshooting}}

}} <!-- close tab: OpenPGP -->

{{Tab
|title= = Signify =
|image=[[File:Signify_Logo.svg|25px]]
|addToClass=info-box
|content=

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = Advanced users only!
}}
'''1.''' [[Signing_Key#Download_the_signify_Key|Download the signify Key]] and save it as <code>derivative.pub</code>.

{{Tab
|type=controller
|linkid=virtualizer
|content=
{{Tab
|title={{Headline|h=2|content=VirtualBox}}
|image=[[File:Virtualbox_logo.png|25px]]
|type=section
|addToClass=info-box
|active=true
|content=

{{signing_key_main_signify}}

}} <!-- close tab: VirtualBox Signify -->

{{Tab
|title={{Headline|h=2|content=KVM}}
|image=[[File:Kvm-new-logo.png|25px]]
|addToClass=info-box
|content=

{{signing_key_kvm_signify}}

}} <!-- close tab: KVM Signify -->
}} <!-- close tab controller: VirtualBox and KVM signify tabs -->

'''2.''' Install <code>signify-openbsd</code>.

{{Install Package|
package=signify-openbsd
}}

'''3.''' Note.

[https://forums.whonix.org/t/signify-openbsd/7842/5 It is impossible to <code>signify</code> sign images (<code>.ova</code> / <code>libvirt.tar.xz</code>) directly.] You can only verify the <code>.sha512sums</code> hash sum file using <code>signify-openbsd</code> and then verify the image against the <code>sha512</code> sum.

'''4.''' Download the <code>.sha512sums</code> and <code>.sha512sums.sig</code> files.

'''5.''' Verify the <code>.sha512sums</code> file with <code>signify-openbsd</code>.

{{CodeSelect|code=
signify-openbsd -Vp derivative.pub -m {{project_name_short}}-*.sha512sums
}}

If the signature is valid, it will output:

<pre>
Signature Verified
</pre>

If the signature is invalid, it will output an error.

'''6.''' Compare the hash of the image file with the hash in the <code>.sha512sums</code> file.

{{CodeSelect|code=
sha512sum --strict --check {{project_name_short}}-*.sha512sums
}}

If the hash is correct, it will output:

<div class="pre">{{project_name_short}}-Xfce-{{VersionNew}}.ova: OK</div>

{{do_not_continue_on_gpg_verification_errors}}

'''7.''' Done.

Digital signature verification using signify has been completed.

If you are using signify for software signature verification, please consider making a report in the [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd forum thread]. This will help developers decide whether to continue supporting this method or deprecate it.

Forum discussion: [https://forums.whonix.org/t/signify-openbsd/7842 signify-openbsd].

}} <!-- close tab: Signify -->
}} <!-- closing tabs: OpenPGP and Signify -->

= Footnotes =
{{reflist|close=1}}

= License =
{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]]
[[Category:MultiWiki]]