{{Header}} {{Title|title= Verify the {{project_name_long}} Windows Installer }} {{#seo: |description=Digital software signature verification of {{project_name_short}} using Gpg4win. |image=Windowsquickstart.jpg }} {{intro| Digital software signature verification of {{project_name_short}} using Gpg4win. }} {{Archived}} __NOINDEX__ {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = {{project_name_short}} Windows Installer currently unavailable. [[Stay Tuned]] for news. '''See [[VirtualBox]] instead.''' }} {{always_verify_signatures_reminder}} = Download {{project_name_short}} Windows Installer and Digital Signature = The {{project_name_short}} Windows Installer was developed with design goals focused on provide users with an fast and easy method to install {{project_name_short}} in Microsoft Windows. When whonix-installer.exe is executed the [[VirtualBox/Recommended_Version|Recommended VirtualBox version]] and both {{project_name_short}} VMs are seamlessly installed on the Windows machine. Once {{project_name_short}} is installed, users only need to click the start button in the {{project_name_short}} GUI for both {{project_name_gateway_long}} and {{project_name_workstation_long}} VMs to start. '''Download the {{project_name_short}} Installer for Microsoft Windows.''' {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = '''By downloading, you acknowledge that you have read, understood and agreed to our [[Terms of Service|Terms of Service]] and [[License Agreement|License Agreement]].''' }} '''Currently unavailable. See [[VirtualBox]] instead.''' Before continuing, download both {{project_name_short}} Windows Installer and corresponding OpenPGP signature in the above download table. Then continue with the steps needed to [[#Software Digital Signature Verification Tools Installation|install of the software digital signature verification tools]]. Then [[#Verify the {{project_name_short}} Windows Installer|verify the {{project_name_short}} digital software signatures]]. Users that are familiar with OpenPGP verification can go straight to download the [[Main/Project Signing Key|signing key]] and verify the {{project_name_short}} Windows installer. = Software Digital Signature Verification Tools Installation = == Introduction == Due to [[Verifying_Software_Signatures#Conceptual_Challenges_in_Digital_Signatures_Verification|Conceptual Challenges in Digital Signatures Verification]] and [[Windows_Hosts#Windows_Software_Sources|impracticality, unpopularity of digital software signature verification on the Windows platform]], this is a cumbersome process. None of these issues are specific to {{project_name_short}} to caused by {{project_name_short}}. This is being stated to avoid {{project_name_short}} of getting blamed for this mess. Previously users put it this way:
I never had to verify any software. Why Whonix makes this more complicated than everyone else?
To keep a system secure and free of malware it is strongly recommended to [[Warning#Always_Verify_Signatures|always verify software signatures]]. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world.
Most other vendors of software on the Windows platform are either unaware or ignore this issue. The {{project_name_short}} project makes an effort to document and cope up with the mess on the Windows platform. This page includes documentation on how to securely acquire Gpg4win - an application which can be used to verify digital software signatures provided by the {{project_name_short}} project and other software. Option A) The following guide provides steps to: # Download and installation of SignTool. # Download Gpg4win. # Verify Gpg4win using SignTool. # Import the developer's GPG signing key into Gpg4win. # Verify the {{project_name_short}} Windows Installer using Gpg4win. SignTool is a Windows platform focused tool provided by Microsoft which can be used to verify software digital signatures. [https://gnupg.org/ GnuPG] is a complete and free implementation [[OpenPGP]] that allows users to encrypt and sign data and communications. Popular on Windows, macOS and Linux platform. [https://www.gpg4win.org/ Gpg4win] is a graphical front end for GnuPG that is used to for file and email encryption in Windows. The verification process for the {{project_name_short}} Windows Installer includes securely downloading an verifying the gpg4win package. Once completed GPG can be used from the command-line to verify the {{project_name_short}} Windows Installer. Download and installation of SignTool (from the Microsoft website over TLS) and verification of Gpg4win using SignTool might be considered optional. This is because both, SignTool and Gpg4win (downloaded from the Gpg4win website over TLS) are only downloaded over [[SSL|TLS]], a very basic form of authentication. The argument for that is debatable. "It would be much more unlikely for a massive company like Microsoft to be compromised and serve malicious software than gpg4win server." https://forums.whonix.org/t/testing-whonix-installer-for-windows/2987/217 Option B) Therefore optionally the user might decide to skip the SignTool step and simplify as follows. # Download and install Gpg4win. # Import the developer's GPG signing key into Gpg4win. # Verify the {{project_name_short}} Windows Installer using Gpg4win. The Gpg4win documentation also covers subject. * [https://www.gpg4win.org/package-integrity.html Check integrity of Gpg4win packages - Gpg4win website] * [https://wiki.gnupg.org/Gpg4win/CheckIntegrity Check integrity of Gpg4win packages - Gpg4win wiki] {{Download_and_Verify_GPG4win_in_Windows}} = Verify the {{project_name_short}} Windows Installer = {{Box|text= It is important to check the integrity of the downloaded {{project_name_short}} Windows Installer to ensure that neither a man-in-the-middle attack or file corruption occurred; (see [[Download Security]]). {{do_not_continue_on_gpg_verification_errors}} '''1.''' If not already completed, have GnuPG initialize your user data folder. {{CodeSelect|code= gpg --fingerprint }} '''2.''' Download the [[Main/Project Signing Key|signing key]]. '''3.''' Store the key as C:\Users\\Downloads\derivative.asc

'''4.''' Check fingerprints/owners without importing anything. {{CodeSelect|code= gpg --keyid-format long --with-fingerprint derivative.asc }} '''5.''' Verify the output. The output should be identical to the following. 
TODO
If the key was successfully imported, the following message will appear. 
TODO
'''6.''' Import the key. {{CodeSelect|code= gpg --import derivative.asc }} The output should confirm the key was imported. 
TODO
Output already imported. If the signing key was already imported in the past, ''the output should confirm the key is unchanged.'' 
TODO
'''4.''' Start the cryptographic verification, which can take several minutes. In Windows command prompt, change to the directory with the whonix-installer.exe package and corresponding signature file. {{CodeSelect|code= cd C:\Users\\ }} Next, verify the {{project_name_short}} Windows Installer. {{CodeSelect|code= gpg --verify-options show-notations --verify whonix-installer.exe.asc whonix-installer.exe }} If the Whonix Installer image is correct the output will tell you that the signature is good. 
TODO

This might be followed by a warning saying: {{Template:GnuPG-Warning}} {{gpg_signature_timestamp}} The first line includes the signature creation timestamp. Example. 
gpg: Signature made Sun 18 Aug 2019 08:31:41 PM EDT
{{GnuPG_file_names}} }} = Install Whonix = {{Box|text= Note: When the {{project_name_short}} Windows Installer is executed, the currently installed VirtualBox package -- if there is one installed on the system -- is removed and the latest VirtualBox package is installed. At the time of writing (AUG 19 2019) VirtualBox 6.0.10 was the latest stable release version. {{project_name_short}} can be installed by simply running whonix-installer.exe. When installation is complete, users will be greeted with the {{project_name_short}} GUI which can then be used to start the VMs. Keep in mind that installation could take can up to 15 minutes to complete depending on your hardware configuration.

In the folder you downloaded the {{project_name_short}} Windows Installer: * Double "click" whonix-installer.exeLicense agreement "click" Install → Finish '''Figure:''' ''Whonix Windows Installer'' [[Image:Whonix_windows_installer.png]] '''Figure:''' Install Whonix [[Image:Whonix_installer_wizard.png]] '''Figure:''' ''License agreement'' [[Image:Whonix_windows_installer_license_agreement.png]] '''Figure:''' ''Extracting files'' [[Image:Installing_whonix.png]] '''Figure:''' ''Whonix installation complete'' [[Image:Whonix_setup_wizard_complete.png]] }} = Start Whonix = {{Box|text= '''Whonix Desktop Starter''' * Double "click" Whonix desktop starter"click" Start Whonix. '''VirtualBox interface''' * Double "click" Whonix desktop starter "click" Advanced in Whonix GUI. When the Advanced button is pressed, the VirtualBox user interface will open and the VMs can be started. The VirtualBox interface will provide a more granular control of the VMs. From there users can manage the {{project_name_short}} VMs or modify VirtualBox settings. '''Figure:''' ''Whonix desktop starter'' [[Image:Whonix_desktop_starter.png]] '''Figure:''' ''Whonix user interface'' [[Image:Whonix_User_Interface_start.png]] '''Figure:''' ''Start Whonix VM'' [[Image:Virtualbox_user_interface.png]] }} = Shutdown Whonix = {{Box|text= '''From the Whonix GUI''' * Both Whonix VMs can be shutdown simultaneously by clicking the Stop Whonix button. '''Figure:''' ''Stop Whonix VMs'' [[Image:Whonix_User_Interface_stop.png]] }} = First Time Users = {{VirtualBox_2}} = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]