Verify Kicksecure ™ Images Software Signatures

Download image verification instructions for Kicksecure with OpenPGP and Signify.
Digital signatures can increase security but this requires knowledge. Learn more about digital software signature verification.
OpenPGP Signature
Qubes
Kicksecure ™ for Qubes templates are automatically verified when qubes-dom0-update downloads and installs them; manual user verification is unnecessary.
VirtualBox
Steps to verify the virtual machine images depend on the operating system in use:
Also see: VirtualBox Appliance is not signed Error Message.
KVM
Refer to the KVM Linux on the Command Line instructions.
Signify Signatures
It is impossible to sign images (.ova / libvirt.tar.xz) directly with signify. You can only verify the .sha512sums hash sum file using signify-openbsd and then verify the image against the sha512 sum.
1. Download the signify Key and save it as keyname.pub.
2. Install signify-openbsd. To accomplish that, the following steps A. to D. need to be done.
A. Update the package lists.
sudo apt update
B. Upgrade the system.
sudo apt full-upgrade
C. Install the signify-openbsd package.
Using apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends signify-openbsd
D. Done.
The procedure of installing signify-openbsd is complete.
3. Download the .sha512sums and .sha512sums.sig files.
4. Verify the .sha512sums file with signify-openbsd.
signify-openbsd -Vp keyname.pub -m Kicksecure-*.sha512sums
If the file is correct, it will output:
Signature Verified
If the file is not correct, it will output an error.
5. Compare the hash of the image file with the hash in the .sha512sums file.
sha512sum -c Kicksecure-*.sha512sums
If the file is correct, it will output:
Kicksecure-CLI-16.0.9.8.ova: OK
Do not continue if verification fails! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity. This page is strongly related to the pages Placing Trust in Kicksecure ™ and Verifying Software Signatures.
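Steps 4 and 5 above can be combined so that the image hash is only compared after the signature on the hash sum file has verified, and so that the check fails when the downloaded image is not listed in that file. The following is an added example, not part of the original page or of Kicksecure's own tooling; the function names are hypothetical, and it assumes the signature file sits next to the hash sum file as <file>.sha512sums.sig.

```sh
#!/bin/sh
# Added example, not Kicksecure project code; function names are hypothetical.

# Step 4: verify the signify signature on the hash sum file.
# signify-openbsd reads the signature from "<sums>.sig" by default.
verify_sums_signature() {
    pubkey=$1 sums=$2
    [ -f "$sums.sig" ] || { echo "missing $sums.sig" >&2; return 1; }
    signify-openbsd -V -p "$pubkey" -m "$sums"
}

# Step 5: check one image against the already verified hash sum file.
# A bare "sha512sum -c" only checks the files the list names; this checks
# the file you name and fails when that file is not listed.
check_image_hash() {
    sums=$1 image=$2
    name=$(basename -- "$image")
    # Entries look like "<128 hex digits>  <name>" ("*<name>" in binary mode).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    case $expected in
        "") echo "$name: not listed in $sums" >&2; return 1 ;;
        *[!0-9a-f]*) echo "$name: malformed or duplicate entry" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "$name: bad hash length" >&2; return 1; }
    actual=$(sha512sum -- "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "$name: FAILED" >&2; return 1; }
    echo "$name: OK"
}

# Both steps in order: the hash is only compared after the signature verified.
# Usage: verify_image keyname.pub <file>.sha512sums <image>
verify_image() {
    verify_sums_signature "$1" "$2" && check_image_hash "$2" "$3"
}
```

Source the file and call verify_image with the key from step 1, the .sha512sums file from step 3 and the downloaded image; a non-zero exit status means verification failed.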
If you are using signify for software signature verification, please consider making a report in the signify-openbsd forum thread. This will help developers decide whether to continue supporting this method or deprecate it.
Table: Kicksecure ™ VirtualBox Files
Kicksecure ™ Version | Files |
---|---|
Kicksecure ™ VirtualBox CLI | |
Kicksecure ™ VirtualBox XFCE | |
Forum discussion: signify-openbsd.
Codecrypt Signatures
Codecrypt signatures are not yet available, but are planned long term.
Volunteer contributions are happily considered! If you were to contribute codecrypt signature creation to the Kicksecure ™ dm-prepare-release script, then this feature could be provided much sooner.
If you would like to use codecrypt for software signature verification, please consider making a report in the codecrypt forum thread. This method might be supported sooner if there is sufficient interest.
See Also
- Download the Kicksecure ™ Signing Key
- Verifying Software Signatures
- Placing Trust in Kicksecure ™
- OpenPGP key distribution strategies
- Software Signature Verification Usability Issues and Proposed Solutions