When you download software from the Internet, you have to trust the developer(s) that their program isn’t malicious. However, you also have to worry about hackers. There is a lot an attacker can gain from hacking a website and replacing software with a backdoored version.
Think about a site that hosts a Bitcoin wallet utility. If an attacker manages to replace the legitimate version with a malicious one, he can potentially steal money from tens of thousands of users. Another valuable target to backdoor is an operating system. This happened to Linux Mint in the past.
So, what can you do about it?
Hashes and Signatures
Developers that are security-conscious will often bundle their setup files or archives with checksums that you can verify. You can read how to verify them on Windows or Linux. The problem with these hashes, though, is that if a hacker replaces files on a website, he can easily replace the hashes, too. This makes hashes on their own almost useless, especially if they’re hosted on the same server where the programs reside.
To make these checksums useful, developers can also digitally sign them, with the help of a public and private key pair. Only the person that owns this private key can create signatures. These can be verified only with the corresponding public key, which is published on the Internet. If the verification passes, you can be (almost always) certain that the owner of the private key signed his software.
For a hacker to bypass this security mechanism, he has to steal the private key somehow, which is much harder to do if the owner takes proper measures to keep it secret. And even when the key is stolen, the owner can invalidate it by revoking it and announcing it. If this happens, when you download his/her public key and try to use it to verify a signature, you’ll be notified that this has been revoked.
How to Verify Signatures Using GnuPG (GPG)
The gpg utility is usually installed by default on all distros. If, for some reason, it’s missing, you can install it with the commands below. On some distributions, if you get an error like “gpg: failed to start the dirmngr ‘/usr/bin/dirmngr’: No such file or directory,” you have to install
dirmngr as well.
On Debian, Ubuntu or Debian-based distros, run:
sudo apt install gnupg dirmngr
sudo yum install gnupg dirmngr
and on Fedora:
sudo dnf install gnupg dirmngr
You can follow the example below to test how you would verify a Debian 9.8.0 installer ISO.
Download “SHA256SUMS,” “SHA256SUMS.sign,” and “debian-9.8.0-amd64-netinst.iso.” You may have to right-click on the first two files and select “Save link as” or the equivalent, in your web browser. Otherwise, clicking on them may just display their contents instead of automatically downloading.
Open a terminal emulator and change to the directory where your downloads are located.
Wait for the ISO download to finish. Next, verify the SHA256 checksums.
sha256sum -c SHA256SUMS
You will see the name of the file followed by an “OK” message when the checksum is good. To verify other types of checksums, you have the following commands:
md5sum. But it’s recommended you use at least a SHA256 sum, or above, if it’s available.
Some sites don’t offer files like SHA256SUMS, where file names and checksums are grouped together for easy verification. If they just display the sum on their site, then verify the hash of the file with a command like:
Using GPG to Verify Signed Checksums
In this example the Debian team signed the “SHA256SUMS” file with their private key and saved it in the “SHA256SUMS.sign” file. Verify the signature with:
gpg --verify SHA256SUMS.sign SHA256SUMS
You will get this message:
gpg: Signature made Sun 17 Feb 2019 05:10:29 PM EET gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Can't check signature: No public key
This means you don’t have the public key on your computer, which is normal. You have to import it from a keyserver.
gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
If a keyserver is down, you can use an alternate one. For example, you could replace
But how do you know this key is legitimate? Unfortunately, to be absolutely certain, you would need to build something called web of trust. Obviously, you don’t have it at this point. But there are a couple of things you can do.
Google the key’s fingerprint (DF9B9C49EAA9298432589D76DA87E80D6294BE9B). If you don’t find anything, try to Google only the last eight characters (6294BE9B). A legitimate key will be mentioned on many websites regarding similar software. Furthermore, posts will usually span across years since a safely-guarded key will be used for a long time.
If you’re really paranoid, download a BitTorrent image and then verify the checksum and signatures. The way that torrents work, it’s impossible to replace the files uploaded by hundreds of different users. Furthermore, BitTorrent also has mechanisms of its own to verify the integrity of every chunk of data it downloads.
Now that you have the public key, you can finally verify the signature:
gpg --verify SHA256SUMS.sign SHA256SUMS
If you see “Good signature,” it means everything checks out. Don’t worry about the warning –it’s normal because, as mentioned, you have no established web of trust to the public key.
As you may already know, nothing is certain on the Internet. But it’s certainly safer to take precautionary measures, and verifying digital signatures of the files you download can help you avoid malicious software. Many times when users have downloaded backdoored operating systems, or Bitcoin wallet software, they could have avoided the trouble if they checked the signatures, as those haven’t been tampered with.
Our latest tutorials delivered straight to your inbox