Every time you download a program from the Internet, you have to trust the developer that it isn’t malicious. There is no way around that, but it usually isn’t a problem, especially with well-known software and developers.
Websites that host software are a more likely target, however. Attackers can compromise a download site and replace a program with their own, malicious version. The replacement looks and works exactly like the original, except that it contains a backdoor. Through this backdoor, attackers can control various parts of your normal day-to-day computing: your computer is added to a botnet, or worse, the malware waits until you use your credit or debit card and steals its details. You should be especially careful when you download important software such as an operating system, a cryptocurrency wallet, or similar.
Digital Signatures Can Save the Day
Software authors can sign their products. Unless an attacker steals their private key, there is no known way to forge this signature. There have been numerous cases where thousands of users downloaded malicious programs, and in almost every one of them, had the users checked the digital signatures, they would have noticed that the signatures were invalid and avoided the problem. It is relatively easy to replace software on a vulnerable website, but incredibly hard to steal a private key that is properly stored and isolated from Internet access.
You can read much more about digital signatures here. This article discusses the same thing, except you’ll be using Windows utilities to validate downloads.
How to Use Gpg4win to Verify Digital Signatures
Go to this page and download and install Gpg4win. Smart people will ask themselves, “But how do I know that this download is legitimate?” It’s a good question: if this step were compromised, all the later steps would be useless.
Fortunately, the developer went to the trouble of having the software signed by a certificate authority, and details the steps to verify the installer on the website. Although similar cryptography is used to check validity, the overall method is different: digital certificates are used for this rather than the OpenPGP keys covered below.
Verify File Checksums
Let’s say you want to download the Bitcoin Core wallet. Download the x64 Windows executable (exe, not zip). Afterwards, click on “Verify release signatures” to download the “SHA256SUMS.asc” file. The first step is to verify the hash of the setup file. You can read more about hashes here.
Go to your downloads folder, and with Gpg4win installed, you can now right-click on a file, and a new context menu will appear. Right-click on the Bitcoin setup file (the exe you downloaded), and select “More GpgEX Options -> Create checksums,” like in the picture below.
Open both the generated “sha256sum.txt” and the “SHA256SUMS.asc” you downloaded, and compare the SHA256 checksum of the setup file with the entry for that file name in the list. They should be a perfect match.
Check Signature of File that Lists the Checksums
You just downloaded a setup file and a list of checksums from the same website, so if an attacker replaced the setup file, he could easily replace the list of checksums too. What he can’t do, however, is forge the signature on that list, which is validated with a known, legitimate public key. First, you need to download this key.
The following image is what a signature looks like.
This is an inline (clear-signed) signature, included in the same file it validates. Sometimes the signature is detached, i.e., shipped in a separate file. If you change just one letter in this text file, the signature becomes invalid. This is how you know that the developer approved and signed these exact contents, with the correct checksums.
Import Developer’s Public Key
The public keys are available for download under “Bitcoin Core Release Signing Keys” on Bitcoin’s download page. As a precaution, you can also download them from another source. If an attacker replaced the legitimate keys with his own, odds are you will find the correct keys (and fingerprints) in all the other places where they have been posted or discussed.
Right-click on “SHA256SUMS.asc” and select “Decrypt and Verify.” The program will tell you that you don’t yet have the public key. Click on “Search.”
The search may take a while. Note the string in the “Find” field.
You can copy this and paste it into Google to see whether this public key fingerprint has been discussed on legitimate forum threads, websites, etc. The more places you find it, the more certain you can be that it belongs to the intended owner.
Click on the key and then import it. You can click “No” in the next prompt (take measures to certify the key) if you don’t know how or don’t want to do this now.
Finally, click on “Show Audit Log.”
You should see the text that has been highlighted in the next picture, “Good signature.”
Try to change just one letter in “SHA256SUMS.asc,” and you will get what is depicted in the following image.
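The same two checks that the steps above perform in the Gpg4win GUI, as an added Python example that is not part of this article: it parses the signed checksum list, hashes a downloaded file and compares the result in constant time, and (assuming gpg.exe from Gpg4win is on the PATH) asks gpg for the fingerprint of the key behind a valid signature so you can pin it to the fingerprint you cross-checked. The installer name and bytes are constructed placeholders, and the signature block in the sample is a placeholder too.

```python
import hashlib, hmac, re, subprocess, tempfile
from pathlib import Path

# Signed body of a clear-signed file: after the BEGIN line and its "Hash:" headers
# (ended by one blank line), up to the PGP SIGNATURE block.
BODY_RE = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)"
                     r"-----BEGIN PGP SIGNATURE-----", re.S)
SUM_LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")  # one sha256sum output line

def parse_sha256sums(clearsigned_text: str) -> dict:
    """Map file name -> expected SHA256, taken only from the signed body of SHA256SUMS.asc."""
    body = BODY_RE.search(clearsigned_text.replace("\r\n", "\n"))
    sums = {}
    for line in body.group(1).splitlines() if body else []:
        m = SUM_LINE_RE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:                        # chunked: installers can be large
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def checksum_matches(path: Path, sums: dict) -> bool:
    expected = sums.get(path.name)                    # unlisted file: fail, not "unknown"
    return expected is not None and hmac.compare_digest(file_sha256(path), expected)

def signing_key_fingerprint(asc_path: Path):
    """Have gpg (shipped with Gpg4win) verify the clear-signed file and return the fingerprint
    from its VALIDSIG status line, or None. Compare it with the fingerprint you cross-checked
    elsewhere: gpg's exit code is 0 for a good signature even when the key is not trusted."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(asc_path)],
                          capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2]
    return None

# Constructed sample: the checksum line is generated from the sample bytes so the demo
# runs offline; the signature block is a placeholder, not a real signature.
INSTALLER_NAME = "bitcoin-example-setup.exe"         # placeholder file name
SAMPLE_BYTES = b"constructed sample installer bytes, not a real program\n"
SAMPLE_SUMS_ASC = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                   f"{hashlib.sha256(SAMPLE_BYTES).hexdigest()}  {INSTALLER_NAME}\n"
                   "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")

def run_demo() -> tuple:
    """Write the sample installer, check it, then change one byte and check again."""
    target = Path(tempfile.mkdtemp()) / INSTALLER_NAME
    sums = parse_sha256sums(SAMPLE_SUMS_ASC)
    target.write_bytes(SAMPLE_BYTES)
    intact_ok = checksum_matches(target, sums)
    target.write_bytes(SAMPLE_BYTES[:-2] + b"X\n")   # one changed byte
    return intact_ok, checksum_matches(target, sums)  # (True, False)
```

Run `signing_key_fingerprint(Path("SHA256SUMS.asc"))` against the real downloaded file only after importing the release key, and treat anything other than the fingerprint you verified as a failed check.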
Few developers give you a way to check that their software really comes from them, but programs that deal with sensitive data or are otherwise important usually offer this option. Use it; it might save you from trouble some day.