Verifying downloads is something that should be ingrained into every computer user. Unfortunately, the process is very complicated and very few services make this easy for people. It’s intimidating to be told to use the terminal, especially if you are on Windows or Mac.
Paid Signatures
What’s more, why bother when a lot of the programs you use are probably verified already? Windows and macOS have a built-in mechanism to identify whether or not a program was created by the manufacturer that claimed to make it. If you use Snaps or Flatpaks on Linux, both implement a checkmark system to show the developer was verified by the Snapcraft and Flathub developers.
Signed applications are necessary to ensure the file wasn’t tampered with on the way from the developer to your computer. If you use a package manager like Winget, Homebrew, or the one in your Linux distribution, this process is also automatic. What’s more on Linux, the vast majority of packages on Linux are not verified. Even within the average distribution repository, most packages are not officially sanctioned by the original developers. This doesn’t mean a application is malware, but it can often introduce more problems.
The problem is signing systems like Apple’s notarization process or Microsoft certificates are costly for developers, requiring at least a couple hundred dollars up front just so the program you made won’t get blocked by the default antivirus.
- Apple’s crazy developer fees
- Microsoft’s explainer about certificates
- Microsoft’s list of code signing certificate providers
Unsigned applications don’t suggest they are malware, but it’s important to pay attention to where you got the program to begin with.
Bypassing Signature Checks on macOS
Like Microsoft, Apple has a robust verification system. Unlike Microsoft, Apple is more proactive at blocking unverified downloads. When you open an application for the first time, Apple will prompt you if you want to open the application.
If you need to open an unsigned
application
(e.g. LibreOffice, Alacritty, etc): navigate to /Applications and
Ctrl + Click the application you want to open. Then select “Open.”
If you are on macOS Sequoia or higher, you will need to go to the Settings, “Privacy & Security” and manually allow an unsigned app.
Manual Verification
Naturally, people aren’t accustomed to verifying their downloads.
A couple years ago, Linux Mint was hacked and the ISO was modified to mine cryptocurrency off the unlucky souls who downloaded it. Thankfully, Mint’s team shut down the attack very quickly, but it goes to show how important it is to verify your downloads.
The attack was easily prevented if users verified their downloads. Unfortunately, verifying downloads is something that doesn’t get enough attention. The hacker of the Linux Mint, Peace, made the bold, but accurate claim:
Who the f**k checks those anyway?
Peace, to ZDNET’s Zack Whittaker February 21, 2016
We’re going to have to go and prove him wrong. It’s not going to be easy and maybe this is something that we need to start developing.
GPG Signatures
One of the most popular ways files are verified is PGP keys. Pretty Good Privacy (PGP) keys are often necessary for verifying other files using a central server for trust. Some projects also require verifying additional files.
PGP was originally only available to the government in the 1970s and PGP was developed to make file and text encryption more accessible to average people. Almost 40 years later, PGP is very unfriendly and is far too complicated to use. Encrypted messaging apps automate this message verifiability and security process, so they fill this void better. Despite its shortcomings, many open source projects and packaging utilities rely on PGP, because nobody has been able to break it.
PGP is typically handled with a command line application called GNU Privacy Guard (gnupg). There are various graphical front-ends:
Of course, like most GNU applications, using gnupg or any of its frontends is not particularly straightforward.
Verifying GPG Signatures
I will be using the instructions for Kleopatra and Gpg4win. The instructions are similar for GPG Suite.
First, download the files you wish to verify. This will be your desired file and a signature file with the extension .sig or .asc.
Typically, these files are named something similar. If you download
openSUSE Tumbleweed’s ISO and verify the checksums, the files we need
here are the signature file
openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc and file we want
to verify openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.
Make note the folder where the files you downloaded are (e.g. Downloads).
- In your GPG program, navigate to “Decrypt/Verify.”
- Select the signature file first and the file that needs to be verified.
- If you are told the certificate is unavailable, select “Search” to download the key from a known key server. Otherwise, skip to #6.
- Once the key server has found the certificate, click on it and select “Import.”
- Accept the next dialogue once the certificate was imported.
- Repeat the process of “Decrypt/Verify” and select the files again.
- Select “Show Audit Log.” If you see “Good signature from…,” the file has been verified as the authentic file.
Ignore any warnings that tell you the signature cannot be verified. This often confuses people who are trying to verify files when they aren’t trying to encrypt files themselves.
Since PGP keys aren’t designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.
PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.
Now you may think this is purely academic. It’s not. It can bite you in the ass.
What’s the matter with PGP? - Matthew D. Green, Johns Hopkins University
Command-Line
gnupg can also be used from a terminal to verify keys. As a GNU utility, it’s best utilized on Linux, macOS through Homebrew, or Windows Subsystem for Linux. It’s also preinstalled in many Linux distributions.
First, verify your file using the signature file first, then the downloaded file.
gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256
If the certificate is not yet added, we need import it into our GPG keyring. You will get presented with a dialogue similar to this:
gpg: Signature made Tue 06 Aug 2024 09:04:47 AM EDT
gpg: using RSA key 35A2F86E29B700A4
gpg: Can't check signature: No public key
Next, import the certificate from a remote server. This is the blob of
letters and numbers after the key type. In this example, openSUSE uses
an RSA key and the key is 35A2F86E29B700A4.
gpg --recv-keys 35A2F86E29B700A4
You should get an output informing you if the signature was imported to
your keyring. Rerun the gpg --verify command from earlier. If you see
“Good signature from…,” the file has been verified as the authentic
file.
Check Out Those Checksums!
Often times, software makers will provide checksums, which are verified using GPG keys. This ensures the files you downloaded aren’t tampered with or corrupt in some way.
Checksums are alphanumeric representations of files or data—every file has one. There are many different algorithms to check files and it’s different for every operating system. For example on Linux, there’s a nice GUI called Collision. There are also command-line options.
An alternative is uploading the file to VirusTotal, but this may be privacy invasive as VirusTotal will receive a copy of your file.
At any point if you need to navigate to a folder or type a file name, you can drag the folder or file into your terminal instead of typing it out.
Popular Algorithms
- SHA1
- SHA256
- SHA512
- MD5
GNU coreutils (Linux)
Linux has the most comprehensive and commonly used hash verification tools by the GNU Project. The commands also have a built-in checker to formatted checksums from a file.
sha256sum openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso
Running the command will give an output that looks like this:
3b55f6f88c0a64f0e4e2abe19e106c40578ef60a9d97b5be149736e83154b0ce /var/home/user/bin/mullvad-browser/Browser/Downloads/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso
If you have a .sha* file, you can verify the file with the -c command.
sha256sum -c openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256
If you were not provided a .sha* file, you can manually verify by opening the file in a text editor or word processor, then manually comparing the hashes.
macOS/BSD: shasum and md5
On Mac, the process is slightly different than Linux, because macOS still maintains BSD tooling. The GNU version from above can be downloaded from Homebrew if you prefer the Linux commands.
Apple briefly discusses SHA checksums in their developer documentation. MD5 is deprecated due to its insecurities.
Open Terminal (or an alternative like iTerm2) and enter the desired commands.
shasum
For SHA checksums, use the shasum command. Below is an example for
SHA256 sums.
shasum -a 256 subscribe.pkg
The output will look like this:
baaeeedffc7ef4a4f65ec8015699a5c95db91d131d253f1eb2ebc469557344c2 subscribe.pkg
md5
For MD5 checksums, use the md5 command.
md5 likethevideo.dmg
The output is very different from the Linux version, but it’s functionally the same.
MD5(likethevideo.dmg)= 20665acd5f59a8e22275c78e1490dcc7
Windows
Windows has a PowerShell utility called Get-Filehash, which is a catch-all command for all signatures and algorithms.
Get-Filehash is always following by your file, then the algorithm you
wish to use.
Get-FileHash C:\Users\user1\Downloads\Contoso8_1_ENT.iso -Algorithm SHA256
All common algorithms are supported by Windows like SHA and MD5.
Did It Work?
Regardless of operating system, if the file is verified, you should just get an “OK.” Now your file is ready to use!
Now that you know, verify your downloads every time. You’ll keep yourself safe from the nasty things out there. All we need to do is pray for better tooling.
Resources
- Riseup’s tutorial on GPG key management. The guide is outdated, but the format of commands and best practices are still true.
- The Code Book: The Secret History of Codes and Code-breaking by Simon Singh. If you want to read specifically about key exchange, PGP, and quantum computing, it’s chapter 6 and onward.
- Damon Garn’s blog post for Red Hat “An introduction to hashing and checksums in Linux”
Track Listing
- Takashi Waraya (稿屋 隆) - With watching the donkey (ロバでも眺めながら)
- Yu-Gi-Oh! Power of Chaos: Kaiba the Revenge - Card List
- えだまめ88 - chocomint (チョコミント)
- Outro: Khaim - Neon Lamp