Verifying downloads is something that should be ingrained into every computer user. Unfortunately, the process is very complicated and very few services make this easy for people. It’s intimidating to be told to use the terminal, especially if you are on Windows or Mac.

Paid Signatures

What’s more, why bother when a lot of the programs you use are probably verified already? Windows and macOS have a built-in mechanism to identify whether or not a program was created by the manufacturer that claimed to make it. If you use Snaps or Flatpaks on Linux, both implement a checkmark system to show the developer was verified by the Snapcraft and Flathub developers.

Signed applications are necessary to ensure the file wasn’t tampered with on the way from the developer to your computer. If you use a package manager like Winget, Homebrew, or the one in your Linux distribution, this process is also automatic. That said, the vast majority of packages on Linux are not verified by their original developers: even within the average distribution repository, most packages are not officially sanctioned by the upstream project. This doesn’t mean an application is malware, but it can often introduce more problems.

The problem is signing systems like Apple’s notarization process or Microsoft certificates are costly for developers, requiring at least a couple hundred dollars up front just so the program you made won’t get blocked by the default antivirus.

An unsigned application isn’t necessarily malware, but it makes it all the more important to pay attention to where you got the program in the first place.

Bypassing Signature Checks on macOS

Like Microsoft, Apple has a robust verification system. Unlike Microsoft, Apple is more proactive at blocking unverified downloads. When you open an application for the first time, macOS will ask whether you really want to open it.

If you need to open an unsigned application (e.g. LibreOffice, Alacritty, etc): navigate to /Applications and Ctrl + Click the application you want to open. Then select “Open.”

If you are on macOS Sequoia or higher, you will need to go to the Settings, “Privacy & Security” and manually allow an unsigned app.

Manual Verification

Naturally, people aren’t accustomed to verifying their downloads.

A couple years ago, Linux Mint was hacked and the ISO was modified to mine cryptocurrency off the unlucky souls who downloaded it. Thankfully, Mint’s team shut down the attack very quickly, but it goes to show how important it is to verify your downloads.

The attack could easily have been prevented if users had verified their downloads. Unfortunately, verifying downloads is something that doesn’t get enough attention. The Linux Mint hacker, Peace, made the bold but accurate claim:

Who the f**k checks those anyway?

Peace, to ZDNET’s Zack Whittaker February 21, 2016

We’re going to have to go and prove him wrong. It’s not going to be easy and maybe this is something that we need to start developing.

GPG Signatures

One of the most popular ways files are verified is with PGP signatures. Pretty Good Privacy (PGP) keys are used to check that a file really was signed by its developer, usually relying on a central key server to distribute the developer’s key. Some projects also require verifying additional files.

Encryption was originally available only to the government in the 1970s, and PGP was developed to make file and text encryption accessible to average people. Almost 40 years later, PGP is still very unfriendly and far too complicated to use. Encrypted messaging apps automate message verification and security, so they fill this void better. Despite its shortcomings, many open source projects and packaging utilities rely on PGP, because nobody has been able to break it.

PGP is typically handled with a command line application called GNU Privacy Guard (gnupg). There are also various graphical front-ends.

Of course, like most GNU applications, using gnupg or any of its frontends is not particularly straightforward.

Verifying GPG Signatures

I will be using the instructions for Kleopatra and Gpg4win. The instructions are similar for GPG Suite.

First, download the files you wish to verify. This will be your desired file and a signature file with the extension .sig or .asc.

Typically, these files have similar names. If you download openSUSE Tumbleweed’s ISO and verify the checksums, the files we need here are the signature file openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc and the file we want to verify, openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.

Make note of the folder where the files you downloaded are (e.g. Downloads).

  1. In your GPG program, navigate to “Decrypt/Verify.”
  2. Select the signature file first, then the file that needs to be verified.
  3. If you are told the certificate is unavailable, select “Search” to download the key from a known key server. Otherwise, skip to #6.
  4. Once the key server has found the certificate, click on it and select “Import.”
  5. Accept the next dialogue once the certificate has been imported.
  6. Repeat the process of “Decrypt/Verify” and select the files again.
  7. Select “Show Audit Log.” If you see “Good signature from…,” the file has been verified as the authentic file.

You may also see a warning that the key is not certified with a trusted signature. That warning is about trust in the key’s owner (you haven’t certified the key yourself), not about whether the signature matched, so it can be ignored for this purpose. It often confuses people who only want to verify a file and aren’t encrypting anything themselves.

Since PGP keys aren’t designed for humans, you need to move them electronically. But of course humans still need to verify the authenticity of received keys, as accepting an attacker-provided public key can be catastrophic.

PGP addresses this with a hodgepodge of key servers and public key fingerprints. These components respectively provide (untrustworthy) data transfer and a short token that human beings can manually verify. While in theory this is sound, in practice it adds complexity, which is always the enemy of security.

Now you may think this is purely academic. It’s not. It can bite you in the ass.

What’s the matter with PGP? - Matthew D. Green, Johns Hopkins University

Command-Line

gnupg can also be used from a terminal to verify signatures. As a GNU utility, it’s best used on Linux, on macOS through Homebrew, or in the Windows Subsystem for Linux. It’s also preinstalled in many Linux distributions.

First, run gpg --verify with the signature file first, then the downloaded file.

gpg --verify openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256

If the certificate is not yet in your keyring, you need to import it. gpg will print something similar to this:

gpg: Signature made Tue 06 Aug 2024 09:04:47 AM EDT
gpg:                using RSA key 35A2F86E29B700A4
gpg: Can't check signature: No public key

Next, import the certificate from a key server using the key ID, which is the string of letters and numbers printed after the key type. In this example, openSUSE uses an RSA key and the key ID is 35A2F86E29B700A4.

gpg --recv-keys 35A2F86E29B700A4

You should get output informing you whether the key was imported into your keyring. Rerun the gpg --verify command from earlier. If you see “Good signature from…,” the file has been verified as the authentic file.
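As an added example (not code from the original post or from GnuPG), here is how a script can check a gpg verification result without scraping the human-readable text: gpg’s --status-fd option prints machine-readable “[GNUPG:] …” lines, and the script accepts a file only when gpg reports a good signature and the signing key’s fingerprint matches one pinned from the project’s own website. The pinned fingerprint, the key IDs and the sample status lines are constructed placeholders, not openSUSE’s real values; verify_with_gpg assumes gpg is installed and the key has already been imported.

```python
"""Machine-readable gpg verification with a pinned fingerprint.

Added example, not code from the original post or from GnuPG. It parses the
'[GNUPG:] ...' lines that `gpg --status-fd 1 --verify` prints and assumes gpg
is installed and the signing key was already imported (gpg --recv-keys).
"""
import subprocess

# The fingerprint the project publishes out of band (its HTTPS website, docs).
# CONSTRUCTED placeholder; it is not openSUSE's real fingerprint.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Status keywords after which the signature must not be accepted.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_output):
    """Reduce gpg's status lines to a small verdict dictionary."""
    verdict = {"good": False, "key_id": None, "signing_fpr": None,
               "primary_fpr": None, "trust": None, "error": None}
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # anything else is human-readable chatter, not status
        keyword = fields[1]
        if keyword == "GOODSIG":
            verdict["good"] = True
            verdict["key_id"] = fields[2]  # long key ID, as in "using RSA key ..."
        elif keyword == "VALIDSIG":
            # Field 2 is the signing (sub)key fingerprint; when gpg prints all
            # twelve fields, the last one is the primary key fingerprint.
            verdict["signing_fpr"] = fields[2].upper()
            verdict["primary_fpr"] = (fields[11] if len(fields) >= 12 else fields[2]).upper()
        elif keyword.startswith("TRUST_"):
            # TRUST_UNDEFINED is the "key is not certified" warning: it says you
            # have not certified the key yourself, not that the signature failed.
            verdict["trust"] = keyword
        elif keyword in FATAL_KEYWORDS:
            verdict["good"] = False
            verdict["error"] = keyword
    return verdict


def decide(verdict, pinned=PINNED_FINGERPRINT):
    """Accept only a GOODSIG made by the key whose fingerprint we pinned."""
    pinned = pinned.replace(" ", "").upper()
    if not verdict["good"]:
        return False, verdict["error"] or "no good signature"
    if verdict["signing_fpr"] is None:
        return False, "no VALIDSIG line"
    if pinned not in (verdict["signing_fpr"], verdict["primary_fpr"]):
        return False, "signed by unexpected key " + verdict["signing_fpr"]
    return True, "good signature from pinned key"


def verify_with_gpg(sig_path, data_path, pinned=PINNED_FINGERPRINT):
    """Run gpg itself (requires gpg on PATH) and apply decide() to its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return decide(parse_status(proc.stdout), pinned)


# Constructed status output: what a successful verification looks like.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signing Key <signing@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-08-06 1722949487 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the "Can't check signature: No public key" case from the post.
SAMPLE_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 35A2F86E29B700A4 1 8 00 1722949487 9 -
[GNUPG:] NO_PUBKEY 35A2F86E29B700A4
"""

# Constructed: a valid signature, but from a key nobody pinned.
SAMPLE_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else <else@example.org>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210 2024-08-06 1722949487 0 4 0 1 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9876543210
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("no key", SAMPLE_NO_PUBKEY),
                         ("wrong key", SAMPLE_WRONG_KEY)]:
        print(name, decide(parse_status(sample)))
```

Pinning the fingerprint is what turns “Good signature from…” into “signed by the key I expected”: --recv-keys fetches whatever key matches the ID, so the fingerprint has to come from the project itself, and the TRUST_UNDEFINED line is the same “not certified” warning discussed above.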

Check Out Those Checksums!

Oftentimes, software makers will provide checksums, which are themselves often signed with GPG keys. This ensures the files you downloaded weren’t tampered with or corrupted in some way.

Checksums are alphanumeric representations of files or data—every file has one. There are many different hashing algorithms, and the tools for computing them differ between operating systems. The common algorithms are:

  • SHA1
  • SHA256
  • SHA512
  • MD5

On Linux, for example, there’s a nice GUI called Collision. There are also command-line options.

An alternative is uploading the file to VirusTotal, but this may be privacy invasive, as VirusTotal will receive a copy of your file.

At any point, if you need to navigate to a folder or type a file name, you can drag the folder or file into your terminal instead of typing it out.

GNU coreutils (Linux)

Linux has the most comprehensive and commonly used hash verification tools, provided by the GNU Project. The commands can also check files against a list of formatted checksums read from a file.

sha256sum openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso

Running the command will give an output that looks like this:

3b55f6f88c0a64f0e4e2abe19e106c40578ef60a9d97b5be149736e83154b0ce  /var/home/user/bin/mullvad-browser/Browser/Downloads/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso

If you have a .sha* file, you can verify the download with the -c option. Run it from the folder containing the download, since the checksum file refers to the ISO by name.

sha256sum -c openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240806-Media.iso.sha256

If you were not provided a .sha* file, compare the hashes manually: open the published checksum in a text editor or word processor alongside your output and check that they match exactly.

macOS/BSD: shasum and md5

On Mac, the process is slightly different from Linux, because macOS still ships BSD tooling. The GNU versions from above can be installed through Homebrew if you prefer the Linux commands.

Apple briefly discusses SHA checksums in its developer documentation. MD5 is deprecated because of its known weaknesses.

Open Terminal (or an alternative like iTerm2) and enter the desired commands.

shasum

For SHA checksums, use the shasum command. Below is an example for SHA256 sums.

shasum -a 256 subscribe.pkg

The output will look like this:

baaeeedffc7ef4a4f65ec8015699a5c95db91d131d253f1eb2ebc469557344c2 subscribe.pkg

md5

For MD5 checksums, use the md5 command.

md5 likethevideo.dmg

The output is very different from the Linux version, but it’s functionally the same.

MD5(likethevideo.dmg)= 20665acd5f59a8e22275c78e1490dcc7
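To show what sha256sum -c on Linux and the macOS md5 output above have in common, here is an added example (not from the post, coreutils or Apple) in Python: it parses both the GNU “<hex>  <name>” line format and the BSD “MD5 (name) = <hex>” format, hashes each listed file in chunks and reports OK, FAILED or MISSING per file, which is what sha256sum -c does for you. The sample ISO files and checksum lists it builds in a temporary directory are constructed for the demonstration.

```python
"""Verify downloads against a checksum file, as sha256sum -c does.

Added example, not from the post, coreutils or Apple. It understands the GNU
"<hex>  <name>" lines that sha256sum writes and the BSD "MD5 (name) = <hex>"
lines that macOS md5 prints; sample files are constructed in a temp directory.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# GNU coreutils line: hex digest, whitespace, optional '*' (binary mode), name.
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\s+\*?(?P<name>.+)$")
# BSD line as printed by macOS md5 or `shasum --tag`: "MD5 (name) = hex".
# The "MD5(likethevideo.dmg)= ..." spacing shown in the post is accepted too.
BSD_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9-]+)\s*\((?P<name>.+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)$")
# GNU lines do not name the algorithm; infer it from the digest length.
DIGEST_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_line(line):
    """Return (algorithm, expected_hex, filename), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = BSD_LINE.match(line)
    if m:
        algo = m.group("algo").lower().replace("-", "")
        if algo not in hashlib.algorithms_available:
            raise ValueError("unknown algorithm in checksum line: " + line)
        return algo, m.group("hex").lower(), m.group("name")
    m = GNU_LINE.match(line)
    if m:
        digest = m.group("hex").lower()
        algo = DIGEST_LEN_TO_ALGO.get(len(digest))
        if algo is None:
            raise ValueError("digest length matches no known algorithm: " + line)
        return algo, digest, m.group("name")
    raise ValueError("unrecognised checksum line: " + line)


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte ISOs need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(checksum_file):
    """Check every entry in a checksum file; names resolve relative to it."""
    checksum_file = Path(checksum_file)
    results = {}
    for line in checksum_file.read_text(encoding="utf-8").splitlines():
        parsed = parse_checksum_line(line)
        if parsed is None:
            continue
        algo, expected, name = parsed
        target = checksum_file.parent / name
        if not target.is_file():
            results[name] = "MISSING"
        elif file_digest(target, algo) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed sample: an intact ISO, a tampered copy and a missing file,
    listed once in GNU format and once in BSD format."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        intact = b"constructed ISO contents"
        (d / "good.iso").write_bytes(intact)
        (d / "tampered.iso").write_bytes(intact + b"\x00")  # one byte appended
        sha = hashlib.sha256(intact).hexdigest()
        md5 = hashlib.md5(intact).hexdigest()
        (d / "SHA256SUMS").write_text(
            f"{sha}  good.iso\n{sha}  tampered.iso\n{sha}  missing.iso\n")
        (d / "MD5SUMS.bsd").write_text(
            f"MD5 (good.iso) = {md5}\nMD5 (tampered.iso) = {md5}\n")
        return verify_checksums(d / "SHA256SUMS"), verify_checksums(d / "MD5SUMS.bsd")


if __name__ == "__main__":
    gnu_results, bsd_results = demo()
    print("GNU format:", gnu_results)
    print("BSD format:", bsd_results)
```

The comparison is exact and case-insensitive on the hex digits only, which is the same rule you apply when comparing by eye: a single differing character means the download is not the file the publisher hashed.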

Windows

Windows has a PowerShell cmdlet called Get-FileHash, which is a catch-all command for all the common hash algorithms.

Get-FileHash is always followed by the path to your file, then the algorithm you wish to use.

Get-FileHash C:\Users\user1\Downloads\Contoso8_1_ENT.iso -Algorithm SHA256

Windows supports all the common algorithms, such as SHA256 and MD5.

Did It Work?

Regardless of operating system, if you used a checker like sha256sum -c and the file is verified, you should just get an “OK.” If you compared the hashes by hand, they must match exactly. Now your file is ready to use!

Now that you know, verify your downloads every time. You’ll keep yourself safe from the nasty things out there. All we need to do is pray for better tooling.
