All downloaded software should be verified prior to extraction, installation, or use in order to ensure that files have not been tampered with (ex. due to phishing, man-in-the-middle (MITM), etc.).
The publisher of the software file(s) should provide a cryptographically signed hash (computed for instance using SHA256) accompanying the file download, and if the binary has been tampered with it will produce a different hash.
Rough steps:
- install verification software (Ex. GnuPG)
- download and import publisher's signing key
- download hash for binary
- verify binary is authentic
We'll be using GnuPG which is already present on linux installations.
Verify and Import Signing Key
The publisher should provide the key used to sign the binary, which we'll need to download, verify, and import via GnuPG.
wget https://google.com/sergey-brin-jr-signing-key.asc
gpg --keyid-format long --with-fingerprint sergey-brin-jr-signing-key.asc
This should ouput the downloaded key's fingerprint; verify it with the published fingerprint and ensure it matches.
gpg --import sergey-brin-jr-signing-key.asc
Verify GPG Signature and Checksums
Use the gpg --verify
command to verify the signature of the downloaded file:
gpg --verify google-home-spy-1.29-setup.tar.bz2.sig google-home-spy-1.29-setup.tar.bz2
Also we can compare the published hash of the file/binary we want to download to the locally computed hash of the download on our own filesystem. Make sure the checksum of the downloaded file matches the checksum provided by the publisher:
wget https://google.com/downloads/google-home-spy/hashes.txt
shasum -a 256 google-home-spy-1.29-Ubuntu-8.04.deb
This will spit out a checksum; compare it to the entry in hashes.txt
provided by the publisher to ensure it matches.
If all this worked, it's safe to install the software! Otherwise, try again or don't use the software.