Posted 2021-02-23 with tags security, GnuPG, SHA256, software integrity, phishing

Downloaded software should be verified before it is extracted, installed, or run, to ensure the files have not been tampered with or swapped for something else (e.g. by a phishing site serving a lookalike download, or by a man-in-the-middle (MITM) on the connection).

The publisher should provide a hash of each file (computed with, for instance, SHA256) together with a cryptographic signature over it. A tampered binary produces a different hash, and the signature ties the hash to the publisher's key. A bare, unsigned hash sitting next to the download only protects against a corrupted transfer, since anyone who can replace the binary can replace the hash too.

Rough steps:

  • install verification software (e.g. GnuPG)
  • download the publisher's signing key, check its fingerprint against one published out of band, and import it
  • download the signature (and/or the signed hash list) for the binary
  • verify that the binary is authentic

We'll be using GnuPG (the gpg command), which is installed by default on most Linux distributions.

Verify and Import Signing Key

The publisher should provide the key used to sign the binary, which we'll need to download, verify, and import via GnuPG.

gpg --keyid-format long --with-fingerprint sergey-brin-jr-signing-key.asc

This should output the key's fingerprint (on GnuPG 2.2 and later the same listing is available via gpg --show-keys --with-fingerprint, without the "no command supplied" warning). Compare it character by character against the fingerprint the publisher has made available through a channel independent of the download itself (project website over HTTPS, documentation, a previous release you already trust). A fingerprint copied from the same server that served the binary proves nothing, because an attacker who replaced the binary could replace it too. Only import the key once they match:

gpg --import sergey-brin-jr-signing-key.asc

Verify GPG Signature and Checksums

Use the gpg --verify command to verify the signature of the downloaded file:

gpg --verify google-home-spy-1.29-setup.tar.bz2.sig google-home-spy-1.29-setup.tar.bz2

Look for "Good signature from" followed by the publisher's key identity, and check that the "Primary key fingerprint" gpg prints matches the fingerprint you verified above: a good signature from some other key in your keyring is not evidence of anything. The "WARNING: This key is not certified with a trusted signature!" line is expected unless you have signed the key yourself; the manual fingerprint check is what takes its place. "BAD signature" or "Can't check signature: No public key" means stop.

Publishers also commonly distribute a list of hashes (e.g. hashes.txt) with one signature over the list rather than a signature per file. In that case, first verify the signature on the hash list exactly as above (gpg --verify on hashes.txt and its signature, typically hashes.txt.sig), then compute the hash of the downloaded file locally and check that it matches the entry in the list. An unsigned hash list served from the same location as the download adds no protection against a compromised server, only against a truncated or corrupted transfer:

shasum -a 256 google-home-spy-1.29-Ubuntu-8.04.deb

This prints the checksum followed by the filename; compare the hex string with the entry for that filename in the hashes.txt provided by the publisher and make sure it matches exactly. On Linux, sha256sum -c hashes.txt --ignore-missing does the comparison for you and reports OK or FAILED for each listed file that is present.

If every step passed (fingerprint matched, good signature from the pinned key, checksum matched), the download is what the publisher signed and it is safe to install. If any step fails, re-download from the publisher's official site and try once more; if it still fails, treat the file as hostile and don't install it.
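The steps above put together as one script. This is an added example, not code from the original post: it assumes GnuPG 2.2 or later (for --show-keys), sha256sum or Perl's shasum, a pinned fingerprint obtained out of band (the PINNED_FPR placeholder below), and a publisher that ships hashes.txt with a detached hashes.txt.sig. The function names (verify_download, check_sha256, extract_valid_fpr, key_fingerprints, signing_fingerprint) are the example's own. It makes explicit the two checks the bare commands leave to the reader's eyes: the key file must contain the pinned fingerprint, and the signature must come from that key, which it reads from GnuPG's machine-readable VALIDSIG status record instead of trusting the exit code.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end verification of a
# download, pinning the publisher's key fingerprint so that a "good signature"
# from some *other* key in the keyring is rejected.
# Assumptions: GnuPG 2.2+ (for --show-keys), coreutils sha256sum or Perl shasum,
# and a publisher that ships hashes.txt with a detached hashes.txt.sig.
set -eu

# Fingerprint obtained out of band (publisher's website, docs, a business card),
# never from the same place the download came from. Placeholder value.
PINNED_FPR="0000000000000000000000000000000000000000"

# List the fingerprints contained in a key file without importing it.
# --with-colons gives machine-readable records; "fpr" records carry the
# fingerprint in field 10.
key_fingerprints() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Pull the signing key's fingerprint out of GnuPG status-fd lines.
# Record layout (GnuPG doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd> <pk-algo>
#            <hash-algo> <sig-class> [<primary-key-fpr>]
# When a subkey signed, the 12th field is the primary key's fingerprint, which
# is what publishers normally document; otherwise fall back to field 3.
# Prints nothing when there is no VALIDSIG record (bad or missing signature).
extract_valid_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Verify a detached signature and print the fingerprint of the key that made it.
# A zero exit from "gpg --verify" only says that *some* key in the keyring
# produced a good signature; the caller compares the fingerprint to PINNED_FPR.
signing_fingerprint() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | extract_valid_fpr
}

# Look up the file in hashes.txt ("<sha256hex>  <name>" or "<sha256hex> *<name>")
# and compare with a locally computed SHA-256. Only meaningful once hashes.txt
# itself has been verified against its signature.
check_sha256() {
    hashes="$1"; file="$2"
    expected=$(awk -v f="$(basename "$file")" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$hashes")
    [ -n "$expected" ] || { echo "no entry for $file in $hashes" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{ print $1 }')
    else
        actual=$(shasum -a 256 "$file" | awk '{ print $1 }')
    fi
    [ "$actual" = "$expected" ]
}

# verify_download <publisher-key.asc> <hashes.txt> <downloaded-file>
verify_download() {
    keyfile="$1"; hashes="$2"; file="$3"
    # 1. The downloaded key must carry the fingerprint we pinned.
    key_fingerprints "$keyfile" | grep -qx "$PINNED_FPR" \
        || { echo "key file does not contain pinned fingerprint $PINNED_FPR" >&2; return 1; }
    gpg --batch --import "$keyfile" >/dev/null 2>&1
    # 2. hashes.txt must be signed by that key, not merely by "a" key.
    fpr=$(signing_fingerprint "$hashes.sig" "$hashes")
    [ "$fpr" = "$PINNED_FPR" ] \
        || { echo "hashes file not signed by pinned key (got '${fpr:-none}')" >&2; return 1; }
    # 3. The download must match the signed hash.
    check_sha256 "$hashes" "$file" \
        || { echo "SHA-256 mismatch for $file: do not install" >&2; return 1; }
    echo "OK: $file verified"
}

# Usage: ./verify.sh sergey-brin-jr-signing-key.asc hashes.txt google-home-spy-1.29-Ubuntu-8.04.deb
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

The order matters: the fingerprint is checked before the key is imported, and the hash list is checked against the pinned key before any hash is compared, so a swapped key file, a signature from an unrelated key, or an edited hashes.txt each fail at the step that would otherwise have made the later steps look fine.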