pumpingiron22
Senior Member
Mar 2, 2014
HOW TO VERIFY YOUR DOWNLOADED FILES ARE AUTHENTIC
I just had a realization about something pretty important regarding security and wanted to share it with you: verifying your downloads.
As a general rule of thumb, you should always download files from the home pages of their respective developers.
TOR: https://www.torproject.org
Tails: https://www.tails.boum.org
Virtual Box: https://www.virtualbox.org/
The reason this is so important is that there are people who host maliciously modified versions of these programs on legitimate-looking sites to try to get you to download their version, which can install things like backdoors, keyloggers, and all types of nasty surprises on your computer. Sometimes developers offer mirrors for their projects, which are simply alternative links to download from in case the main server is too slow or down. Sometimes these mirrors become compromised without the developers' knowledge.
Maybe you do not have TOR or Tails on your laptop, you are traveling out of the country, and the hotel you are staying at has TOR's homepage blocked. There are times when you may need to find an alternative mirror to download certain things. Then of course there is the infamous man-in-the-middle attack, where an attacker injects malicious code into your network traffic and alters the file you are downloading. The TOR developers have even reported that attackers are capable of tricking your browser into thinking you are visiting the TOR home page when in fact you are not.
So what do you do about it? You can verify that the file you downloaded is in fact legitimate. The best tool for this is GnuPG. The TOR developers recommend you get it from the following page (Windows users):
http://www.gpg4win.org/download.html
You can install this program on your USB drive or on your actual computer; you will hear your actual computer's operating system referred to as your Host OS. So download it, run it, install it, and we will start showing you how to use GnuPG.
If you remain on the GnuPG download page, you will see something under the big green box called OpenPGP signature. Download that into the same folder as the GnuPG file; this is the file that the download was signed with, basically someone's signature saying "I made this file." You also need a PGP public key to verify the signature. So to sum it up so far: the signature is created with the PGP private key and can be verified with the PGP public key, and the signature file is used to verify the program itself. So let us grab the PGP public key for GnuPG as well.
If you look on the same download page, under the heading Installation, you will see a link that says verify the integrity of the file. It will lead you to the following page:
http://gpg4win.org/package-integrity.html
Note where it says the following statement: The signatures have been created with the following OpenPGP certificate Intevation File Distribution Key (Key ID: EC70B1B8). This is the link to the page that hosts the PGP public key file you need to download, so go there. On the page we just navigated to, go to the bottom right where it says Intevation-Distribution-Key (public OpenPGP key for signing files) and download that file. This is the PGP public key file; save it to the same place as your signature file for ease of use.
Okay, now that we have both the signature file and the PGP public key, let us verify our download. The first thing you need to do is navigate to the PGP public key file, called Intevation-Distribution-Key.asc, right click it, go to More GpgEX Options and down to Import Keys. This will import the PGP public key into your keyring, and now you can verify the file with the signature.
Right click the actual file you want to verify, in this case gpg4win-2.2.1.exe, go to More GpgEX Options and down to Verify. It should automatically detect the signature file where it says Input File, but if it does not, navigate to the signature file and make sure the box below it that says Input file is a detached signature is checked. Look at the bottom, click Decrypt/Verify, and you will likely get the following message:
Not enough information to check signature validity. Check details.
Believe it or not, this is completely fine. Click on show details; you are looking for a specific result:
Signed on 2013-10-07 08:31 by [email protected] (Key ID: 0xEC70B1B8). The validity of the signature cannot be verified.
If you navigate back to the Gpg4Win page that says Check Integrity, where you found the link to the page containing the PGP public key, you will see the following on that page:
Intevation File Distribution Key (Key ID: EC70B1B8)
Note the key ID from your decrypt result and the key ID from the Check Integrity page, and note that the email address ends in the same URL we downloaded the PGP public key from. We have a match! I will explain the reason for this warning message later.
Now that we have verified that our verification program is legit, let us try to verify our Tails ISO file, since if we have a compromised Tails OS, then nothing we do will be anonymous. Let us go right to the Tails download page:
https://tails.boum.org/download/index.en.html
Scroll down to where it says Tails 0.22 signature and download that to the Tails folder where you have the ISO file we already downloaded. Next scroll down to where it says Tails signing key; this is our PGP public key. Exact same procedure: import the key, then click Verify and specify the signature file if it has not already been specified for you, with the exact same settings, and you will get the same warning message. As explained by Tails
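The same check the post does by hand (import the key, verify the detached signature, compare the key ID against the developer's page) as a small script, so the decision is made in code rather than by eye; this is an added example, not code from the post or from Gpg4win, and it assumes the gpg command-line tool is installed with the key already imported. It pins the full 40-character fingerprint rather than the 8-character Key ID, and treats gpg's TRUST_UNDEFINED status (the "validity of the signature cannot be verified" warning above) as acceptable; the sample status output and the pinned fingerprint are constructed values, not the real Intevation key.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

# Pinned fingerprint: a CONSTRUCTED placeholder whose last 8 hex digits are the
# Key ID the post compares (EC70B1B8). Take the real 40-hex fingerprint from
# the developer's own site; an 8-digit Key ID alone is too easy to collide.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEFEC70B1B8"
# Status tags that mean the check failed, whatever else gpg printed.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
# CONSTRUCTED sample of what `gpg --status-fd 1 --verify` prints for the case
# the post describes: good signature, key imported but not certified by us.
SAMPLE_STATUS = """[GNUPG:] GOODSIG 89ABCDEFEC70B1B8 Intevation File Distribution Key <key@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFEC70B1B8 2013-10-07 1381134660 0 4 0 1 10 00
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str

def parse_gpg_status(status_text: str, pinned_fpr: str) -> VerifyResult:
    """Pass needs GOODSIG + VALIDSIG with a fingerprint equal to the pinned one.
    TRUST_UNDEFINED (the GUI's "validity cannot be verified") is tolerated: it
    only means we never certified the key in our own web of trust."""
    want = pinned_fpr.replace(" ", "").upper()
    good, fpr = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in FATAL:
            return VerifyResult(False, None, f"gpg reported {tag}")
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            fpr = fields[2].upper()  # full fingerprint of the signing key
    if not (good and fpr):
        return VerifyResult(False, fpr, "gpg did not report a good signature")
    if fpr != want:
        return VerifyResult(False, fpr, "good signature, but not from the pinned key")
    return VerifyResult(True, fpr, "good signature from the pinned key")

def verify_download(path: str, sig_path: str, pinned_fpr: str = PINNED_FPR) -> VerifyResult:
    """Check a detached signature; needs gpg on PATH and the key already imported."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, pinned_fpr)
```

Run it as verify_download("gpg4win-2.2.1.exe", "gpg4win-2.2.1.exe.sig") and act only on .ok; a signature from an unexpected key is rejected even when gpg itself reports it as good.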