Safeguarding your downloaded files and programs is essential to protect against malware and ensure their authenticity. Learn how to verify file signatures to confirm whether a file has been altered since it was signed.
You can rely on digital signatures to ensure the safety and integrity of software programs and updates. These cryptographic data blocks validate files’ origins, authenticity, and integrity.
This guide will help you through verifying file signatures in Linux and Windows, empowering you to download software with confidence. Let’s enhance your software downloads.
Ransomware attacks targeted 67% of organizations surveyed by Fortinet in 2023, with a disheartening 65% unable to recover their data fully.
Cybercriminals continue to employ cunning methods, exploiting user trust in reputable brands like Microsoft OneNote and Adobe Acrobat Sign. Their deceptive tactics involve sending malicious attachments to trick users into downloading and opening infected files.
Verifying a file’s digital signature is vital in protecting your devices and organization from the risks associated with downloading compromised code. So, how can you do it? Let’s break it down.
Don’t assume Linux is immune to malware infections. Elastic Security Labs’ latest report revealed that Linux endpoints were targeted in over 54% of malware infections in 2022.
Once regarded as a safe haven, Linux is now subject to rapidly changing threats. To counter cyber risks, more efforts are needed to verify a file’s checksum, ensuring file integrity. You should also check its digital signature.
Let’s consider an example where you want to install software, such as VeraCrypt, a multiplatform, open-source disk encryption tool that isn’t available in Linux repositories.
After downloading the Linux package from the official website, you must follow the steps to verify the file’s digital signature (VeraCrypt employs PGP and X.509 digital signatures).
While these steps apply to most signed software, some exceptional cases may involve variations. For instance, the public key or the PGP signature file might be stored elsewhere or included in a bundle.
By adhering to these procedures, you can ensure the integrity and authenticity of the files you download, mitigating the risks of malware and tampering. Stay vigilant against cybercriminals who exploit user trust, and prioritize protecting your data and systems in today’s ever-evolving digital landscape.
Checking a file’s digital signature can help safeguard your devices and organization from compromised code. Follow the steps below to verify digital signatures in Windows and Linux environments.
First confirm GnuPG is installed on your system, then download the publisher’s public key and import it into your local keyring, following these steps:
Step 1: Open a terminal window by pressing Ctrl+Alt+T.
Step 2: Type the following command and press Enter to check if GnuPG is already installed:
gpg --version
If the installed version of GnuPG is displayed, you can proceed to the next step. If you receive an error message such as “command not found,” it means GnuPG is not installed, and you need to install it for further verification.
Step 3: Install GnuPG by running the following commands in the terminal:
sudo apt-get update
sudo apt-get install gnupg
Enter your system password when prompted, and the installation process will begin. Follow any additional instructions provided by the package manager.
Step 4: Once GnuPG is installed, you can download the publisher’s public key. On the software download page, locate the publisher’s public key link. Right-click on the link and select “Copy” to copy the link to your clipboard.
Step 5: In the terminal, navigate to the directory where you want to download the public key. Use the “cd” command followed by the path to the desired folder.
Step 6: Type the following command in the terminal, replacing “link” with the actual link to the public key you copied:
wget link
Press Enter to execute the command, and the public key file will be downloaded to your current directory.
Step 7: To import the public key into your local keyring, navigate to the directory where you downloaded the key using the “cd” command.
Step 8: Type the following command in the terminal, replacing “filename” with the name of the downloaded public key file:
gpg --import filename
Press Enter to import the key into your local keyring.
Step 9: Verifying the downloaded public key’s fingerprint ensures its authenticity and integrity. Navigate to the directory where you downloaded the key using the “cd” command.
Step 10: Type the following command in the terminal to view the fingerprints of the keys in your local keyring:
gpg --fingerprint
Compare the fingerprint displayed with the one published on the website from which you downloaded the key. Make sure these match to ensure the key’s authenticity and integrity.
Now, continue with the steps below to download the Pretty Good Privacy (PGP) signature file and verify the installer’s signature:
Step 1: Locate the PGP signature file link related to the software you downloaded. Click on it and save it on your device. In this example, we’ll assume you’re downloading the PGP signature file for Ubuntu 20.
Step 2: Navigate to the folder where you saved the installer and the PGP signature file. For instance, if you saved them in the Download folder, open a terminal and navigate to that directory using the “cd” command.
Step 3: To verify the signature of the installer, use the following command in the terminal:
gpg --verify [installer].sig [installer]
QUICK NOTE: Replace ‘[installer].sig’ with the filename of the PGP signature file, and replace ‘[installer]’ with the filename of the installer file.
Step 4: If the command output displays “Good signature,” the file hasn’t been modified since it was signed, and you can install it confidently.
Step 5: In some cases, you may see a message like “WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner” after the “Good signature” message.
This informational message indicates that you must still sign VeraCrypt’s key to mark it as trusted. It means only that your keyring has not yet recorded the key as trusted; the fingerprint comparison in Step 10 above is what establishes that the key really belongs to the publisher. According to Ubuntu.com, this is not a cause for concern. VeraCrypt.eu states that you need to sign the imported key to avoid seeing an error message about the signing key being invalid.
Step 6: If you receive a “BAD signature” message when running the verification command, it indicates that the file does not match its signature, and you should proceed with caution.
These steps guarantee that the software you’re installing is original and hasn’t been modified by malicious actors.
Step 1: Open a terminal.
Step 2: Use the ‘gpg’ command to check the signature. The ‘gpg’ command is usually pre-installed in most Linux distributions. If you don’t have it, install it using the package manager specific to your distribution.
gpg --verify <file>.sig <file>
Replace ‘<file>.sig’ with the signature file and ‘<file>’ with the file you want to verify. Ensure the signature file is in the same directory as the file you want to check.
Step 3: The ‘gpg’ command will output the result of the verification. If the signature is valid and the file hasn’t been tampered with, you will see a “Good signature” message.
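The two checks this guide has you perform by eye, comparing the imported key’s fingerprint with the published one (Steps 9 and 10 of the key-import procedure) and reading the output of gpg --verify (Steps 3 to 6 above, and the short procedure just given), can be scripted. The following shell script is an added example and is not code from the original article or from the VeraCrypt or GnuPG projects. The fingerprints, key IDs and gpg output in it are constructed sample data, and EXPECTED_FPR stands for the value you would copy from the publisher’s download page. It uses gpg’s --status-fd and --with-colons options, which exist precisely so that scripts need not parse the human-readable text, and it also rejects a case the prose does not call out: a “Good signature” made by some key other than the publisher’s.

```shell
#!/bin/sh
# Added example, not code from the original article. Automates the two manual
# comparisons in the guide: (1) does the imported key's fingerprint match the
# one on the publisher's site, and (2) did gpg --verify succeed with THAT key.
# All fingerprints, key IDs and gpg output below are CONSTRUCTED sample data.

# Fingerprint as printed on the (hypothetical) download page.
EXPECTED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Strip the spaces gpg and websites insert for readability and upper-case the
# hex, so two renderings of the same fingerprint compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# keyring_has_fpr EXPECTED COLONS_OUTPUT
# Steps 9/10 scripted: COLONS_OUTPUT is what `gpg --with-colons --fingerprint`
# prints; field 10 of each "fpr:" record is a full fingerprint.
keyring_has_fpr() {
  want=$(normalize_fpr "$1")
  printf '%s\n' "$2" | grep '^fpr:' | cut -d: -f10 | grep -qx "$want"
}

# verify_status EXPECTED STATUS_OUTPUT
# STATUS_OUTPUT is what `gpg --status-fd 1 --verify file.sig file` prints.
# Accept only if a VALIDSIG record names EXPECTED (as signing or primary key
# fingerprint) and no BADSIG/ERRSIG/NO_PUBKEY record is present. The
# TRUST_UNDEFINED record (the "key is not certified" warning in the guide) is
# deliberately ignored: the fingerprint match is what establishes trust here.
verify_status() {
  want=$(normalize_fpr "$1")
  out=$2
  sig_fpr="" primary_fpr="" bad=0
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        bad=1 ;;
      "[GNUPG:] VALIDSIG "*)
        # Fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <res>
        #         <pubkey-algo> <hash-algo> <class> [<primary-fpr>]
        set -f; set -- $line; set +f   # -f: no globbing of "[GNUPG:]"
        sig_fpr=$3
        primary_fpr=${12:-$3} ;;
    esac
  done <<EOF
$out
EOF
  if [ "$bad" -ne 0 ]; then
    echo "REJECT: bad signature, or signing key not in keyring"; return 1
  fi
  if [ -z "$sig_fpr" ]; then
    echo "REJECT: gpg reported no valid signature"; return 1
  fi
  if [ "$sig_fpr" != "$want" ] && [ "$primary_fpr" != "$want" ]; then
    echo "REJECT: good signature, but from key $primary_fpr, not $want"; return 1
  fi
  echo "ACCEPT: signed by the expected key $primary_fpr"
}

# verify_file EXPECTED SIGFILE FILE
# The guide's `gpg --verify [installer].sig [installer]`, with the decision made
# by verify_status. Not run below because it needs real files and gpg.
verify_file() {
  verify_status "$1" "$(gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null)"
}

# --- constructed sample outputs --------------------------------------------
KEYRING_COLONS="pub:-:4096:1:89ABCDEF01234567:1704067200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1704067200::0000000000000000000000000000000000000000::Example Publisher <release@example.invalid>::::::::::0:"

GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Publisher <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp"

BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Publisher <release@example.invalid>"

# A valid signature, but from a different key than the publisher's, which is
# what you would see if a tampered download came with its own "public key".
WRONG_KEY_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Publisher <release@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp"

NO_KEY_STATUS="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1704067200 9 -
[GNUPG:] NO_PUBKEY 89ABCDEF01234567"

# Demo over the samples: each call prints ACCEPT or REJECT with the reason.
keyring_has_fpr "$EXPECTED_FPR" "$KEYRING_COLONS" && echo "keyring holds the publisher's key"
for sample in "$GOOD_STATUS" "$BAD_STATUS" "$WRONG_KEY_STATUS" "$NO_KEY_STATUS"; do
  verify_status "$EXPECTED_FPR" "$sample" || :
done
```

To check a real download, call verify_file with the published fingerprint, the .sig file and the installer. The script does not require you to sign the imported key: once the fingerprint has been matched against the publisher’s, the “not certified with a trusted signature” warning carries no further information for this purpose, so verify_status simply ignores the TRUST_UNDEFINED record.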
Checking the digital signature of a file in Windows 10 is a straightforward process. Let’s use File Explorer, a built-in feature that requires no additional software.
In this example, we’ll demonstrate how to verify the X.509 digital signature of the communication application Slack.
First, locate the installer file.
After downloading the installer file:
Once you’ve found the file:
To ensure the signature is valid:
Now that you understand how to check file signatures, it is essential to perform this verification every time you download new software.
Step 1: Download and install Gpg4win, which provides a Windows implementation of the GNU Privacy Guard (GnuPG) tool.
Step 2: Open File Explorer and navigate to the directory containing the signature and file you want to verify.
Step 3: Right-click on the signature file (usually with the ‘.sig’ or ‘.asc’ extension) and select “GpgEX” > “Verify” from the context menu.
Step 4: GpgEX will display a dialog box with the verification result. If the signature is valid, it will indicate that the file has not been tampered with.
These instructions assume a detached signature file (with a ‘.sig’ or ‘.asc’ extension) stored alongside the file you want to verify. The commands differ slightly if the signature is embedded within the file itself.