Is this what I think it is - using GPG to verify a file’s integrity

Is this what I think it is?

When downloading a file from the internet, it’s always important to check that the file you’ve downloaded is the file you were actually intending to download , there are a number of reasons you’d want check :

To stop things like this from compromising your system
To make sure you’re getting the file you intend to get - for example if you’ve downloaded software from a website you can check it’s the latest version by comparing the relevant checksums
It can even be used to check a file has completely downloaded

In Linux there is a tool installed by default called GPG or GNU Privacy Guard which allows us to verify a files integrity by using two things:

The file
The detached signature (filename.sig)

Once you have both of these it’s just a case of running the following command

gpg --verify filename.sig filename

Initially, this probably won’t work as you’ll see something like

linux message after verifying

more info can be found about this in the manual.

We’re going to be installing GPG4Win so download the latest version for windows in this example its 2.3.3 - once it’s downloaded open powershell by opening the run dialog box Win+r and typing powershell) navigate to the downloads folder (where you downloaded GPG4Win to and then enter the following command)

$(CertUtil -hashfile .\gpg4win-2.3.3.exe SHA1)[1] -replace " ",""

using certutil

This will give you the SHA1 check sum of the file verify that it matches(1)

checksum

Once verified we can install it - be sure to tick the GPA box as this will make things easier later

make sure GPA is enabled

Once the installation has finished open GPA - we need to generate a key pair or import one if we followed the earlier post about setting one up using Keybase - as that post mentions you need to keep your private key VERY safe … don’t share it with anyone - not even your bestest friend in the world… my recommendation would be to put it on an encrypted USB drive somewhere safe.

But any way once you’ve imported a private key you should see something like this

key manager

So lets go verify something - how about veracrypt then we can create that encrypted USB drive later

Download the latest Veracrypt setup and its corresponding PGP signature

download

right click the exe file and you should see some GPG options - select verify

verifying

But oh no! we get the same message we did when we tried to verify in Linux - that being that the key is unknown

unknown key

No worries though! we installed GPA so it’s really easy to add this

receiving

Enter the Key ID in this case 54DDD393 you should then get a prompt saying this key has been imported and it will show up in GPA

importing

Now that the key is imported we need to tell GPA that we trust it - we do this by signing it with our key right click the imported key and go to sign keys...

signing key

You will then be prompted for your key password once you enter that you’re good to go - go back to the exe file and right click and verify again you should see something like this:

signing key

A few caveats though:

Don’t just sign keys, only sign it if you trust it.
Encryption might be illegal where you live, don’t break the law.
This is only intended to be a guide to hopefully make file signature checking less intimidating.

I hope this has been useful,

Phyu

blog.phyubox.com

Phyushin's Blog!

Is this what I think it is?