Is this what I think it is?
When downloading a file from the internet, it’s always important to check that the file you’ve downloaded is the file you were actually intending to download. There are a number of reasons you’d want to check:
- To stop things like this from compromising your system
- To make sure you’re getting the file you intend to get - for example, if you’ve downloaded software from a website you can check it’s the latest version by comparing the relevant checksums
- It can even be used to check that a file has downloaded completely
In Linux there is a tool installed by default called GPG (GNU Privacy Guard) which lets us verify a file’s integrity using two things:
- The file
- The detached signature (filename.sig)
Once you have both of these it’s just a case of running the following command:
gpg --verify filename.sig filename
Initially this probably won’t work, and you’ll see a message like the one below telling you the signing key is unknown; more information about this can be found in the manual.
We’re going to be installing GPG4Win, so download the latest version for Windows (in this example it’s 2.3.3). Once it’s downloaded, open PowerShell by opening the Run dialog box (Win+R) and typing powershell.
Navigate to the Downloads folder (where you downloaded GPG4Win to) and enter the following command:
$(CertUtil -hashfile .\gpg4win-2.3.3.exe SHA1)[1] -replace " ",""
This will give you the SHA1 checksum of the file; verify that it matches the published one (1).
Once verified we can install it - be sure to tick the GPA box as this will make things easier later.
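The same checksum comparison done in a Linux shell, as an added example that is not part of the original post. It mirrors what the PowerShell `-replace " ",""` does: a value copied from a vendor’s page often contains spaces or upper-case hex, so it is normalised before comparing. The sample file and its "published" checksums are constructed here (they are the real SHA1 and SHA256 digests of the text `hello` followed by a newline).

```shell
#!/bin/sh
# Added example, not from the original post: checksum verification of a
# download in a POSIX shell, with the normalisation the CertUtil/-replace
# line performs on Windows. Sample file and checksums are constructed.
set -eu

# check_hash ALGO FILE EXPECTED
#   ALGO is sha1 or sha256; EXPECTED is the value as copied from the vendor.
#   Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
check_hash() {
    algo=$1; file=$2
    [ -r "$file" ] || return 2
    # Normalise: drop spaces (CertUtil groups bytes) and force lower case.
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'A-Z' 'a-z')
    actual=$("${algo}sum" "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

WORK=$(mktemp -d)
printf 'hello\n' > "$WORK/download.bin"
# Checksums as a vendor might publish them: spaced SHA1, upper-case SHA256.
PUBLISHED_SHA1='f5 72 d3 96 fa e9 20 66 28 71 4f b2 ce 00 f7 2e 94 f2 25 8f'
PUBLISHED_SHA256='5891B5B522D5DF086D0FF0B110FBD9D21BB4FC7163AF34D08286A2E846F6BE03'

if check_hash sha1   "$WORK/download.bin" "$PUBLISHED_SHA1" &&
   check_hash sha256 "$WORK/download.bin" "$PUBLISHED_SHA256"; then
    echo "checksums match"
fi

# A single changed byte in the download changes the whole digest.
printf 'hellO\n' > "$WORK/tampered.bin"
check_hash sha256 "$WORK/tampered.bin" "$PUBLISHED_SHA256" || echo "tampered file rejected"
```

A checksum only proves the bytes you have are the bytes the vendor published; if the download page itself is served over an insecure channel, an attacker who replaces the file can replace the checksum too, which is why the post moves on to signatures.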
Once the installation has finished, open GPA. We need to generate a key pair, or import one if we followed the earlier post about setting one up using Keybase. As that post mentions, you need to keep your private key VERY safe … don’t share it with anyone - not even your bestest friend in the world… my recommendation would be to put it on an encrypted USB drive somewhere safe.
But anyway, once you’ve imported a private key you should see something like this
So let’s go and verify something - how about VeraCrypt? Then we can create that encrypted USB drive later.
Download the latest VeraCrypt setup and its corresponding PGP signature.
Right click the exe file and you should see some GPG options - select verify.
But oh no! We get the same message we did when we tried to verify in Linux - that the key is unknown.
No worries though! We installed GPA so it’s really easy to add this.
Enter the Key ID, in this case 54DDD393.
You should then get a prompt saying the key has been imported, and it will show up in GPA.
Now that the key is imported we need to tell GPA that we trust it. We do this by signing it with our key: right click the imported key and go to Sign keys...
You will then be prompted for your key password. Once you enter that you’re good to go - go back to the exe file, right click and verify again, and you should see something like this:
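The whole sequence the post walks through (verify fails because the key is unknown, import the key, sign it, verify again), run end to end in throwaway keyrings so that it works offline. This is an added example, not the post’s or the GnuPG project’s own code: the publisher key, the release file, the `example.invalid` addresses and the file names are all constructed here. It also shows the distinction the GPA screenshots hide: `gpg --verify` exits 0 as soon as the signature is good, and only the `TRUST_*` line on the status channel reports whether you have actually trusted the key.

```shell
#!/bin/sh
# Added example, not from the original post: publisher signs, you verify with
# the key unknown, import it, certify it, verify again, and reject a modified
# download. Everything runs in temporary GNUPGHOMEs; all names are constructed.
set -eu

WORK=$(mktemp -d)
PUBLISHER="$WORK/publisher-keyring"   # stands in for the software author
ME="$WORK/my-keyring"                 # stands in for your own ~/.gnupg
mkdir -p "$PUBLISHER" "$ME"; chmod 700 "$PUBLISHER" "$ME"

# gen_key HOME UID: unprotected throwaway key, acceptable only for a demo.
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never
}

# verify_sig HOME SIG FILE: gpg's own verdict. Exit 0 = good signature,
# 1 = bad signature, 2 = cannot check (e.g. "No public key", the error the
# post hits first).
verify_sig() {
    GNUPGHOME="$1" gpg --batch --quiet --verify "$2" "$3" 2>/dev/null
}

# trust_level HOME SIG FILE: the TRUST_* status line. A good signature from
# a key you have not certified reports TRUST_UNDEFINED although --verify
# exits 0; after you sign the key it reports TRUST_FULLY.
trust_level() {
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# --- publisher side: sign the release and publish the public key ----------
gen_key "$PUBLISHER" "Demo Release Signer <release@example.invalid>"
printf 'release contents v1\n' > "$WORK/filename"
GNUPGHOME="$PUBLISHER" gpg --batch --quiet --detach-sign \
    --output "$WORK/filename.sig" "$WORK/filename"
GNUPGHOME="$PUBLISHER" gpg --batch --quiet --armor \
    --export release@example.invalid > "$WORK/publisher.asc"

# --- your side -------------------------------------------------------------
gen_key "$ME" "Me <me@example.invalid>"

# 1. Key unknown: gpg cannot check the signature (exit 2).
if verify_sig "$ME" "$WORK/filename.sig" "$WORK/filename"; then
    echo "unexpected: verified without the key"; exit 1
fi

# 2. Import the publisher's public key (the post fetches it by key ID).
GNUPGHOME="$ME" gpg --batch --quiet --import "$WORK/publisher.asc"
verify_sig "$ME" "$WORK/filename.sig" "$WORK/filename"               # exit 0 now ...
BEFORE=$(trust_level "$ME" "$WORK/filename.sig" "$WORK/filename")     # ... but TRUST_UNDEFINED

# 3. Certify the key with your own (the post's "Sign keys..." step). A local
#    signature is enough for your own checks and is never exported.
FPR=$(GNUPGHOME="$ME" gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }')
GNUPGHOME="$ME" gpg --batch --yes --quick-lsign-key "$FPR"
GNUPGHOME="$ME" gpg --batch --quiet --check-trustdb
AFTER=$(trust_level "$ME" "$WORK/filename.sig" "$WORK/filename")      # TRUST_FULLY

# 4. A modified download fails regardless of trust (exit 1, BAD signature).
printf 'release contents v1 plus one extra byte\n' > "$WORK/filename.tampered"
if verify_sig "$ME" "$WORK/filename.sig" "$WORK/filename.tampered"; then
    echo "unexpected: tampered file verified"; exit 1
fi

echo "trust before signing the key: $BEFORE, after: $AFTER"
for h in "$PUBLISHER" "$ME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
```

Note that step 3 certifies the key by its full fingerprint (the `fpr` field). When you do this for real, compare the fingerprint the tool shows you against one published by the project, not just the 8-character short ID you searched by; the short form is only a convenient lookup handle, and signing the key is the moment you are vouching that it really belongs to the publisher.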
A few caveats though:
- Don’t just sign keys; only sign a key if you trust it.
- Encryption might be illegal where you live, don’t break the law.
- This is only intended to be a guide to hopefully make file signature checking less intimidating.
I hope this has been useful,
Phyu