How to check the authenticity of Linux software with digital signatures
When you download software from the Internet, you must believe that the developer (s) program is not malicious. However, you also have to worry about hackers. There are many attackers who can hack a website and replace the software with a malicious version.
Think of a website hosting Bitcoin wallet utility. If an attacker seizes control and replaces the legal version with a malicious version, they can steal money from tens of thousands of users. Another valuable goal to attack is the operating system. This has happened with Linux Mint in the past.
So what can you do to remedy these situations?
Hash and signature
Developers with a sense of security will often pack files set up with checksums (software used to ensure the integrity of a file, after being transferred from another device) that you can Verification. Refer to the article: Check MD5 and SHA1 to check the integrity of the file for more details. However, the problem with these hash is that if a hacker replaces the files on a web page, he can easily replace the hash. This makes hash almost useless, especially if they are stored on the same server where the programs are located.
To make these checksum useful, many developers have added digital signatures to them with the help of public and private key pairs. Only the owner of this private key can create a signature and they can only be verified by the corresponding public key, published on the Internet. If the verification process is passed, you can be sure that the private key owner has 'signed' his software.
In order to bypass this security mechanism, hackers must steal private keys in some way, which is much harder to implement if the owner takes appropriate measures for security. And even if this key is stolen, the owner can disable it by revoking and notifying it. If this happens, when you download the public key and try to use it to verify the signature, you will be notified that the signature has been revoked.
How to verify the signature with GnuPG (GPG)
Gpg utilities are usually installed by default on all releases. If, for some reason, it is missing, you can install gpg with the commands below. On some distributions, if you get an error ' gpg: failed to start / usr / bin / dirmngr' dirmngr ': No such file or directory ', you need to install dirmngr too.
On distributions based on Debian, Ubuntu or Debian, run:
sudo apt install gnupg dirmngr
For RedHat / CentOS:
sudo yum install gnupg dirmngr
And on Fedora:
sudo dnf install gnupg dirmngr
You can follow the example below to check how you verify the ISO installer Debian 9.8.0.
Download SHA256SUMS, SHA256SUMS.sign, and debian-9.8.0-amd64-netinst.iso. You may have to right-click on the first two files and select 'Save link as' or the equivalent option, in the web browser. If not, clicking on these files may only display content instead of automatically downloading.
Open the terminal emulator and change the directory containing the downloads.
cd Downloads/
Check the checksum
Wait for the ISO download process to finish. Next, verify the SHA256 checksum.
sha256sum -c SHA256SUMS
You will see the name of the file followed by the message 'OK' if the checksum is fine. To verify other checksum types, you have the following commands: sha1sum, sha512sum, md5sum. But you should use at least one SHA256SUMS or more, if available.
Some websites do not provide files like SHA256SUMS, where file names and checksum are grouped together for easier verification. If the page only displays sum, verify the file's hash with a command like this:
sha256sum debian-9.8.0-amd64-netinst.iso
Use GPG to verify the signed checksum
In this example, the Debian team signed the SHA256SUMS file, with their private key and saved it in the SHA256SUMS.sign file. Confirm the signature with the command:
gpg --verify SHA256SUMS.sign SHA256SUMS
You will receive a message like this:
gpg: Signature made Sun 17 Feb 2019 05:10:29 PM EET gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Can't check signature: No public key
This means you do not have a public key on your computer. This is very normal. You must import it from a keyserver.
gpg --keyserver keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
If keyserver has a problem, you can use another keyerver instead. For example, you can replace keyring.debian.org with keyerver.ubfox.com.
But how do you know this key is legitimate? Unfortunately, to be absolutely certain, you'll need to build something called Web of Trust (WOT). Obviously, you don't have it at this point. But there are a few things you can do.
Search on the key's Google fingerprint (DF9B9C49EAA9298432589D76DA87E80D6294BE9B). If you don't find anything, try Google only the last eight characters (6294BE9B). A legitimate key will be mentioned on many websites related to similar software. Moreover, posts will usually last for many years because the safety-protected key will be used for a long time.
If you are not really sure, download the BitTorrent image and then verify the checksum and signature. With the way torrent works, it cannot replace files uploaded by hundreds of different users. Moreover, BitTorrent also has its own mechanisms for verifying the integrity of each data block it downloads.
Now you have a public key. Finally, you can also verify the signature:
gpg --verify SHA256SUMS.sign SHA256SUMS
If you see the 'Good signature' message, it means everything has been checked. Don't worry about alerts. That's normal because, as mentioned, you don't have any Web of Trust set for public key.
As you probably already know, nothing is certain on the Internet. But it is certainly safer to take preventive measures and verify the electronic signature of the files you download. These measures can help you avoid malware. Many times users have downloaded Bitcoin wallet or operating systems that are infected with malware, but they can avoid trouble if they check the signature.
Hope you are succesful.
You should read it
- 7 ways to run Linux software on Windows
- Safe steps to download software on Linux
- Why don't developers make more apps for Linux?
- Decode how the package manager works and software installation on Linux
- Top 7 best free antivirus software for Linux
- Is it possible to run .exe files on Linux?
- What's new in Linux Kernel 5.18?
- How to run Windows applications on Linux with Wine
- Gift for Linux users on Christmas, Spotify's desktop client software
- Best Linux monitoring tool & software
- 4 methods to copy Linux hard drive
- 14 interesting Linux commands in Terminal