Verifying Downloads with PGP Signatures

by Blake Edwards


Posted Thu Apr 11 2019 22:47:38 GMT+0000 (UTC)



Hi everyone, 
Thank you for reading through another Thought Catalyst post. I hope you enjoy reading and learning from this post as much as I  enjoyed creating it to be shared with you!

Introduction
Unless you are a very passionate or technical computer user, it is unlikely that you download and install new software on a daily basis. That is a sign of how heavily we rely on a select few applications. It is therefore important that the software we do download and use is legitimate, does not compromise our security, and does not leave us vulnerable to malicious actors.

Today we are going to discuss how to verify downloads made over the internet. This is an important tutorial because it will allow you to verify the integrity of files and software that you download, provided they are accompanied by a PGP signature.

Importance
It is important that you verify internet downloads made from websites that are not SSL secured, meaning that they are not HTTPS sites, because the communication your browser has with these sites is not encrypted and can be manipulated through a man-in-the-middle attack. When a browser's session with a website is not encrypted, all communication between your computer and the website travels in plain text. Any entity sitting between you and the website's server can therefore see and record everything exchanged between you and the server. This includes passwords, cookies, background information sent by embedded JavaScript, form data, and much more. Man-in-the-middle (MITM) attacks will be explored further in a later post. It is also simply good practice to verify your downloads with a PGP signature, because it is never clear whether the site you are downloading from has been compromised. For example, an attacker who compromises a site may replace the legitimate software that clients download from it in order to compromise the customers of the software distributor.

Limitations
Some of the limitations of verifying downloads with PGP signatures should also be noted. If a site or download has been compromised by an attacker, it is likely that the attacker will be smart enough to also replace the PGP signature used to verify the download so that it matches the malicious version on the site. However, if you can obtain the respective PGP signature for the download from an independent third party, you may be able to detect this type of attack.

What is PGP?
What is PGP, and what is a PGP signature? PGP stands for Pretty Good Privacy. In short, it lets you verify any file or download against a signature that is unique to that file and was made with the signer's private key. If the file or download is altered in any way, the signature will no longer match and the change will be detected. For more detail about PGP, check out this website: http://www.bitcoinnotbombs.com/beginners-guide-to-pgp/. PGP can also be used to encrypt communications and keep unwanted eyes from reading your conversations.

My Tech Stack
MacOS Mojave
Default Terminal Application
GPG Suite: https://gpgtools.org/

How to Verify The GPG Keychain Download (Straight from the GPG Site: https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-downloaded-gpg-suite)
    1. download the GPG Suite .dmg file and
    2. the gpg signature file from https://gpgtools.org
    3. click this link to display our public key in your browser. Press cmd + A to select all, then copy / paste that information into your GPG Keychain main window - that will import our public key.
    4. make sure that dmg and sig file both are located in the same folder
    5. right-click signature or dmg file and select Services > OpenPGP: Verify Signature of File
    6. When the GPG Keychain opens, the DMG should be signed by the GPGTools Team and show the GPGTools email address, team@gpgtools.org.

How to Verify Any Downloaded File (Straight from the GPG Site: https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-downloaded-gpg-suite)
    1. download the file you want to verify and
    2. the corresponding gpg signature file
    3. import the public key of the person you assume created the signature file into GPG Keychain
    4. Important: It is highly recommended to verify the fingerprint of that key with, e.g., the developer, to ensure you are using the correct public key (open GPG Keychain, double-click the public key and you'll find the fingerprint)
    5. make sure that both the signature file and the file you want to verify are located in the same folder
    6. right-click the signature or dmg file and select Services > OpenPGP: Verify Signature of File
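The same check, done from the Terminal rather than the Services menu, as an added example that is not code from the original post or from GPGTools. It reads gpg's machine-readable status lines and only accepts a signature whose primary key fingerprint matches one you pinned after confirming it with the developer (step 4), which is what catches the "attacker replaced the signature and the key" case from the Limitations section. It assumes gpg is on your PATH; the pinned fingerprint, key ids and status lines below are constructed placeholders.

```python
import subprocess

# Constructed placeholder: replace with the fingerprint you confirmed with the
# developer out of band (step 4 above). This is not GPGTools' real key.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

def gpg_status(sig_path: str, file_path: str) -> str:
    """Run gpg and return its machine-readable status lines (needs gpg installed)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True, check=False)
    return proc.stdout  # gpg exits non-zero on a bad signature; we read status instead

def parse_status(status_text: str) -> dict:
    """Reduce '[GNUPG:] ...' lines to the facts that decide a download's fate."""
    facts = {"good": False, "bad": False, "no_key": False, "primary_fpr": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":        # some imported key made this signature
            facts["good"] = True
        elif fields[1] == "BADSIG":       # file or signature was altered
            facts["bad"] = True
        elif fields[1] in ("NO_PUBKEY", "ERRSIG"):
            facts["no_key"] = True
        elif fields[1] == "VALIDSIG" and len(fields) >= 12:
            facts["primary_fpr"] = fields[11].upper()  # 12th field: primary key fpr
    return facts

def verdict(status_text: str, pinned: str = PINNED_FINGERPRINT) -> str:
    """ACCEPT only a good signature whose primary key matches the pinned one."""
    facts = parse_status(status_text)
    if facts["bad"]:
        return "REJECT: file or signature altered"
    if facts["no_key"] or not facts["good"]:
        return "REJECT: signature could not be verified (key not imported?)"
    if facts["primary_fpr"] != pinned.replace(" ", "").upper():
        return "REJECT: good signature, but not from the key you pinned"
    return "ACCEPT"

# Constructed sample status output with placeholder key ids.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-04-11 "
    "1555022858 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
# Same file, validly signed by a key the attacker controls: GOODSIG, but wrong key.
SAMPLE_IMPOSTOR = SAMPLE_GOOD.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                      "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
```

For a real download, feed `gpg_status("file.dmg.sig", "file.dmg")` to `verdict()`; a plain "Good signature" from gpg is not enough on its own, because it only means some key you imported made the signature.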

Please contact me if you have any problems verifying any of your downloads, and be aware that not every download is accompanied by a GPG signature or public key. In these cases a SHA256 checksum may be provided instead. Details regarding this form of download integrity verification can also be found on the GPG site here: https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-downloaded-gpg-suite
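Checking a download against a published SHA256 checksum, as an added example that is not from the original post or the GPG site. It parses the usual "digest  filename" checksum-file layout, hashes the file in chunks, and compares in constant time; the sample file and checksum line are constructed inside the code. Keep in mind that a checksum hosted on the same page as the download has the same limitation as a signature hosted there: it detects corruption and tampering in transit, not a compromised site.

```python
from __future__ import annotations
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_of_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a large .dmg never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksums(text: str) -> dict[str, str]:
    """Map filename -> lowercase digest from 'digest  name' lines (sha256sum format)."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank line
        digest, name = parts
        table[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode
    return table

def verify_download(path: Path, checksum_text: str) -> bool:
    """True only if the published digest for this filename matches the file."""
    expected = parse_checksums(checksum_text).get(path.name)
    if expected is None:
        return False  # no published checksum: treat as unverified, not as OK
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo() -> tuple[bool, bool]:
    """Constructed sample: an intact download, then the same file tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        download = Path(tmp) / "tool.dmg"
        download.write_bytes(b"constructed sample download\n")
        published = f"{sha256_of_file(download)}  tool.dmg\n"  # as a vendor would post it
        intact = verify_download(download, published)
        download.write_bytes(b"constructed sample download, tampered\n")
        tampered = verify_download(download, published)
    return intact, tampered
```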

My contact information can be found on my personal page under the contact menu option. Email is the best way to reach me and for me to get back to you in a timely manner! 

Thanks again for reading.

~ Blake Edwards