How to verify the integrity of downloaded files?
Checking the hash of a downloaded file is an essential step that casual users often skip. A file that differs from what the publisher built may simply be corrupted, or it may have been replaced with a trojanised copy; a hash comparison catches both, provided the reference hash itself is genuine. Most software publishers list the checksum of each release on their website, and every major operating system ships a tool that computes it:
sha256sum filename                          (Linux)
certutil -hashfile filename SHA256          (Windows, cmd.exe)
shasum -a 256 filename                      (macOS)
Get-FileHash -Algorithm SHA256 filename     (Windows PowerShell)
There is a catch, however: the published hash can itself have been altered. Mozilla, for example, hosts the Firefox installers, one per platform and language, in the same release directory as the SHA256SUMS file that lists their hashes. Anyone who can tamper with that server, or sit between you and it, can replace an installer and update the listed hash to match, and the hash check would then pass against the attacker's file. So the hash list itself must be authenticated before it can be used to validate a download, and that requires one more step.
To illustrate this, let us walk through Mozilla's release archive. A quick web search for the Firefox release directory leads to a listing such as the following, which holds every installer for that version together with its checksum list:
https://ftp.mozilla.org/pub/firefox/releases/107.0.1/
How do we verify the integrity of our selected package in this case? In particular, how can we tell whether the posted hash values are genuine?
- First, download the file containing the list of hashes (SHA256SUMS in the Firefox directory). Right-click the link and choose 'Save As', or fetch it with curl or wget.
- Next, download the detached signature over that list (SHA256SUMS.asc) the same way. The directory also contains a file named KEY, which holds the public key the signature was made with.
- Lastly, verify the signature over the hash list with GnuPG (run as an ordinary user, not root):
$ gpg --verify SHA256SUMS.asc SHA256SUMS
For this to work, the Firefox release team's public key must already be in the local keyring. If it is not, gpg cannot check the signature and reports an error of the form "Can't check signature: No public key".
Before importing the key, check who it belongs to. Download the file linked as 'KEY' and display its fingerprint without importing it:
$ gpg --show-keys KEY
The fingerprint can then be looked up on an OpenPGP key server (this example uses https://keyserver.ubuntu.com/) to see the user ID and e-mail address attached to it. A key server is not an authority, though: anyone can upload a key carrying any name and e-mail address, so a match there only shows that the same key is known elsewhere. The fingerprint should also be compared against one obtained through a channel independent of the download server, for example the publisher's documentation or a copy of the key kept from an earlier, already trusted install.
Once the fingerprint matches, import the key and run the verification again:
$ gpg --import KEY
$ gpg --verify SHA256SUMS.asc SHA256SUMS
A successful run prints "Good signature from" followed by the key's user ID, together with the fingerprint of the signing key. gpg will also warn that the key is not certified with a trusted signature; that warning is expected, since the key has not been signed locally, and the fingerprint comparison above is what stands in for that trust.
Having established that the hash list is signed by the expected key, we can download the desired installer and compare its hash with the listed one. On Linux, sha256sum can do the comparison itself when the downloaded file sits at the relative path given in the list:
$ sha256sum -c --ignore-missing SHA256SUMS
Note that the same installer name appears once per language in the Firefox list, each with its own hash, so compare against the entry whose full path (platform and locale directory) matches the file you downloaded, not merely the file name.
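The procedure above as a script. This is an added example, not Mozilla's tooling or a script from the original article. It assumes the Firefox directory layout (SHA256SUMS, SHA256SUMS.asc, KEY in the current directory) and uses a placeholder fingerprint, EXPECTED_FPR, that must be replaced with one obtained through an independent channel; SAMPLE_SUMS and SAMPLE_STATUS are constructed test data, not Mozilla's real hashes or key. It makes explicit two points the manual steps leave implicit: it refuses a "Good signature" from any key other than the pinned one, by reading gpg's machine-readable --status-fd output instead of its prose, and it looks the download up by its full listed path, because the same installer name occurs under every locale directory with a different hash.

```python
import hashlib
import subprocess
import sys

# Placeholder fingerprint (hypothetical, not Mozilla's): replace it with the
# publisher's release-signing key fingerprint from an independent channel.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg status keywords after which the signature must not be trusted.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample data, not Mozilla's real list or key. The digests are
# SHA-256 of b"abc" and of b"", listed under two locale directories.
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  linux-x86_64/en-US/firefox-107.0.1.tar.bz2\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    "  linux-x86_64/de/firefox-107.0.1.tar.bz2\n"
)
# Constructed gpg --status-fd output: a signature by a subkey (first VALIDSIG
# field) of the pinned primary key (last VALIDSIG field).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>\n"
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2022-11-30 "
    "1669766400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def parse_sha256sums(text):
    """Parse '<hex>  <path>' (or '<hex> *<path>') lines into {path: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        digest, path = parts
        if path.startswith("*"):  # coreutils binary-mode marker
            path = path[1:]
        sums[path] = digest.lower()
    return sums


def sha256_of_file(path):
    """Stream the file through SHA-256 so a large installer need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(sums, listed_path, digest):
    """Compare a digest with the entry for the FULL listed path (the bare
    file name is ambiguous: every locale lists it with a different hash)."""
    if listed_path not in sums:
        raise KeyError(f"{listed_path} is not listed in SHA256SUMS")
    return digest.lower() == sums[listed_path]


def signature_ok(status_output, expected_fpr=EXPECTED_FPR):
    """Accept only a good signature from the pinned key, not from any key.

    VALIDSIG carries the signing key's fingerprint and, as its last field,
    its primary key's fingerprint; one of them must equal expected_fpr.
    """
    good = fpr_match = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in BAD_STATUS:
            return False
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            fprs = {fields[2].upper(), fields[-1].upper() if len(fields) >= 12 else ""}
            fpr_match = expected_fpr.upper() in fprs
    return good and fpr_match


def gpg_status(sig_path, data_path):
    """Run gpg --verify and return its machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: verify_download.py <path-as-listed> <local-file>")
    listed_path, local_path = argv[1], argv[2]
    if not signature_ok(gpg_status("SHA256SUMS.asc", "SHA256SUMS")):
        sys.exit("SHA256SUMS signature missing, bad, or not from the pinned key")
    with open("SHA256SUMS", encoding="utf-8") as f:
        sums = parse_sha256sums(f.read())
    if not digest_matches(sums, listed_path, sha256_of_file(local_path)):
        sys.exit(f"{local_path} does not match the signed hash for {listed_path}")
    print(f"OK: {local_path} matches the signed hash for {listed_path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from the directory that holds SHA256SUMS and SHA256SUMS.asc, for example `python3 verify_download.py linux-x86_64/en-US/firefox-107.0.1.tar.bz2 ./firefox-107.0.1.tar.bz2`. The signature check is deliberately done before the hash list is even parsed: an unsigned or wrongly signed list is not worth reading, and pinning the fingerprint means that a key an attacker managed to slip into the local keyring, or onto a key server under Mozilla's name, still fails the check.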
Conclusion
This article highlights the importance of verifying the list of hashes found on a publisher's website rather than trusting it blindly. A hash check only proves that the download matches the list; it is the signature over the list, made with a key whose fingerprint has been confirmed independently, that shows the list has not been altered by a threat actor. As we saw, this is possible whenever the publisher signs its hash list with a GPG key, as Mozilla does for Firefox.
Modern operating systems also verify digital signatures that publishers attach to the executables themselves. On Windows, a signed executable shows a Digital Signatures tab in its Properties dialog, and PowerShell's Get-AuthenticodeSignature reports the same information.
On macOS, Gatekeeper checks the code signature (and notarization) of downloaded applications before they are allowed to run, which helps ensure that only trusted software runs on the Mac.
On Linux, software installed through the distribution's package manager is signature-checked by that manager; for anything downloaded directly from a website, as in the Firefox example, carry out the complete verification described in this article.