April 10th, 2005, 02:24 PM
How to verify Signature of downloaded program.
There are many sites which offer signature files or .sig files which can be used to verify the file downloaded. I wanted to know how this works.
April 10th, 2005, 03:14 PM
Let me explain the issue based on an example. You will need
a "public-key" program, for example gnupg.
You often find SHA1 or MD5 checksums of files on webpages, as
for example on the download page
After you have downloaded that specific file, you can create a sha1-sum
> sha1sum gnupg-w32cli-1.4.1.exe
If you get the same hash, you can be sure that the integrity of the
file is given. However, can you trust that sha1-hash given on the
webpage? For example, it might be possible that someone launched
a man-in-the-middle attack and changed the file as well as the sha1-hash.
To make sure that the file and hash really come from the gnupg.org people,
they signed the file. The signature file for gnupg-w32cli-1.4.1.exe also
is available on the webpage.
How does that work:
The gnupg.org people encrypted the sha1-hash using their private key.
It is possible to decrypt the ciphertext using the public key of the
gnupg.org people. If the ciphertext can be decrypted, you have authenticated
its origin, because the private key is supposed to be known to the gnupg.org
people only. If you already have installed another gnupg-program, you can verify
the signature using
> gpg --verify gnupg-w32cli-1.4.1.exe.sig
See the readme.txt file in the gnupg package for detailed instructions how
to import the key of gnupg.org (Werner Koch (gnupg sig) <firstname.lastname@example.org>)
and to verify it.
Digital signing thus allows for integrity, authenticity and nonrepudiation!
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
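The mechanism described in the answer above (hash the file, "encrypt" the hash with the private key, check it with the public key), as an added, self-contained example that is not part of the original post or of the gnupg project. It uses a textbook RSA model generated in memory with Python's standard library only: no padding, small 512-bit keys, and a constructed sample "file", so it illustrates the principle rather than what gpg does internally (gpg uses standardized padding, far larger keys and a web of trust for the public key). The man-in-the-middle scenario is constructed as well: the attacker can replace both the download and the published checksum, so the checksum still "matches", but cannot produce a signature that verifies under the genuine public key.

```python
# Added example (not from the original post): toy model of signing a SHA-1
# hash with an RSA private key and verifying it with the public key.
# Textbook RSA without padding, for illustration only.
import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d)). Toy key size."""
    e = 65537
    while True:
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        if p == q:
            continue
        n = p * q
        phi = (p - 1) * (q - 1)
        if phi % e != 0:                          # e is prime, so gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)                           # modular inverse, Python 3.8+
    return (n, e), (n, d)


def sha1_digest(data: bytes) -> bytes:
    """What 'sha1sum file' prints, as raw bytes."""
    return hashlib.sha1(data).digest()


def sign(private_key, data: bytes) -> int:
    """'Encrypt' the SHA-1 hash with the private exponent: a detached signature."""
    n, d = private_key
    h = int.from_bytes(sha1_digest(data), "big")  # 160-bit hash < 512-bit n
    return pow(h, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recover the hash with the public exponent and compare to a fresh hash."""
    n, e = public_key
    recovered = pow(signature, e, n)
    expected = int.from_bytes(sha1_digest(data), "big")
    return recovered == expected


def mitm_scenario():
    """Constructed scenario: attacker swaps the download AND the published hash."""
    public_key, private_key = generate_keypair()      # the gnupg.org people's key
    original = b"gnupg-w32cli-1.4.1.exe contents (constructed sample)"
    signature = sign(private_key, original)           # the .sig file

    # Attacker replaces the file and publishes a matching checksum on the page...
    tampered = b"trojaned installer (constructed sample)"
    page_hash = sha1_digest(tampered).hex()           # attacker-controlled checksum
    checksum_matches = sha1_digest(tampered).hex() == page_hash

    # ...and even signs it with a key of their own, but not with the genuine one.
    _, attacker_private = generate_keypair()
    forged_signature = sign(attacker_private, tampered)

    return {
        "genuine_verifies": verify(public_key, original, signature),
        "tampered_checksum_matches_page": checksum_matches,
        "old_signature_on_tampered_file": verify(public_key, tampered, signature),
        "forged_signature_verifies": verify(public_key, tampered, forged_signature),
    }


if __name__ == "__main__":
    for name, result in mitm_scenario().items():
        print(f"{name}: {result}")
```

The checksum alone only catches accidental corruption: whoever can change the file on the page can change the hash next to it. The signature ties the hash to a private key the attacker does not hold, which is why `gpg --verify` is the check that matters, and why it only helps if the public key used for verification really is gnupg.org's (imported as the readme describes) rather than one served from the same possibly tampered page.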
April 11th, 2005, 11:45 AM