Greetings:
There are many sites which offer signature files or .sig files which can be used to verify the file downloaded. I wanted to know how this works.
Hi
Let me explain the issue based on an example. You will need
a "public-key" program, for example gnupg[1].
integrity
You often find SHA1[2] or MD5[3] checksums of files on webpages, as
for example on the download page[4]
Code:
db573a6c3707f65797b569efda7e0905c4c4469c gnupg-w32cli-1.4.1.exe
After you have downloaded that specific file, you can create a sha1-sum
using
Code:
> sha1sum gnupg-w32cli-1.4.1.exe
If you get the same hash, you can be sure that the integrity of the
file is given. However, can you trust that sha1-hash given on the
webpage? For example, it might be possible that someone launched
a man-in-the-middle attack and changed the file as well as the sha1-hash.
authenticity
To make sure that the file and hash really come from the gnupg.org people,
they signed the file. The signature file for gnupg-w32cli-1.4.1.exe also
is available on the webpage.
How does that work:
The gnupg.org people encrypted the sha1-hash using their private key.
It is possible to decrypt the ciphertext using the public key of the
gnupg.org people. If the ciphertext can be decrypted, you have authenticated
its origin, because the private key is supposed to be known to the gnupg.org
people only. If you already have installed another gnupg-program, you can verify
the signature using[5]
Code:
> gpg --verify gnupg-w32cli-1.4.1.exe.sig
See the readme.txt file in the gnupg package for detailed instructions on how
to import the key of gnupg.org (Werner Koch (gnupg sig) <[email protected]>)[6]
and to verify it.
Digital signing thus allows for integrity, authenticity and nonrepudiation!
Cheers.
[1] http://www.gnupg.org/
[2] http://www.handyarchive.com/free/sha1/
[3] http://www.handyarchive.com/free/md5
[4] http://www.gnupg.org/(en)/download/index.html
[5] http://www.gnupg.org/(en)/download/integrity_check.html
[6] http://www.gnupg.org/(en)/signature_key.html
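A worked example of the checksum step from the answer above, added here as an illustration (it is not code from the post or from the GnuPG project). It computes a file's SHA-1 the way sha1sum does, parses a published sha1sum-style line, compares the digests in constant time, and then walks through the three cases the post describes: an untouched download passes, a file altered behind a genuine checksum fails, and a file whose checksum line was replaced along with it passes again, which is why the gpg signature step is needed. The file name and contents are constructed for the example; it uses only the Python standard library.

```python
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path):
    """Return the SHA-1 hex digest of a file, hashing in chunks so large downloads fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one line in the format sha1sum prints: '<hexdigest>  <filename>'.
    A leading '*' on the filename (binary mode on some platforms) is dropped."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    if name.startswith("*"):
        name = name[1:]
    return digest.lower(), name


def verify_checksum(path, checksum_line):
    """True if the published line names this file and its digest matches.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    expected, name = parse_checksum_line(checksum_line)
    if os.path.basename(path) != name:
        return False
    return hmac.compare_digest(sha1_of_file(path), expected)


def publish_checksum_line(path):
    """What the download page operator (or whoever controls the page) would post."""
    return "%s  %s" % (sha1_of_file(path), os.path.basename(path))


def demo():
    """Walk through the three cases from the post; returns the verification results."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed file name and contents; this is not the real installer.
        path = os.path.join(d, "gnupg-w32cli-1.4.1.exe")
        with open(path, "wb") as f:
            f.write(b"constructed download contents\n")
        genuine_line = publish_checksum_line(path)

        # 1. Untouched download against the genuine checksum line: passes.
        results["genuine"] = verify_checksum(path, genuine_line)

        # 2. File altered but the published checksum left alone: the integrity check catches it.
        with open(path, "ab") as f:
            f.write(b"constructed trailer\n")
        results["tampered_file"] = verify_checksum(path, genuine_line)

        # 3. Both file and checksum line replaced (the man-in-the-middle case in the post):
        #    the check passes, so a checksum alone proves integrity but not who produced
        #    the file. That is what verifying the .sig with gpg adds.
        results["tampered_both"] = verify_checksum(path, publish_checksum_line(path))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-15s %s" % (case, "OK" if ok else "MISMATCH"))
```

Running it prints OK, MISMATCH, OK for the three cases. The filename check mirrors sha1sum -c, which only verifies the file named on the line; the constant-time comparison is a habit worth keeping even where the digest is public.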
You might find this useful also
http://www.slavasoft.com/hashcalc/