Results 1 to 3 of 3

Thread: How to verify Signature of downloaded program.

  1. April 10th, 2005, 02:24 PM #1
    ByTeWrangler
    ByTeWrangler is offline
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    How to verify Signature of downloaded program.

    Greeting's :

    There are many site's which offer Signature files or .sig files which can be used to verify the file downloaded. I wanted to know how this work's.
    Reply With Quote Reply With Quote
  2. April 10th, 2005, 03:14 PM #2
    sec_ware
    sec_ware is offline
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Let me explain the issue based on an example. You will need
    a "public-key" program, for example gnupg[1].


    integrity


    You often find SHA1[2] or MD5[3] checksums of files on webpages, as
    for example on the download page[4]
    Code:
    db573a6c3707f65797b569efda7e0905c4c4469c  gnupg-w32cli-1.4.1.exe
    After you have downloaded that specific file, you can create a sha1-sum
    using

    Code:
    > sha1sum gnupg-w32cli-1.4.1.exe
    If you get the same hash, you can be sure that the integrity of the
    file is given. However, can you trust that sha1-hash given of the
    webpage? For example, it mightbe possible that someone launched
    a man-in-the-middle attack and changed the file as well as the sha1-hash.


    authenticity


    To make sure, that the file and hash really come from the gnupg.org people,
    they signed the file. The signature file for gnupg-w32cli-1.4.1.exe also
    is available on the webpage.

    How does that work:
    The gnupg.org people encrypted the sha1-hash using their private key.
    It is possible to decrypt the ciphertext using the public key of the
    gnupg.org people. If the ciphertext can be decrypted, you have authenticated
    its origin, because the private key is supposed to be known to the gnupg.org
    people only. If you already have installed another gnupg-program, you can verify
    the signature using[5]

    Code:
    > gpg --verify gnupg-w32cli-1.4.1.exe.sig
    See the readme.txt file in the gnupg package for detailed instructions how
    to import the key of gnupg.org (Werner Koch (gnupg sig) <[email protected]&gt[6]
    and to verify it.


    Digital signing thus allows for integrity, authenticity and nonrepudiation!

    Cheers.


    [1] http://www.gnupg.org/
    [2] http://www.handyarchive.com/free/sha1/
    [3] http://www.handyarchive.com/free/md5
    [4] http://www.gnupg.org/(en)/download/index.html
    [5] http://www.gnupg.org/(en)/download/integrity_check.html
    [6] http://www.gnupg.org/(en)/signature_key.html
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
    Reply With Quote Reply With Quote
  3. April 11th, 2005, 11:45 AM #3
    Aspman
    Aspman is offline
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    You might find this useful also

    http://www.slavasoft.com/hashcalc/
    Sheep Rustlin\' Taz Chairman
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules