Use the GnuPG encrypted signature to verify the reliability and integrity of the downloaded file
After you download a file from the Internet (such as the installer, ISO image, or a compressed package), the file may be damaged under different circumstances, for example: due to line transmission errors, interrupted downloads, storage hardware errors, file system errors, and so on. In addition to these errors, files may be intentionally tampered with before or during download. For example, an attacker who has cracked the Certificate Authority can launch an MITM attack (man-in-the-middle attack) to trick you into downloading malware files from an HTTPS website.
To protect yourself from these problems, we recommend that you verify the reliability and integrity of the files downloaded from the Internet. Especially when you download a very sensitive file (such as operating system images, binary applications, executable installation packages, etc.), blindly believe that the downloaded file is not a good habit.
A quick and simple way to verify the integrity of downloaded files is to use different verification tools (such as md5sum, sha356sum, and cksum) to calculate and compare the verification code (such: MD5, SHA, CRC ). However, verification is vulnerable to collision attacks and cannot be used to verify the reliability of files (for example, owner ).
File encryption and decryption technology in Linux: GnuPG
If you want to verify the reliability (owner) and integrity (content) of the downloaded file at the same time, you need to rely on the encrypted signature. In this tutorial, I will describe how to use GnuPG (GNU Privacy Guard) to check file reliability and integrity.
In this example, I will verify a disk image downloaded from the https://onionshare.org. On this website, publishers provide their public keys and fingerprints for key verification.
As for the downloaded file, the publisher will also provide its related PGP signature.
Install GnuPG and generate a key pair
Let's first install GnuPG on your Linux system.
On Debian, Ubuntu, and other Debian extensions:
- $ Sudo apt-get install gnupg
On Fedora, CentOS, or RHEL:
- $ Sudo yum install gnupg
After the installation is complete, generate a key pair that will be used in this article.
- $ Gpg -- gen-key
During key pair generation, you will be asked to provide your name and email, as well as a password to protect your private key. You can also choose when the key pair expires (by default, it will not expire ). Depending on the size of the key you select (between 1024 and 4096 bits), key generation takes several minutes or more, and it requires collecting a large amount of random data from your desktop activity. (For example, keyboard input, mouse movement, disk access, etc., so you can freely move the mouse or keyboard at this time ).
Once the key is generated, the public key and private key are stored in ~ /. Gnupg directory.
For more details, please continue to read the highlights on the next page: