Do you ever see the checksums, CRCs, SHA, or PGP signatures presented to you when you’re downloading a file? Like this for example:
These are actually SUPER IMPORTANT!
What are those signatures?
They are, in a very simplistic explanation, answers to a math function whose input is every byte of the file you want to download. A checksum or hash (CRC, MD5, SHA-256 and friends) is just that answer: a short, fixed-length number. A PGP signature goes one step further: the author computes that hash and then signs it with a private key that only they hold, so the signature also tells you WHO published the file.
Why are they important?
They are used to prove to you that the file you’re downloading hasn’t been tampered with. HOW? you may ask. Because only the original file, with the original set of bytes in it, produces that answer. Change just ONE byte anywhere in the file, no matter how big the file is, and you get a completely DIFFERENT answer from the math function. Keep the difference between the two kinds in mind, though: a hash only proves that your copy matches whatever the publisher hashed; a PGP signature additionally proves that whoever holds the author’s private key is the one who signed it.
This is CRUCIALLY important for things like cryptocurrency wallets for cryptocurrencies like #BitCoin, #Ethereum, #LiteCoin, etc… Hackers frequently publish TAMPERED versions of wallet software and if you install and run the hacker’s version, they’re going to steal ALL OF YOUR CRYPTO! This has already happened many times. Websites are compromised and hacked versions are put on their websites.
This brings up another important concept of signatures vs. the files they’re supposedly coming from:
A published hash is absolutely USELESS if it’s on the SAME website as the download file. Why? Because if a hacker compromises the download site, they can replace the file AND rewrite the published hash to match, so you can’t trust anything on that site. Some projects therefore publish the hash on one website and host the file on another; for BOTH to be compromised by the same hacker, they’d have to break into BOTH sites, which is much more difficult. A PGP signature changes the picture: the signature can sit right next to the file (as Electrum’s does), because a hacker who takes over the site cannot produce a valid signature without the author’s private key. What the hacker CAN do is sign the tampered file with a key of their own and publish that key’s details on the hacked site. So with PGP, the thing you must obtain from somewhere independent is the author’s PUBLIC KEY (or at least its fingerprint), and that is exactly what the certification steps later in this article are about.
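To make the checksum side of this concrete, here is an added example (my own script, not from the article or from any project mentioned in it) that does what a publisher and a downloader do with a SHA-256 checksum: it creates a stand-in "installer" and a SHA256SUMS file (both constructed), checks the file, flips one byte and checks again, and finally shows why you must compare the WHOLE digest rather than glance at its first couple of characters. It uses the standard sha256sum tool from a POSIX shell; on Windows the equivalent one-liner is `certutil -hashfile <file> SHA256`, and comparing the printed digest with the published one is the same exercise.

```shell
#!/bin/sh
# Added example (not from the article): what a published SHA-256 checksum is and
# how the downloader checks it with the standard sha256sum tool. The "installer"
# and its SHA256SUMS file are constructed here so the script runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a downloaded installer (constructed sample bytes, not a real program).
printf 'constructed sample content standing in for electrum-x.y.z-setup.exe\n' > "$WORK/installer.exe"

# Print just the hex digest (sha256sum prints "digest  filename").
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Publisher side: a SHA256SUMS file in the format "digest, two spaces, filename"
# that sha256sum -c understands. Run inside the directory so the filename is bare.
make_sums() {
    ( cd "$1" && sha256sum "$2" > SHA256SUMS )
}

# Downloader side: recompute and compare. Prints "<file>: OK" or "<file>: FAILED";
# exit status is 0 only if every listed file matches.
check_sums() {
    ( cd "$1" && sha256sum -c SHA256SUMS 2>/dev/null )
}

# Overwrite one byte at offset $2 of file $1 with the letter X.
flip_one_byte() {
    printf 'X' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Why the WHOLE digest must be compared: rewrite $1 until its digest starts with
# the hex prefix $2. Two hex characters take about 256 tries; eight take a few
# billion, which is still cheap on a GPU. Eyeballing the first few characters
# of a digest is therefore not a check at all.
forge_prefix() {
    n=0
    while :; do
        n=$((n + 1))
        printf 'malicious payload, attempt %s\n' "$n" > "$1"
        case "$(sha256_of "$1")" in
            "$2"*) echo "$n"; return 0 ;;
        esac
    done
}

make_sums "$WORK" installer.exe
ORIGINAL=$(sha256_of "$WORK/installer.exe")
check_sums "$WORK" && GENUINE=ok || GENUINE=failed

flip_one_byte "$WORK/installer.exe" 20
TAMPERED=$(sha256_of "$WORK/installer.exe")
check_sums "$WORK" && AFTER_TAMPER=ok || AFTER_TAMPER=failed

PREFIX=$(printf '%s' "$ORIGINAL" | cut -c1-2)
TRIES=$(forge_prefix "$WORK/evil.exe" "$PREFIX")
FORGED=$(sha256_of "$WORK/evil.exe")

echo "original : $ORIGINAL ($GENUINE)"
echo "tampered : $TAMPERED ($AFTER_TAMPER)"
echo "forged   : $FORGED (prefix $PREFIX matched after $TRIES tries)"
```

The one flipped byte changes every part of the digest, which is the property the article relies on. The forged file shows the flip side: a digest is only as good as the number of characters you actually compare, so copy the published digest into a file and let the tool compare all 64 characters for you.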
How can I validate them?
You’ll need software on your computer that can compute the same kinds of hashes and check the same kinds of signatures that the website publishes for its downloads. In short, these are the steps (I’ll go into explicit detail shortly):
- Install some signature making and validating software onto your computer (Do this only once).
- Make note of the published signature for the file you’re about to download. (Do this for every download that offers it).
- Download the file (DO NOT EXECUTE IT! It’s NOT trusted until you validate the signature!)
- Use the signature software to make or verify the signature of the downloaded file.
- If the signature checks out, the file is byte-for-byte what the author signed. If it doesn’t, DELETE THE FILE! DO NOT EXECUTE IT!
Detailed VALIDATION instructions:
Before you get overwhelmed, scroll to the bottom and see that once you’ve done all this once, future validations are really simple…. Just those 4 steps at the bottom. But for now, you’ll need to go through this more lengthy setup process.
In this tutorial, we’ll be dealing with a downloadable executable file that offers a PGP signature for you to validate against. You should know that there are several forms of verification data an author could choose to publish. Other than a PGP signature, the common ones are plain hashes: SHA-256, SHA-512, SHA-1 and MD5. MD5 and SHA-1 are both broken for this purpose (two different files can be made to produce the same hash), so where an author offers a choice, use SHA-256 or stronger, and prefer a PGP signature over any bare hash because it also tells you who signed.
We’ll be downloading and validating a popular BitCoin wallet app. For this type of app, it’s critical to validate the downloaded file against the published signature.
Yes! This looks very involved, but the good news is that most of these steps are only needed to be done ONCE EVER. Since this is your first time, there are many steps to get new things installed and set up right. Subsequent verification will be much simpler and I’ll provide a list of steps to do after you have everything set up.
First, install some PGP key software on your computer.
- Install gpg4win from here: https://gpg4win.org/
- It will install a few utilities and a GUI app that will hold all of your PGP keys and certificates. (You don’t need to understand what those are at this point).
- Skip this step if you already have a public/private PGP key pair. Create public/private keys for your own e-mail address. You’ll need this later and it has other benefits such as being able to send and receive encrypted e-mail on any e-mail system. See: STICK IT TO THE NSA: HOW TO ENCRYPT YOUR WEBMAIL
- Open the “File” menu and choose “New Key Pair”.
- On the box that opens, choose “Create a personal OpenPGP key pair”.
- Enter your name and e-mail address, then click “Advanced Settings…” and on the top 2 drop downs, change it to 4096 bits. That makes your key noticeably stronger than the default. If you want, feel free to check “Authentication” and “Valid until” and pick a date. I recommend 1 year into the future. If you choose a date, your key expires on that day and others will stop trusting it; you can extend the expiry later using your private key.
- Click [OK], then [Next], then [Create].
- It’ll prompt you for a password. To use your private key, you’ll need this password, so DO NOT LOSE IT!!!!! Go ahead and enter it.
- After taking a few moments (and it WILL take a few moments), you’ll have a key pair. If you want others to be able to send you encrypted data, I recommend clicking the button “Upload Public Key To Directory Service…”. People will be able to look up your public key via your name or e-mail address. But, it’s not needed for validating signatures, which is the primary purpose of this article. Now, click [Finish].
- You’ll now have a new, certified key in your key ring. PROTECT YOUR PRIVATE KEY WITH YOUR LIFE!!!!
If you’re interested in more details about what the private/public key pair you just created actually is, please see. It’s not necessary to know all of that for this article, but it will clear up some confusion, if you have any.
Now, let’s do an actual Verification!
- Go to https://electrum.org/#download and view that page. (Note, if you have the know-how and the means to download and build from the source code, do that rather than downloading a pre-built executable, but verify the signature on the source download the same way: unverified source is no better than an unverified binary.) Notice the signature links next to every download option? THAT’S what we’re working with in this article.
- Click the Windows Installer and download it. DO NOT RUN IT! In the folder in which you downloaded the file, you’ll see a file named something like electrum-3.1.0-setup.exe. As you can see, I’ve downloaded prior versions of the file too. Notice that some of the files DON’T have “.exe” at the end? We’ll fix that shortly.
- Back on the web page, click the signature next to “Windows Installer”. You’ll see something that looks like this in your browser:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
- Click anywhere on the text and hit [Ctrl]+[A] to select all of that text, then [Ctrl]+[C] to copy it. Or you can select all the text with your mouse and copy it. You’ll be pasting it into a text file shortly.
- DO NOT COPY THE PGP SIGNATURE FROM MY ARTICLE TEXT!!!
- Open the folder to where you downloaded the Windows Installer file. It should be named something like electrum-3.1.0-setup.exe. Obviously, if you’re reading this in the future, there will likely be a newer version. This is the latest version at the time of this writing.
- Right-click on any empty, white space in the folder and choose “New”, then “Text Document”. A new, empty text file will be created. Ignore the extra menu items I have. I’m a developer and have extra features installed that you might not.
- Now hit enter to open the empty text file and paste the PGP signature into it (from the copy step above, you should still have the text in your clipboard). Hit [Ctrl]+[V]. This will paste the signature text into the text file. Now hit [Ctrl]+[S] to save it. And finally CLOSE notepad (or whatever text editor you’re using).
- Now rename the text file to exactly the same name as the downloaded electrum exe file, but with “.pgp” added to the end of the filename. In my case, I rename the text file to electrum-3.1.0-setup.exe.pgp. (The conventional extension for an ASCII-armored signature is “.asc”, which is what Electrum’s own signature links use; Kleopatra recognizes either.)
- Now, let’s fix that problem where the file types (also called “file extensions”) are hidden. While looking at the filename that you downloaded in Windows Explorer, open the “View” menu or tab. On the right hand side (you might have to resize the window to something bigger to see it), open the “Options” drop down and choose “Change folder and search options”.
- On the “Folder Options” that opens up, click on the “View” tab and check OFF (or UN-check) the box “Hide extensions for known file types”, then click “OK”. It should NOT have a check-mark in it.
- You’ll see the files changed from this…
- to this… (again, these are MY files, you may have more or fewer and certainly different files in your downloads folder).
- It’s VERY important that you see the FULL filenames. Before this, the electrum-3.1.0-setup.exe.pgp file looked like it was named electrum-3.1.0-setup.exe and, as you can see, there’s actually ANOTHER file that really has that name. Why Microsoft hides these by default is beyond me. All it does is create confusion, and it severely increases the risk of hackers tricking you into launching a malicious program when you think you’re opening a harmless text file or picture.
- LET’S DO IT! Let’s make an attempt to actually verify the PGP signature of the file. Spoiler alert: It won’t work, but that’s OK. It will walk us through what we need to do. Right click your newly created and renamed file that you added “.pgp” to the end of the filename on. In my example, it will be electrum-3.1.0-setup.exe.pgp , and then choose “More GpgEX options”, then “Verify”.
- The verification process will complete as verified, but not fully verified…
- Here’s what’s going on. The EXE file DID verify against the PGP signature, but the key that made the signature is not known to be trustworthy. At least, the verification software you’re using (called Kleopatra) does not know that key to be the author’s. You’ll have to TELL IT that you trust that author’s key. Once you do, Kleopatra will fully verify everything from that author that is signed with the same key. Click the “Search” button. This will search several public PGP key servers on the internet for a key matching the ID recorded in the signature. Important: anyone can upload a key to a key server under any name and e-mail address, so finding a key labelled “ThomasV” proves nothing by itself. What identifies a key is its FINGERPRINT (a string of 40 hex characters). Before you trust the key, compare its fingerprint with one the Electrum project publishes somewhere other than the download page (for example in its source repository or official announcements), and do not proceed unless they match exactly.
- It SHOULD find a key from ThomasV@gmx.de after a minute or so…
- Click his e-mail address and then click the “Import” button. That will import his public PGP key into your PGP keyring. This will make it available for future use by you to validate new versions of this app and others from the same author. You won’t have to go through all of these steps again for future downloads from him.
- Now we need to CERTIFY his key. This simply means we’re going to tell our local install of Kleopatra that we TRUST the key from ThomasV. Open your start menu and find Kleopatra and launch it.
- It will show you all the public and private PGP keys you have installed. Here’s what MINE looks like. Yours may have only the one key from ThomasV and your own key. (I’ve blurred my personal keys).
- Now, we’ll certify ThomasV’s key. First double-click his key to open its details and compare the fingerprint shown there, character by character, with the one you obtained independently. If it matches, right click his key (anywhere on the line with his e-mail address in it) and choose “Certify…”
- Check ALL the boxes on the “Certify Certificate” dialog box that pops up, then click “Next”.
- Now you need to tell it which of YOUR keys you want to certify it with. It should show you all the keys you already created for yourself. Select the one you wish to certify with. It’s not critical which one you choose, but I recommend choosing the latest one of yours that’s not expired and is associated with your most used e-mail address. Then select “Certify only for myself” and click “Certify”. (I’ve blurred all my personal signatures).
- You’ll see the following once Kleopatra has marked his certificate as validated by your own key. We do this to make the software validation work. Most of these steps are a one-time deal. You will not repeat all of these every time you want to validate a signature on software.
- Click [Finish] and you’ll see your list of installed keys and see that his key is now marked as “certified”. This is good. This will REDUCE the number of steps to validate software from him in the future.
- Now, one more time, let’s right-click the electrum-3.1.0-setup.exe.pgp file you created, choose “More GpgEX options”, then “Verify”. This time, you’ll get FULL VERIFICATION!
Congratulations! You’ve now validated that the Electrum installer you downloaded is byte-for-byte the file ThomasV signed: it has not been modified since it left the author. That is what a signature proves; it doesn’t promise the software is free of bugs, but it does rule out the tampered-copy attack this article is about, so it is safe to install as far as integrity and origin go. Please note, this was NOT an article about installing the Electrum BitCoin software. It was an example of how to validate software signatures for ANY software you download (as long as the author provides signatures). We could have used countless other apps to do the same thing.
It’s MUCH easier the second time!
Yes, I know. That was quite a lot of work to do. But that’s only because you’re new to this AND you had to install, configure, and create lots of new things. Now that you’ve done it once, doing it again will be much less effort.
From now on, all you do is the following:
- Get the PGP signature of the file you want to download and save it into a text file.
- Download the file you want.
- Rename your PGP signature file to exactly the same name as the file you download, but with “.pgp” appended to the end of the file name.
- Right-click that pgp file, choose “More GpgEX options” -> “Verify”, and it’ll either validate or report that it’s not valid.
That’s it! And getting newer versions of the app will be the same 4 steps.
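The same four steps can also be typed at a command prompt, which is handy once you’re comfortable with them or want to script them. Here is an added example (my own script, not the article’s or the Electrum project’s) that runs the whole flow with gpg against three throwaway keyrings created in a temp directory: a publisher, you, and an attacker. Gpg4win installs gpg.exe, so the gpg options below work the same in cmd or PowerShell; only the surrounding scaffolding is POSIX sh. The file contents, names and e-mail addresses are constructed; your real keyring is never touched. It shows the three outcomes you can get: no key to check against, a good signature from a key you certified, a bad signature on a file with one flipped byte, and the dangerous fourth case, a good signature from an impostor’s key that you never fingerprint-checked.

```shell
#!/bin/sh
# Added example (not from the article or the Electrum project): the article's
# four recurring steps as gpg commands, plus the outcomes you can get.
# Everything runs in three throwaway keyrings under a temp dir.
set -eu

WORK=$(mktemp -d)
cleanup() {
    for h in publisher you attacker; do
        GNUPGHOME="$WORK/$h" gpgconf --kill all 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg against keyring $1, with the options needed for unattended use of an
# unprotected throwaway key (your real key has a passphrase; leave these out).
g() {
    _home=$1; shift
    GNUPGHOME="$WORK/$_home" gpg --batch --yes --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Make keyring $1 with a signing-only key for user id $2; print its fingerprint.
new_key() {
    mkdir -m 700 -p "$WORK/$1"
    g "$1" --quick-generate-key "$2" ed25519 sign never 2>/dev/null
    g "$1" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify detached signature $2 over file $3 with keyring $1 and print only the
# machine-readable status tokens (GOODSIG, BADSIG, NO_PUBKEY, TRUST_FULLY, ...).
# Scripts should test these tokens, never the human-readable text on stderr.
verify_status() {
    g "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | sed -n 's/^\[GNUPG:\] \([A-Z_]*\).*/\1/p' | tr '\n' ' '
}

# True if token $2 appears in a verify_status result $1.
has_token() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

PUB_FPR=$(new_key publisher 'Publisher <publisher@example.invalid>')
new_key you 'You <you@example.invalid>' > /dev/null   # your own key, used to certify
# The attacker's key carries the SAME name and e-mail as the real author.
ATT_FPR=$(new_key attacker 'Publisher <publisher@example.invalid>')

# The download: constructed stand-in bytes, signed by the publisher as a detached,
# ASCII-armored signature (the same kind of text you copied from the signature link).
printf 'constructed stand-in for electrum-x.y.z-setup.exe\n' > "$WORK/setup.exe"
g publisher --armor --detach-sign -o "$WORK/setup.exe.asc" "$WORK/setup.exe"
g publisher --armor --export "$PUB_FPR" > "$WORK/publisher.asc"

# Before the author's key is in your keyring, gpg cannot check the signature at all.
RESULT_NO_KEY=$(verify_status you "$WORK/setup.exe.asc" "$WORK/setup.exe")

# One-time setup: import the key, compare its fingerprint with one obtained
# independently (here: the value we generated; in real life: what the project
# publishes off the download site), then certify it locally with your own key.
# This is Kleopatra's "Certify only for myself".
g you --import "$WORK/publisher.asc" 2>/dev/null
SEEN_FPR=$(g you --list-keys --with-colons "$PUB_FPR" | awk -F: '$1 == "fpr" { print $10; exit }')
[ "$SEEN_FPR" = "$PUB_FPR" ] || { echo "fingerprint mismatch: do not certify"; exit 1; }
g you --quick-lsign-key "$PUB_FPR" 2>/dev/null
g you --check-trustdb 2>/dev/null

# Outcome 1, genuine file: GOODSIG from a key you certified (TRUST_FULLY).
RESULT_GENUINE=$(verify_status you "$WORK/setup.exe.asc" "$WORK/setup.exe")

# Outcome 2, one flipped byte, same signature file: BADSIG. Delete the file.
cp "$WORK/setup.exe" "$WORK/tampered.exe"
printf 'X' | dd of="$WORK/tampered.exe" bs=1 seek=5 conv=notrunc 2>/dev/null
RESULT_TAMPERED=$(verify_status you "$WORK/setup.exe.asc" "$WORK/tampered.exe")

# Outcome 3, hacked download site: the attacker signs the tampered file with their
# own key and you import that key (from the hacked page or a keyserver search)
# without checking its fingerprint. The math checks out, so gpg says GOODSIG,
# but the key is uncertified: TRUST_UNDEFINED. That is the "verified, but not
# fully verified" result Kleopatra shows, and it is NOT a pass.
g attacker --armor --detach-sign -o "$WORK/tampered.exe.asc" "$WORK/tampered.exe"
g attacker --armor --export "$ATT_FPR" | g you --import 2>/dev/null
RESULT_ATTACKER=$(verify_status you "$WORK/tampered.exe.asc" "$WORK/tampered.exe")

echo "no key yet      : $RESULT_NO_KEY"
echo "genuine         : $RESULT_GENUINE"
echo "one byte flipped: $RESULT_TAMPERED"
echo "attacker's key  : $RESULT_ATTACKER"
```

For a real download the recurring step is just `gpg --verify electrum-3.1.0-setup.exe.asc electrum-3.1.0-setup.exe` in the folder where both files sit. “Good signature” together with “WARNING: This key is not certified with a trusted signature!” is outcome 3 above, not success: go back and compare the fingerprint before you certify anything.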
Check back later for updates too!