Verifying Software Signatures

From Kicksecure
Revision as of 05:36, 1 July 2018 by imported>Mrscreenshot (Created page with "{{Header}} {{#seo: |description=Verifying Software Signatures }} = Introduction = For greater system security, it is strongly recommended to avoid installing unsigned softwa...")


Introduction

For greater system security, it is strongly recommended to avoid installing unsigned software. Users should also make sure that signing keys and signatures are correct, and/or use mechanisms that heavily simplify and automate this process, such as apt-get upgrade, which verifies the repository's signature automatically before installing anything.

What Digital Signatures Prove

Users should bear in mind that using digital signatures to verify the trustworthiness of software is not an infallible process. Digital signatures increase the certainty that no backdoor was introduced by a third party during transit, but this does not mean the software is absolutely "backdoor-free". The following is a summary of what digital signatures prove and do not prove.

Digital Signatures Prove

  • Someone with access to the private key has made a signature.
  • The file contents have not been tampered with since the signature was made (preserving integrity).
  • Taken together, these may indicate the given file is authentic, provided the key is known to belong to the expected signer.


Digital Signatures do not Prove

  • Any other property, for example, that the file is not malicious. Nothing stops a person from signing a malicious program.
  • That persons signing the file are inherently trustworthy, for example, Microsoft, Whonix developers and so on (but trust must be eventually placed in someone). [1]


If all files downloaded from trusted vendors are verified, this largely removes the threat of tampering through server compromises, dishonest staff at hosting companies or ISPs, Wi-Fi attacks and so on. The reason is that files which have been tampered with will produce bad digital signatures, so long as the public keys used for signature verification are the authentic, original ones (see below). Signature verification does not protect against a compromise of the signing key itself, nor against being served an older, still validly signed version of the software.

Checking Digital Fingerprints of Signing Keys

Warning: Software should only be installed after a key's fingerprint has been verified and good signatures are produced for files/repositories.


Based on the preceding information, a critical first step in verifying that software is legitimate is to confirm the authenticity of the signing key via its fingerprint. [2] This is a necessary step before keys are imported, or trust is placed in OpenPGP output when verifying files or repositories.

The standard advice in Whonix documentation is to carefully obtain copies of the OpenPGP fingerprint from multiple secure websites, and to use other authentication systems to check they match. [3] In this instance, other "authentication systems" refers to: [4]

  • Use the PGP Web of Trust.
  • Check the key against different keyservers.
  • Use different search engines to search for the fingerprint.
  • Use Tor to view and search for the fingerprint on various websites.
  • Use various VPNs and proxy servers.
  • Use different Wi-Fi networks (work, school, internet cafe, etc.).
  • Ask people to post the fingerprint in various forums and chat rooms.
  • Check against PDFs and photographs in which the fingerprint appears (e.g., slides from a talk or on a T-shirt).
  • Repeat all of the above from different computers and devices.
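The comparison itself can be scripted so that a key file is never imported until its fingerprint matches the value obtained through the channels above. The following Python script is an added example, not part of the original page or of Kicksecure's own tooling. It shows the downloaded key with `gpg --with-colons --import-options show-only --import` (GnuPG 2.1.13 or later), which prints the key's records without importing it, and imports only if the file contains exactly one primary key whose fingerprint equals the pinned value. Subkey fingerprints are deliberately ignored, because subkeys can be rotated and do not identify the key. The sample `--with-colons` lines are constructed; apart from the Tor Browser Developers fingerprint quoted later on this page, every key ID, fingerprint and timestamp in them is a placeholder.

```python
"""Pin an OpenPGP key's primary fingerprint before importing it.

Added example for this page, not Kicksecure/Whonix project code.
Parses the machine-readable `--with-colons` output of gpg. Only the
fingerprint EF6E...8290 comes from the page; all other sample values
(key IDs, subkey fingerprint, timestamps) are constructed placeholders.
"""
import re
import subprocess
from typing import Iterable, List


def normalize_fpr(fpr: str) -> str:
    """Make 'EF6E 286D ...' and 'ef6e286d...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def primary_fingerprints(colon_lines: Iterable[str]) -> List[str]:
    """Return the fingerprint of every *primary* key in --with-colons output.

    An `fpr` record belongs to the `pub` or `sub` record that precedes it and
    carries the fingerprint in field 10 (index 9). Only the fpr directly after
    `pub` identifies the key; fingerprints after `sub` are subkeys and skipped.
    """
    fprs: List[str] = []
    after_pub = False
    for line in colon_lines:
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            after_pub = True
        elif record == "fpr":
            if after_pub and len(fields) > 9:
                fprs.append(fields[9])
            after_pub = False
        else:
            after_pub = False
    return fprs


def key_file_is_pinned(colon_lines: Iterable[str], pinned_fpr: str) -> bool:
    """True only if the file holds exactly one primary key and it is the pinned one.

    Requiring exactly one key defeats a file that bundles the genuine key
    with an attacker's key: importing such a file would silently add a second
    key that later produces "Good signature" output.
    """
    fprs = primary_fingerprints(colon_lines)
    return len(fprs) == 1 and normalize_fpr(fprs[0]) == normalize_fpr(pinned_fpr)


def show_key_file(path: str) -> List[str]:
    """Describe a key file WITHOUT importing it (GnuPG >= 2.1.13)."""
    cmd = ["gpg", "--batch", "--with-colons", "--import-options", "show-only",
           "--import", path]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True).stdout.splitlines()


def check_and_import(path: str, pinned_fpr: str) -> bool:
    """Import `path` only after the pinned-fingerprint check has passed."""
    if not key_file_is_pinned(show_key_file(path), pinned_fpr):
        return False
    subprocess.run(["gpg", "--batch", "--import", path], check=True)
    return True


# Fingerprint from this page (Tor Browser Developers signing key).
PINNED = "EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290"

# Constructed sample of --with-colons output: one primary key plus one
# signing subkey (placeholder fingerprint 1234...5678).
SAMPLE_GOOD = [
    "pub:-:4096:1:4E2C6E8793298290:1417033150:::-:::scESC::::::23::0:",
    "fpr:::::::::EF6E286DDA85EA2A4BA7DE684E2C6E8793298290:",
    "uid:-::::1417033150::0000000000000000000000000000000000000000::"
    "Tor Browser Developers (signing key)::::::::::0:",
    "sub:-:4096:1:90ABCDEF12345678:1417033150::::::s::::::23:",
    "fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:",
]
# Constructed: the genuine key bundled with a second, unknown primary key.
SAMPLE_BUNDLED = SAMPLE_GOOD + [
    "pub:-:4096:1:FEDCBA0987654321:1417033150:::-:::scESC::::::23::0:",
    "fpr:::::::::0123456789ABCDEF01234567FEDCBA0987654321:",
]

if __name__ == "__main__":
    print("single key matches pin:", key_file_is_pinned(SAMPLE_GOOD, PINNED))      # True
    print("bundled file matches pin:", key_file_is_pinned(SAMPLE_BUNDLED, PINNED))  # False
```

Only `check_and_import("key.asc", PINNED)` touches a real keyring; the sample lines let the parsing logic be exercised offline.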

Checking Digital Fingerprints of Signed Software

Once a user has carefully:

  • Downloaded the signing key (the public key only; the private key never leaves the signer).
  • Checked the signing key's fingerprint against multiple sources.
  • Imported the public key.
  • Downloaded the software package intended for installation.
  • Downloaded the accompanying detached signature file for the software package (.asc files are ASCII-armored OpenPGP signatures).


Then the file's signature must be verified against the signing key.

Below is an example of how to check the file signature, using the Tor Browser bundle v6.5.2 downloaded directly from The Tor Project website.

In a terminal, run:

    gpg --verify tor-browser-linux64-6.5.2_en-US.tar.xz.asc tor-browser-linux64-6.5.2_en-US.tar.xz

The OpenPGP output should show a "Good signature", with the primary key fingerprint matching the one the user verified earlier. In this example:

    gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
    gpg: Good signature from "Tor Browser Developers (signing key) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

The software can now be installed. The "not certified with a trusted signature" warning is expected whenever the key has not been signed with the user's own key: OpenPGP cannot vouch for the key's owner, which is exactly why the primary key fingerprint was checked by hand beforehand. A "Good signature" from a key other than the verified one, or from a key reported as expired or revoked, must be treated as a failure. If the output states "bad signature", then the files and digital signatures should be removed and downloaded again.
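The same verification can be scripted, but not by searching the human-readable output for "Good signature": gpg prints that phrase for expired and revoked keys as well (followed by a warning), and it prints it for any key in the keyring, not only the one whose fingerprint was checked. The following Python script is an added example, not part of the original page or of Kicksecure's own tooling. It runs `gpg --status-fd 1 --verify`, decides on the machine-readable status keywords (GOODSIG, VALIDSIG, BADSIG, EXPKEYSIG, REVKEYSIG, ...) rather than on the prose, and accepts only a good signature whose primary key fingerprint equals the pinned one. The sample status lines are constructed; the only real value in them is the Tor Browser Developers fingerprint shown above, while the subkey fingerprint, key IDs and the second "Someone Else" key are placeholders.

```python
"""Verify a detached OpenPGP signature and pin the signer's primary key.

Added example for this page, not Kicksecure/Whonix project code. It runs the
real `gpg` binary with --status-fd so the decision rests on machine-readable
status keywords, never on grepping "Good signature". Only the fingerprint
EF6E...8290 comes from the page; other sample values are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

# gpg prints "Good signature from ..." for EXPKEYSIG and REVKEYSIG too (with a
# warning underneath), so only the GOODSIG keyword may be accepted.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    """Make 'EF6E 286D ...' and 'ef6e286d...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


@dataclass
class Verdict:
    ok: bool
    reason: str
    primary_fpr: str = ""


def check_status(status_lines: Iterable[str], pinned_primary_fpr: str) -> Verdict:
    """Accept only a GOODSIG whose VALIDSIG primary fingerprint equals the pin.

    VALIDSIG fields: <sig-key-fpr> <date> <timestamp> <expire-timestamp>
    <sig-version> <reserved> <pubkey-algo> <hash-algo> <sig-class>
    [<primary-key-fpr>]. The last field is what the page calls "Primary key
    fingerprint"; it is omitted when the primary key itself made the
    signature, in which case the first field already is the primary.
    """
    pinned = normalize_fpr(pinned_primary_fpr)
    good = False
    primaries: List[str] = []
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            primary = fields[11] if len(fields) > 11 else fields[2]
            primaries.append(normalize_fpr(primary))
    if not good or not primaries:
        return Verdict(False, "no valid signature reported")
    if pinned not in primaries:
        return Verdict(False, "good signature, but not from the pinned key", primaries[0])
    return Verdict(True, "good signature from pinned key", pinned)


def gpg_verify(sig_path: str, data_path: str, pinned_primary_fpr: str,
               homedir: str = "") -> Verdict:
    """The page's `gpg --verify <sig> <file>`, with the fingerprint pin enforced."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    # gpg exits non-zero on a bad signature, but the status lines are authoritative.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return check_status(proc.stdout.splitlines(), pinned_primary_fpr)


# Fingerprint from this page (Tor Browser Developers signing key).
PINNED = "EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290"

# Constructed --status-fd output for the page's scenario: a signature made by
# a subkey (placeholder fingerprint 1234...5678) of the pinned primary key.
# TRUST_UNDEFINED is the status form of the "not certified" warning.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 90ABCDEF12345678 Tor Browser Developers (signing key)",
    "[GNUPG:] VALIDSIG 1234567890ABCDEF1234567890ABCDEF12345678 2015-01-24 "
    "1422088149 0 4 0 1 10 01 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Constructed: same signature, but the key has expired. The prose output would
# still read "Good signature"; only the keyword differs.
SAMPLE_EXPIRED = [
    SAMPLE_GOOD[0],
    "[GNUPG:] EXPKEYSIG 90ABCDEF12345678 Tor Browser Developers (signing key)",
    SAMPLE_GOOD[2],
]
# Constructed: a perfectly good signature from some other key in the keyring.
SAMPLE_WRONG_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA0987654321 Someone Else",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF01234567FEDCBA0987654321 2018-07-01 "
    "1530400000 0 4 0 1 10 01 0123456789ABCDEF01234567FEDCBA0987654321",
]

if __name__ == "__main__":
    for name, lines in (("good", SAMPLE_GOOD), ("expired", SAMPLE_EXPIRED),
                        ("wrong key", SAMPLE_WRONG_KEY)):
        v = check_status(lines, PINNED)
        print(f"{name:9s} ok={v.ok} ({v.reason})")
```

In practice the call is `gpg_verify("tor-browser-linux64-6.5.2_en-US.tar.xz.asc", "tor-browser-linux64-6.5.2_en-US.tar.xz", PINNED)`; the three constructed samples show why the status keywords, not the phrase "Good signature", must drive the decision.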

Footnotes

  1. Digital signatures are still useful in this case, because the user can choose to limit trust to a few select people/organizations such as Whonix developers.
  2. For example, anybody could generate an OpenPGP key pair and pretend to be the "Whonix Project", but only Patrick Schleizer's generated key pair is legitimate.
  3. Website checks are only as secure as the imperfect TLS system, which is itself based on certificate authorities that have been frequently compromised in recent years.
  4. https://www.qubes-os.org/security/verifying-signatures/
