• Welcome to Peterborough Linux User Group (Canada) Forum.
 

Checking PGP Signatures

Started by Jason, August 05, 2021, 05:35:46 AM


Jason

Sometimes software is important enough that when you download it, you want to be really sure it wasn't messed with. To protect against that, you can use digital signatures.

Digital signatures are what they sound like: a signature that verifies your approval of a document, except that digital signatures are a lot harder to fake. Here's how it works:

1. The maintainer or author of the software creates a key pair, a private and public key.

2. They keep the private key to themselves. It's used to sign the program.

3. The public key is given to anyone who wants it, either on the website or on a key server.

4. A user downloads the program and the public key.

5. The user runs a command that compares the signature on the file to the public key.

6. If it's valid, it means the developer/maintainer signed it with their key. If an attacker changed the file on the server, the signature would no longer match since the signature is embedded in the file.

Here's a tutorial on how to check signatures on a program (or any file, really) to make sure the program is safe. I tried it out and it worked. The only issue I had was trying to get the public key from a key server instead of having to get it from the website.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB NVMe and a GeForce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13
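
The six steps above can be run end to end with GnuPG. This is an added example, not part of the post or of the tutorial it links to; it assumes GnuPG 2.2 or later, and the key identities and file names are constructed for the demo. It goes one step beyond the post by also checking which key made the signature, since `gpg --verify` accepts a valid signature from any key in the keyring.

```shell
#!/usr/bin/env bash
# Succeeds only if SIG is a valid signature over FILE *and* was made by the
# key whose primary fingerprint is WANT (the one the maintainer publishes).
verify_pinned() {
    local file="$1" sig="$2" want="$3" status
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # The last field of a VALIDSIG status line is the signer's primary-key fingerprint.
    printf '%s\n' "$status" |
        awk -v want="$want" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

# Constructed test fixtures: two throwaway keys in a temporary keyring.
export GNUPGHOME="$(mktemp -d)"
work=$(mktemp -d)
new_key() {   # new_key USER_ID -> prints the new key's fingerprint
    gpg --batch --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}
sign_as() {   # sign_as FPR FILE -> writes detached signature FILE.sig
    gpg --batch --yes --passphrase '' --pinentry-mode loopback \
        --local-user "$1" --detach-sign --output "$2.sig" "$2" 2>/dev/null
}
maintainer=$(new_key 'Demo Maintainer <maintainer@example.org>')
other=$(new_key 'Someone Else <other@example.org>')

# Step 2: the maintainer signs the release.
printf 'release contents\n' > "$work/program.tar"
sign_as "$maintainer" "$work/program.tar"

# Steps 4-6: the user verifies against the fingerprint they expect.
verify_pinned "$work/program.tar" "$work/program.tar.sig" "$maintainer" \
    && echo "genuine file: accepted"

# A file changed after signing no longer matches the signature.
cp "$work/program.tar" "$work/tampered.tar"
echo 'extra line' >> "$work/tampered.tar"
verify_pinned "$work/tampered.tar" "$work/program.tar.sig" "$maintainer" \
    || echo "tampered file: rejected"

# A valid signature from another key in the keyring is rejected by the pin.
cp "$work/program.tar" "$work/resigned.tar"
sign_as "$other" "$work/resigned.tar"
verify_pinned "$work/resigned.tar" "$work/resigned.tar.sig" "$maintainer" \
    || echo "wrong signer: rejected"
```

With a real download, the expected fingerprint comes from the maintainer's website or another channel you trust, not from the same server that hosts the file.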

ssfc72

Good to know. Thanks for the info, Jason.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

I hope it's useful. If you try it out, let me know. It's not just whether or not I inspired members to try it; I want to know how hard they find it or if they have any other questions.

I've used PGP in the past but just to encrypt/decrypt email. I wish more people would use secure email, messaging, phoning, etc. I'd use it all the time but I don't know anyone else that uses the services so I can't get that extra privacy. Everyone that uses electronic devices that connect to the internet should be concerned about their privacy.