Peterborough Linux User Group (Canada) Forum

Linux & Android => Articles, Tutorials and Tips => Topic started by: Jason on August 05, 2021, 05:35:46 AM

Title: Checking PGP Signatures
Post by: Jason on August 05, 2021, 05:35:46 AM
Sometimes software is important enough that when you download it, you want to be really sure it wasn't messed with. To protect against that, you can use digital signatures.

Digital signatures are what they sound like: a signature that verifies your approval of a document, except that digital signatures are a lot harder to fake. Here's how it works:

1. The maintainer or author of the software creates a key pair, a private and public key.

2. They keep the private key to themselves. It's used to sign the program.

3. The public key is given to anyone who wants it either on the website or a key server.

4. A user downloads the program and the public key.

5. The user runs a command that compares the signature on the file to the public key.

6. If it's valid, it means the developer/maintainer signed it with their key. If an attacker changed the file on the server, the signature would no longer match since the signature is embedded in the file.

Here's a tutorial (https://www.linuxbabe.com/security/verify-pgp-signature-software-downloads-linux) on how to check signatures on a program (or any file, really) to make sure the program is safe. I tried it out and it worked. The only issue I had was trying to get the public key from a key server instead of having to get it from the website.
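Here is the six-step flow above carried out end to end with GnuPG, as an added example that is not part of the original post or of the linked tutorial. It assumes gpg 2.1 or newer is installed; the maintainer identity `maintainer@example.invalid`, the file names and the file contents are constructed for the demonstration, and everything happens in temporary keyrings so your own ~/.gnupg is untouched.

```shell
#!/bin/sh
# Added walk-through of the six steps using GnuPG (gpg 2.1 or newer).
# Not code from the original post or the linked tutorial; the key identity,
# file names and file contents are constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The maintainer's keyring lives in a throwaway directory, never in ~/.gnupg.
MAINTAINER_HOME="$WORK/maintainer-gnupg"
mkdir -m 700 "$MAINTAINER_HOME"

# gpg as the maintainer: batch mode and an empty passphrase so it runs unattended.
gpg_m() {
    gpg --homedir "$MAINTAINER_HOME" --batch --quiet \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Step 1: the maintainer creates a key pair (constructed identity).
gpg_m --quick-gen-key 'Example Maintainer <maintainer@example.invalid>' default default never

# Step 2: the private key stays with the maintainer and signs the release.
# A detached, ASCII-armoured signature is the usual .asc file found next to a download.
printf 'constructed stand-in for the release tarball\n' > "$WORK/program.tar.gz"
gpg_m --armor --detach-sign --output "$WORK/program.tar.gz.asc" "$WORK/program.tar.gz"

# Step 3: only the public key is published (on the website or a key server).
gpg_m --armor --export maintainer@example.invalid > "$WORK/maintainer-pubkey.asc"

# Steps 4 and 5, from the user's side: import the published key into a fresh
# keyring and check the signature against the downloaded file.
# Returns 0 when the signature is good, 1 when it is not.
verify_download() {
    download="$1"; signature="$2"; pubkey="$3"
    user_home=$(mktemp -d)
    chmod 700 "$user_home"
    gpg --homedir "$user_home" --batch --quiet --import "$pubkey" 2>/dev/null
    if gpg --homedir "$user_home" --batch --verify "$signature" "$download" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    GNUPGHOME="$user_home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$user_home"
    return $rc
}

# Step 6: the untouched download verifies; a file altered after signing does not,
# because the signature covers every byte of the original.
cp "$WORK/program.tar.gz" "$WORK/tampered.tar.gz"
printf 'one extra line changes the whole hash\n' >> "$WORK/tampered.tar.gz"

if verify_download "$WORK/program.tar.gz" "$WORK/program.tar.gz.asc" "$WORK/maintainer-pubkey.asc"; then
    echo "genuine download: signature GOOD"
else
    echo "genuine download: signature BAD (unexpected)"
fi

if verify_download "$WORK/tampered.tar.gz" "$WORK/program.tar.gz.asc" "$WORK/maintainer-pubkey.asc"; then
    echo "tampered download: signature GOOD (unexpected)"
else
    echo "tampered download: signature BAD, as it should be"
fi

GNUPGHOME="$MAINTAINER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
```

The one thing this script cannot decide for you is whether the public key really belongs to the maintainer: a GOOD result only proves the file matches whatever key you imported. Compare the key's fingerprint (`gpg --fingerprint` after importing it) with one published by the project through another channel before trusting the verification, whether the key came from the website or from a key server.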
Title: Re: Checking PGP Signatures
Post by: ssfc72 on August 05, 2021, 08:22:32 AM
Good to know. Thanks for the info Jason.
Title: Re: Checking PGP Signatures
Post by: Jason on August 06, 2021, 11:41:32 AM
I hope it's useful. If you try it out, let me know. It's not just whether or not I inspired members to try it; I want to know how hard they find it or whether they have any other questions.

I've used PGP in the past but just to encrypt/decrypt email. I wish more people would use secure email, messaging, phoning, etc. I'd use it all the time but I don't know anyone else that uses the services, so I can't get that extra privacy. Everyone that uses electronic devices that connect to the internet should be concerned about their privacy.