How to Verify Software Integrity?

in #howto, 8 years ago (edited)



I am going to teach people how to verify the integrity of the software they are downloading, for basic computer security purposes. You know, like NOT downloading malware that can steal all your cryptocurrencies and empty your bank account, that sort of thing.

I can't believe the situation is this desperate, but it is. Most people just totally ignore these threats until their last penny is stolen in some major cyberattack. I can't believe people can ignore this, but I hope they won't for much longer, because the stakes are now higher than ever.

This is not 2000, when the most damage malware could do was screw up the 8-bit game you were playing on your PC. Now you have Social Media accounts full of personal information, Government accounts (healthcare, pension, tax, etc...) and of course Banking accounts, all of it directly on your computer, and the latest addition is Cryptocurrencies, which are even easier to steal than the rest.

Your computer is now valuable, and this means that all the hackers and thieves around the world are drooling to get into it and steal whatever they can find. And given how insecure people's computers are, this is actually getting easier and easier, instead of harder.

In this post I am going to teach you how you can verify the integrity of the software you download. Of course this is very relevant now given how easily tons of people can get infested by malware.







Verify Software Integrity

There are 2 ways: either you build from the source, or you use the genuine binary package built by the devs, hopefully built deterministically and already vetted by many others. Of course I assume here that you only use OPEN SOURCE software, which is really the bare minimum security standard. And of course this tutorial is only for Linux; if you don’t use Linux already, you should install it first and then start this again from Step 0.


Step 0

The first step, or really the 0th step, is to actually have a secure environment by default. And this includes a safe operating system. You can't assume security and integrity at all if your OS is already potentially compromised by malware. If it's compromised, then it's done for. You need to establish trust from scratch. So you need to get a trusted OS, burn it to a DVD and start verifying stuff from that.

So you need a Live OS, here are a few examples:

Of course you should verify this as well. I have written relevant articles about this:

Or just go to OPTION B and use that method to verify the OS itself. After you have a genuine secure OS on a DVD, you can boot that and use it to verify your downloaded software's integrity, or to build software from source on a safe environment.


OPTION A - Build Your Own

Different software comes in different languages, but on Linux it is either C/C++ or Python; the other languages are irrelevant, or if the software is from Github, the developers usually describe there which tools you need to build it. Needless to say, the compilation itself should be done in a secure environment as shown in Step 0, otherwise the compilation could be compromised.

  • For C/C++ you need the software called GCC or GCC++ and build-essential:
    sudo apt-get install gcc
    sudo apt-get install build-essential

Then just compile it like this: make filename (the name of the source file without its extension; C/C++ files usually end with the extension cpp or c). If it’s a Github based software, it usually has a makefile, which means that you just go into the folder and simply enter make, and the command will automatically compile the entire folder.

  • For Python files, you don’t even have to compile them, most of them run from the source like this:
    python file.py
    python3 file.py

Which one you need depends on the Python version. It is better to use the 3.xx version, so use python3 as the command. Optionally you can compile it to make it cross-platform compatible, see instructions here:

So you just download the source code of your software, possibly multiple times, to avoid MITM attacks, compare the SHA256 sums of the downloads, make sure they all match, and then compile the source code or use it directly.

If the software is built with Gitian, then the build is deterministic, so you can check your compiled binary against what the developers have compiled. If both of you get the same result, the source matches the output, and since the source is open, the software is trustworthy. Just see OPTION B for details.



OPTION B – Verify Checksums & Integrity of a Binary

To verify the trustworthiness of a downloaded binary, it is good if the file has a GPG signature with it. The problem is that you still need to establish the trustworthiness of the GPG public key, or the checksum itself, so this could be a lengthy process.

  • 1] First of all, you should only do this in the secure environment. Download the GPG key together with the software and the signature. If there is no GPG key and signature, that shows that the developer is an amateur, but the integrity can still be verified.

  • 2] Now we need to verify the integrity of the download and of the GPG pair. So you should download it multiple times at random intervals. It might take 2-3 days, but really this is the only way you can make sure you haven’t been a victim of an MITM attack. Even a hacker can’t keep a malicious channel up constantly without being detected or shut down, and people will flag phishing scams pretty soon. So you need to download things multiple times and verify them against each other.

  • 3] Verifying a GPG key is simple: you can just search for it on Google or DuckDuckGo by its fingerprint, and see what others are saying about it.


For example Charlie Lee, the creator of Litecoin

So there is overwhelming direct or indirect evidence proving that his public key is actually his, proving it without a shadow of a doubt. Now 1 vulnerability here is that somebody might obtain his private key and use it to sign stuff, which would be a huge reputation blow to him if it were to happen, so hopefully people of his magnitude are careful with their crypto stuff.

So now you have established the authenticity of a public key, with overwhelming evidence in the example above. But there is still a chance that all of these websites get hacked simultaneously and give you a fake key or a fake fingerprint. In that case this verification process should be repeated multiple times, using different search engines, possibly different internet browsers, and even different IP addresses, just to be sure that the verification process is secure.

After we have ruled out the possibility of an MITM or phishing attack on the verification process, which works the same way when we download the software itself, we proceed.

  • 4] Verify the signature against the public key. If the pubkey is authentic, then there is little reason to separately vet the signature file itself, since a good signature can only be produced with the genuine private key associated with the pubkey. So if the public key is genuine, then where the signature file came from doesn’t matter.

gpg --verify signature.asc file

With the above command you can verify the signature file associated with the software against the genuine pubkey, which must already be imported into your GPG keyring. Here signature.asc is the signature file and file is the downloaded software.

Comparing checksums can also be a secondary verification layer if you don’t trust GPG for some reason. Usually SHA256 is more vetted than RSA, but it will take more work.

Just downloading the software a bunch of times, on different platforms, from different IP addresses, is a good way. Even if an active hacker is trying to feed you BS by any means, if you constantly change your IP address, eventually you will download the genuine file itself. And if you find any discrepancy, that is already a red flag.

If the server itself gets hacked and the file is replaced with a malicious one, then, if you can, try to download it from different sources. Usually a piece of software is available from different repositories like: Github, official website, Sourceforge, Debian repository, etc…

The probability of all things aligning well for the hacker is very low, so if you do this consistently, eventually you will find a discrepancy, or if all things match up, then you can be sure to a reasonable probability that your downloaded file is genuine.

To verify a file you can use sha256sum:

sha256sum file
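
The download-and-compare procedure from OPTION A and from the checksum steps above, as an added example that is not part of the original post: a shell function that hashes every downloaded copy with sha256sum, optionally checks them against a published checksum, and reports any discrepancy. The function name compare_copies and the file names are assumptions made for the illustration; the demo files are constructed.

```bash
#!/usr/bin/env bash
# Added example. Compares independently downloaded copies of one release file.
# Usage: compare_copies PUBLISHED_SHA256|- COPY1 COPY2 [COPY3 ...]
# Returns 0 if every copy has the same SHA256 (and equals the published value
# when one is given), 1 on any discrepancy, 2 on bad arguments.
compare_copies() {
    local published first="" f sum status=0
    [ "$#" -ge 3 ] || { echo "need a checksum (or -) and two copies" >&2; return 2; }
    # Published checksums are sometimes printed in upper case; normalise.
    published=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$f"
        [ -n "$first" ] || first=$sum
        if [ "$sum" != "$first" ]; then
            echo "DISCREPANCY: $f differs from $1" >&2
            status=1
        fi
        if [ "$published" != "-" ] && [ "$sum" != "$published" ]; then
            echo "DISCREPANCY: $f does not match the published checksum" >&2
            status=1
        fi
    done
    return "$status"
}

# Demo on constructed files standing in for three downloads of one release.
demo_dir=$(mktemp -d)
printf 'release 1.0\n' > "$demo_dir/from_website.tar.gz"
printf 'release 1.0\n' > "$demo_dir/from_mirror.tar.gz"
printf 'release 1.0 + extra payload\n' > "$demo_dir/from_other_ip.tar.gz"
compare_copies - "$demo_dir/from_website.tar.gz" "$demo_dir/from_mirror.tar.gz" \
    && echo "copies match"
compare_copies - "$demo_dir"/*.tar.gz || echo "red flag: do not install"
rm -rf "$demo_dir"
```

Pass - as the first argument when the developers publish no checksum; the copies are then only compared against each other.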




Conclusion

Only a few things can go wrong if you verify it consistently:

  • All websites get hacked at the same time to feed you malwared software during the download (unlikely)
  • Your computer gets hacked during the download procedure (unlikely if you use a secure OS)
  • Your internet connection gets MITM’d, which can be avoided by:
    • Using HTTPS websites and
    • Downloading & verifying the files dynamically from multiple IP addresses, multiple times and becoming suspicious as soon as 1 discrepancy is found

Otherwise you can now be reasonably sure that the software you have downloaded is genuine, secure and trustworthy. It is trustworthy especially because of its open source nature: you don’t really have to trust it, since anybody can search for and find bugs in it, and these get fixed very fast. And there are just too many things that have to go wrong simultaneously in order to still get compromised despite your best efforts not to be.

So we can now safely say that you are now safe after following this procedure. But we can never be 100% sure!



Sources:
https://pixabay.com



Very helpful... thanks for sharing high value and informative post.

this post is so amazing, I'm so inspired to keep working hard on steem.

Count began at 0, nice. Hidden lesson there, not many will know/notice.

This is good advice, thanks for sharing and helping others to learn how to be safe in a process that will also help them learn how to learn.
