How to verify the authenticity of a download

28 August 2013, filed under Security

Sometimes you’ll see a mention of a SHA1 checksum, MD5 checksum or PGP signature on websites. These are there for you, so you can verify the integrity of a file or document. For simplicity we’ll stick with SHA1 for the remainder of this article. SHA1 is a cryptographic hash function: for a given file it produces a fixed 160-bit output (written as 40 hexadecimal characters) known as a “message digest.” Note that nothing is encrypted; a digest is a one-way fingerprint, and the file itself is not hidden by it. It is computationally infeasible to find a modified file that produces the same digest by accident, so if a file is changed during transit, its digest changes too. MD5 is an older hash with the same purpose; PGP signatures go one step further and additionally prove who published the file. Here’s how to use this information.

Download SuperSecretIM.dmg
SHA1 = cb57a43867d2fc3acb7f1b9370ba078df4c28202


For example, I offer a file for download: a messenger that guarantees complete privacy and security. If someone who compromised my website replaced that file with an altered version of the messenger, one with a backdoor in it, you wouldn’t know, and all your communications could be compromised. A Man-In-The-Middle (MITM) attack can also be used to alter a file while it is being downloaded, or the server the file sits on could be infected with malware. So I offer a checksum in SHA1 format. In this case the SHA1 checksum for this file is: cb57a43867d2fc3acb7f1b9370ba078df4c28202

When you compute the checksum on your end, after you download the file, that’s the exact sum you should see. If it’s anything but that, something happened to the file and you should not trust it. So how do you check this sum? Feel free to download the actual file; it’s just a 10.5MB empty disk image. Open Terminal (Applications > Utilities > Terminal.app) and type the following:

openssl sha1 /Users/yourname/Downloads/SuperSecretIM.dmg
(replace “yourname” with your own user name) and hit Enter/Return.

Here’s what it would look like on my end:

[Screenshot of Terminal.app: telling Terminal to show me the SHA1 checksum of this file]

And after hitting Enter I see this:

[Screenshot of Terminal.app: Terminal shows me the SHA1 checksum]

Entering “md5” instead of “sha1” would give you the MD5 checksum; no other command is needed. If you do not know the exact path of the file and/or do not want to type it all out, just type “openssl sha1 ” (with a trailing space) and drag the file you want to check onto the Terminal window. Terminal will fill in the complete path for you. Compare the whole digest, not just the first few characters; the hex is case-insensitive, so “CB57…” and “cb57…” are the same value. So now you know whether the file you downloaded is the file that was posted online. Two caveats: a checksum published on the same site as the download can only catch corruption or tampering in transit (or on a mirror), because anyone who can replace the file on the server can replace the posted checksum too; and both MD5 and SHA1 are no longer considered collision-resistant, so prefer SHA-256 when a site publishes it. Using SSL (https) adds security and should make sure no one can intercept and alter a file while it’s being downloaded, but it says nothing about whether the server itself was compromised.
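The steps above, as a small shell script you can keep around. This is an added example, not from the original post: it wraps the openssl command the post uses (falling back to shasum or sha1sum if openssl is missing), compares the result to the published sum case-insensitively, and also generalizes to SHA-256. The “download” is a constructed three-byte file containing “abc”, whose SHA1 and SHA-256 are the well-known NIST test vectors; the tampered copy changes one byte to show the mismatch path.

```shell
#!/bin/sh
# Verify a downloaded file against a digest published on the download page.
# Added example (not the post's own code). Assumes openssl, shasum or
# sha1sum/sha256sum is installed; everything else is POSIX sh, awk and tr.

# file_digest ALGO FILE
#   Print the lowercase hex digest of FILE. ALGO is "sha1" or "sha256".
file_digest() {
  algo="$1"; file="$2"
  if command -v openssl >/dev/null 2>&1; then
    # openssl prints "SHA1(path)= <hex>"; the digest is the last field.
    got=$(openssl dgst -"$algo" "$file" | awk '{print $NF}')
  elif command -v shasum >/dev/null 2>&1; then
    # shasum wants the bit length: "sha1" -> 1, "sha256" -> 256.
    got=$(shasum -a "${algo#sha}" "$file" | awk '{print $1}')
  else
    # coreutils: sha1sum / sha256sum
    got=$("${algo}sum" "$file" | awk '{print $1}')
  fi
  printf '%s\n' "$got" | tr 'A-F' 'a-f'
}

# verify_digest ALGO FILE EXPECTED
#   Return 0 when FILE's digest equals EXPECTED (case-insensitive), 1 otherwise.
#   Compare the whole digest; a prefix match proves nothing.
verify_digest() {
  algo="$1"; file="$2"
  expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  actual=$(file_digest "$algo" "$file")
  if [ "$actual" = "$expected" ]; then
    printf 'OK: %s digest of %s matches\n' "$algo" "$file"
    return 0
  fi
  printf 'MISMATCH: %s digest of %s\n  expected %s\n  got      %s\n' \
    "$algo" "$file" "$expected" "$actual" >&2
  return 1
}

# Published digests of the three bytes "abc" (NIST test vectors). They stand
# in for the checksum a download page would show next to the file.
ABC_SHA1=a9993e364706816aba3e25717850c26c9cd0d89d
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

# make_sample_file: constructed stand-in for the genuine download ("abc").
make_sample_file() {
  tmp=$(mktemp) || return 1
  printf 'abc' > "$tmp"
  printf '%s\n' "$tmp"
}

# make_tampered_file: the same download with one byte altered ("abd").
make_tampered_file() {
  tmp=$(mktemp) || return 1
  printf 'abd' > "$tmp"
  printf '%s\n' "$tmp"
}

# Demo. For a real download you would run, for instance:
#   verify_digest sha1 ~/Downloads/SuperSecretIM.dmg cb57a43867d2fc3acb7f1b9370ba078df4c28202
sample=$(make_sample_file)
tampered=$(make_tampered_file)
verify_digest sha1 "$sample" "$ABC_SHA1"
verify_digest sha256 "$sample" "$ABC_SHA256"
verify_digest sha1 "$tampered" "$ABC_SHA1" || echo "tampered copy rejected, as it should be"
rm -f "$sample" "$tampered"
```

Save it as verify.sh and run it with sh verify.sh; a non-zero exit status from verify_digest is what you would check in any script that installs the file afterwards. Remember that the script only tells you the file matches the sum you pasted in; if the sum came from the same compromised page as the file, both can be wrong together.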

What about PGP signatures?
A signature fixes the weakness of a checksum posted next to the file: it is made with the publisher’s private key, so an attacker who swaps the file on the server cannot produce a valid signature for the altered copy without that key. If you have PGP software installed and the publisher’s public key is in your PGP keychain, you can right-click on files or documents to verify that they were signed by the person they claim to come from. The check is only as good as the key you trust, so get the public key from a source independent of the download page and confirm its fingerprint. More on PGP can be found in this article, which focuses on encrypting OS X Mail, but the same software can be used to verify documents.
