How to Verify Authenticity of Linux Software

Antivirus, forensics, intrusion detection, cryptography, etc.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada


#1 Post by labbe5 »

https://www.maketecheasier.com/verify-a ... ignatures/

When you download software from the Internet, you have to trust the developer(s) that their program isn’t malicious. However, you also have to worry about hackers. There is a lot an attacker can gain from hacking a website and replacing software with a backdoored version.

Think about a site that hosts a Bitcoin wallet utility. If an attacker manages to replace the legitimate version with a malicious one, he can potentially steal money from tens of thousands of users. Another valuable target to backdoor is an operating system.


Developers that are security-conscious will often bundle their setup files or archives with checksums that you can verify. You can read how to verify them on Windows or Linux. The problem with these hashes, though, is that if a hacker replaces files on a website, he can easily replace the hashes, too. This makes hashes on their own almost useless, especially if they’re hosted on the same server where the programs reside.

To make these checksums useful, developers can also digitally sign them, with the help of a public and private key pair. Only the person that owns this private key can create signatures. These can be verified only with the corresponding public key, which is published on the Internet. If the verification passes, you can be (almost always) certain that the owner of the private key signed his software.

For a hacker to bypass this security mechanism, he has to steal the private key somehow, which is much harder to do if the owner takes proper measures to keep it secret. And even when the key is stolen, the owner can invalidate it by revoking it and announcing it. If this happens, when you download his/her public key and try to use it to verify a signature, you’ll be notified that this has been revoked.


Next:
How to Verify Signatures Using GnuPG (GPG)

Further reading:
Checksum – File Integrity Check on Linux Command Line
https://www.putorius.net/linux-checksum ... check.html
QuickHash GUI
QuickHash GUI is an open-source Linux, Windows, and Apple Mac OSX graphical interface that enables easy and rapid data hashing of data: text, text files line by line, binary files, file comparisons, folder comparisons, disks and drive volumes (as administrator), Base64 data, as well as allowing files in one folder to be copied to another with data hashing conducted at either side for comparisons and data integrity.
https://quickhash-gui.org/downloads/
How To Verify ISO Images In Linux
https://www.ostechnix.com/how-to-verify ... -in-linux/
Last edited by labbe5 on Fri 26 Jul 2019, 19:00, edited 3 times in total.
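The two checks the article describes (signature over the checksum list first, then the file's hash against that list) as an added POSIX shell example; this is not code from the linked article or from either post. It assumes the developer's public key is already imported, file names SHA256SUMS / SHA256SUMS.gpg, and a placeholder fingerprint you would replace with the one you confirmed out of band.

```shell
#!/bin/sh
# Added example: verify a download against a GPG-signed SHA256SUMS list.
# Assumes the developer's public key is already in the keyring and that
# you confirmed its fingerprint out of band (the value below is a placeholder).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Step 1: the checksum list is only worth anything if its detached signature
# checks out. A bare "gpg --verify" exit status is not enough: it also reports
# success for any key in the keyring, so require a VALIDSIG status line that
# carries the fingerprint we actually expect.
verify_sums_signature() {
    sums="$1"; sig="$2"; fpr="$3"
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Step 2: compare one file's SHA-256 with its entry in the (now trusted) list.
# Entries look like "<64 hex chars>  <filename>", optionally "*filename" for
# binary mode. Returns 0 on match, 1 on mismatch, 2 if the file has no entry.
verify_file_checksum() {
    sums="$1"; file="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '($2 == n) || ($2 == "*" n) { print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Usage: verify.sh SHA256SUMS SHA256SUMS.gpg downloaded-file
if [ "$#" -eq 3 ]; then
    verify_sums_signature "$1" "$2" "$EXPECTED_FPR" \
        || { echo "bad or unexpected signature on $1"; exit 1; }
    verify_file_checksum "$1" "$3" \
        || { echo "checksum mismatch or missing entry for $3"; exit 1; }
    echo "OK: $3 matches the signed checksum list"
fi
```

If the signature step fails, the checksum list tells you nothing, which is exactly the case the article warns about: an attacker who swapped the files could have swapped the hashes too.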

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#2 Post by 8Geee »

Essentially a known good app/program/file can have a sha256 sum applied to it. Any version/copy that is not a match is suspect at the very least. Newer puppies (Slacko5.7 can) have the ability to run #sha256sum /path-to-file in terminal.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
