Mini-guide: Verifying Software
Tip jar 🫙 expatriotic@walletofsatoshi.com
Donations
- Bitcoin paynym: +expatriotic
- Monero: 88D6SZFBA6fFhYGdnY4c57dTAJD6jyqRTfCKwHjZrfdnhd8phAMYnDQWSJrqyAmgVHV7mDU6soaHogZvno1AUXp79DwtWvK
Why you SHOULD verify mission critical software
Verifying your software downloads is a critical, two-step security process. It ensures the file you downloaded is both uncorrupted and authentic.
- File Integrity: We check that the file wasn't damaged during download. A single bad bit can corrupt an entire installation.
- File Authenticity: We check that the file is the real file from the developer, not a fake version injected with malware by an attacker who may have compromised a download server.
Core Concepts
We use two different cryptographic tools to solve these two problems.
- Checksum: A checksum (like SHA256) is a unique "digital fingerprint" of a file. If even one bit changes, the fingerprint changes completely. This check is great for integrity, but it has a flaw: if an attacker hacks a website, they can replace both the software and its SHA256 fingerprint.
- Signature: This is the solution. A GPG signature (.gpg file) is a "tamper-proof wax seal" that only the developer can create. We use this to verify the list of fingerprints itself. An attacker cannot fake this seal.
Our flow is simple: First, we verify the signature on the list so that we can trust those hash outputs (fingerprints) that it lists. Second, we verify our software against that now trusted list.
Prerequisite Tools
Before you begin, you need the necessary command-line tools.
- Linux: You are all set. gpg and sha256sum are pre-installed.
- macOS: Install the tools via Homebrew.
brew install gnupg coreutils
- Windows: Install Gpg4win (for gpg) and Git for Windows (which provides the Git Bash terminal, giving you curl and sha256sum).
Download Files
We will use Ubuntu 24.04 LTS as our example. First, open your terminal (or Git Bash on Windows).
Let's navigate to our Downloads folder and create a new directory for our work. The ~ is a shortcut for your home directory.
cd ~/Downloads
mkdir ubuntu-verify
cd ubuntu-verify
Now, let's download the four files we need. We use curl to do this.
# 1. The software itself (the .iso file)
curl -LO https://releases.ubuntu.com/noble/ubuntu-24.04.3-live-server-amd64.iso
# 2. The list of fingerprints (SHA256SUMS)
curl -LO https://releases.ubuntu.com/noble/SHA256SUMS
# 3. The signature for that list
curl -LO https://releases.ubuntu.com/noble/SHA256SUMS.gpg
# 4. The official Ubuntu keyring
curl -o ubuntu-keyring.gpg "https://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg"
Command Flags Explained:
- curl: A tool to transfer data from or to a server.
- -L: (Location) Follows any redirects if the file has moved.
- -O: (Output) Saves the file with its original name from the URL.
- -o ubuntu-keyring.gpg: (output) Saves the file with the specific name we provide.
This last file, ubuntu-keyring.gpg, is our secret weapon. Instead of trying to find the one correct key on a public server (which often fails due to firewalls), we have securely downloaded Ubuntu's entire set of official keys. This is the most reliable method.
If you are downloading a program from a lone developer, I would recommend locating their PGP key somewhere OTHER than the page the program is downloaded from. Manually check their X account, or look on keybase.io, where some developers (the Ashigaru devs, for example) publish their keys.
Verify Signature
This is Step 1, where we check that the list was signed by the dev(s).
We will use the gpgv command, a lightweight tool for only verifying signatures. We'll tell it to use the keyring file we just downloaded.
gpgv --keyring ./ubuntu-keyring.gpg SHA256SUMS.gpg SHA256SUMS
Command Explained:
- gpgv: The GPG verification tool.
- --keyring ./ubuntu-keyring.gpg: Tells gpgv to only use the keys in this specific file to check the signature.
- SHA256SUMS.gpg: The first argument is the signature file ("the seal").
- SHA256SUMS: The second argument is the data file that was signed ("the fingerprint list").
You are looking for this exact output:
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"
Note: You may also see a WARNING that the key is "not certified with a trusted signature." This is normal and safe. It simply means you have not personally signed that key. The Good signature message is all that matters. It confirms the file is authentic.
Verify File
This is Step 2, where we check our software's "fingerprint" against the trusted list.
Now that we 100% trust the SHA256SUMS file, we can use it to check our .iso.
# On Linux / MacOS / Git Bash
sha256sum -c SHA256SUMS 2>&1 | grep ubuntu-24.04.3-live-server-amd64.iso
Command Explained:
- sha256sum -c: The -c flag tells the tool to "check" the files listed in the SHA256SUMS file.
- 2>&1: This is a standard shell redirect. It sends all error messages (like "file not found" for the other ISOs in the list) to the same place as the normal output.
- |: This "pipe" sends the entire output of the first command as the input for the next command.
- grep ...: This filters the many lines of output and shows us only the single line that contains the name of our .iso file.
The only output you should see on your screen is:
ubuntu-24.04.3-live-server-amd64.iso: OK
If you see OK, your verification is complete. You have cryptographically proven that your file is authentic and uncorrupted. If you see FAILED or get no output, your file is bad. Delete it and download it again.
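The same two steps as scriptable shell functions with explicit exit codes, an added example that is not part of the original guide. It assumes gpgv and sha256sum (or shasum on macOS) are on PATH; the argument names KEYRING, SIGFILE, SUMSFILE and FILE are placeholders for the files downloaded above.

```shell
#!/bin/sh
# Added example (not from the original guide): the signature check and the
# hash check as functions that return nonzero on any failure, so the result
# can be acted on by a script instead of read by eye.

# Hash helper: GNU sha256sum on Linux/Git Bash, shasum on stock macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Step 1: detached signature over the sums list, trusting only keys in KEYRING.
# Returns gpgv's exit status: 0 only for a good signature from that keyring.
verify_signature() {  # verify_signature KEYRING SIGFILE SUMSFILE
  gpgv --keyring "$1" "$2" "$3"
}

# Step 2: find FILE's expected hash in SUMSFILE and compare with the real one.
# Exit codes: 0 = OK, 1 = hash mismatch, 2 = FILE not listed in SUMSFILE.
# Accepts both "hash  name" and "hash *name" (binary-mode) lines; file names
# containing spaces are not handled, which is fine for release ISOs.
verify_hash() {  # verify_hash FILE SUMSFILE
  file=$1; sums=$2
  expected=$(awk -v f="$file" '{ n=$2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
  [ -n "$expected" ] || { echo "$file: not listed in $sums" >&2; return 2; }
  actual=$(file_sha256 "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$file: OK"; return 0
  else
    echo "$file: FAILED (expected $expected, got $actual)" >&2; return 1
  fi
}

# Full flow, in order: a matching hash means nothing if the list was not signed.
verify_download() {  # verify_download FILE SUMSFILE SIGFILE KEYRING
  verify_signature "$4" "$3" "$2" || { echo "signature check failed; do not trust $2" >&2; return 3; }
  verify_hash "$1" "$2"
}
```

Unlike the grep pipeline above, whose exit status is 0 whenever the ISO's line appears at all (even when that line reads FAILED), these functions only return 0 when both checks pass.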
CLI Tips
Working in the terminal can be much faster with these tricks.
- Tab Completion: After typing the first few letters of a command or file (e.g., gpgv --keyring ./ubu...), press the Tab key. Your shell will automatically complete the rest of the name for you.
- Drag and Drop: If your files are in a different folder, you don't need to type the full path (e.g., /Users/yourname/Downloads/...). You can type the command (gpgv --keyring) and then drag the ubuntu-keyring.gpg file from your Finder/Explorer window and drop it into the terminal. The full, correct path will appear automatically.