Last update: March 17, 2019.


Verifying Software Signatures

Introduction

For greater system security, installing unsigned software should be avoided at all costs. Instead, it is recommended to:

What Digital Signatures Prove

Bear in mind that using digital signatures to verify the trustworthiness of software is not an infallible process. Digital signatures increase the certainty that no backdoor was introduced by a third party during transit, but this does not mean the software is absolutely "backdoor-free". The following is a summary of what digital signatures prove and do not prove.

Table: Digital Signatures Properties

Digital signatures prove:
  • Someone with access to the private key has made a signature.
  • The file contents have not been tampered with (preserving integrity).
  • May indicate the given file is authentic.

Digital signatures do not prove:
  • Any other property, for example, that the file is not malicious. Nothing stops a person from signing a malicious program.
  • That persons signing the file are inherently trustworthy, for example, Microsoft, Whonix ™ developers and so on -- but trust must eventually be placed in someone. [1]

If all files downloaded from trusted vendors are verified, this removes the threat of server compromises, dishonest staff at hosting companies or ISPs, Wi-Fi attacks and so on. The reason is that files which have been tampered with will produce bad digital signatures, so long as the public keys used for signature verification are the authentic, original ones (see below).

Checking Digital Fingerprints of Signing Keys


A critical first step in verifying that software is legitimate is confirming that the signing key is authentic, which requires inspecting the key fingerprint. [2] Always perform this check before keys are imported or trust is placed in OpenPGP output when verifying files or repositories.

The standard Whonix ™ wiki advice is to carefully obtain copies of the OpenPGP fingerprint from multiple secure websites and to use other authentication systems to check they match. [3] In this instance, "other authentication systems" refers to: [4]

  • Use the PGP Web of Trust.
  • Check the key against different keyservers.
  • Use different search engines to search for the fingerprint.
  • Use Tor to view and search for the fingerprint on various websites.
  • Use various VPNs and proxy servers.
  • Use different Wi-Fi networks (work, school, internet cafe, etc.).
  • Ask people to post the fingerprint in various forums and chat rooms.
  • Check against PDFs and photographs in which the fingerprint appears (e.g., slides from a talk or on a T-shirt).
  • Repeat all of the above from different computers and devices.

Checking Digital Fingerprints of Signed Software

Before file signatures can be safely verified with the signing key, several prerequisites must be met:

  1. The correct signing key pair was downloaded.
  2. The signing key's fingerprints were checked against multiple sources.
  3. The key pair was imported.
  4. The software package intended for installation was downloaded.
  5. The accompanying signature file for the software package (.asc files are GPG signatures) was downloaded.

The following example shows how the file signature is checked for Tor Browser bundle v8.5, directly downloaded from The Tor Project website.

In a terminal, run:

    gpg --verify tor-browser-linux64-8.5_en-US.tar.xz.asc tor-browser-linux64-8.5_en-US.tar.xz

The OpenPGP output should show a "Good signature", with the primary key fingerprint matching the one verified earlier. In this example:

    gpg: Signature made Mon May 20 11:00:34 2019 UTC using RSA key 0xEB774491D9FF06E2
    gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
         Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

The software can now be safely installed. The WARNING about an uncertified key is expected when the key has not been signed locally; the fingerprint check performed earlier is what establishes its authenticity. If the output states "bad signature", then the files and digital signatures should be removed and downloaded again.
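As an added example (not code from the Whonix wiki or the Tor Project), the fingerprint comparison from the steps above can be made machine-checked instead of done by eye: gpg's machine-readable --status-fd output is parsed and a file is accepted only when a VALIDSIG line names the pinned primary key fingerprint. The helper names and the sample status lines are constructed for this example; the fingerprints are the ones shown in the Tor Browser 8.5 output above.

```python
import subprocess

# Primary key fingerprint from the Tor Browser example above, pinned by the
# operator after the multi-source fingerprint check (spaces removed).
PINNED_PRIMARY_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Status keywords that force rejection: bad/expired/revoked signature, or a missing/expired/revoked key.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_text):
    """Reduce gpg --status-fd output to the fields the accept/reject decision needs."""
    found = {"primary_fpr": None, "reject": []}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line (human-readable text goes to stderr anyway)
        if fields[1] == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <res>
            #          <pk-algo> <hash-algo> <class> <primary-key-fpr>
            found["primary_fpr"] = fields[11] if len(fields) > 11 else fields[2]
        elif fields[1] in REJECT_KEYWORDS:
            found["reject"].append(fields[1])
    return found


def verify_against_pin(status_text, pinned_fpr=PINNED_PRIMARY_FPR):
    """Return (accepted, reason); only a VALIDSIG from the pinned primary key passes."""
    found = parse_status(status_text)
    if found["reject"]:
        return False, "gpg reported " + ", ".join(found["reject"])
    if found["primary_fpr"] is None:
        return False, "no VALIDSIG line, the signature was not verified"
    if found["primary_fpr"].upper() != pinned_fpr.replace(" ", "").upper():
        return False, "valid signature but from unexpected key " + found["primary_fpr"]
    return True, "good signature from pinned key " + found["primary_fpr"]


def verify_file(sig_path, file_path):
    """Run gpg on a real download and apply the pin check to its status lines."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True, check=False)
    return verify_against_pin(proc.stdout)


# Constructed status output mirroring the Tor Browser 8.5 example above.
SAMPLE_STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2019-05-20 1558350034 0 4 0 1 10 01 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Note that a GOODSIG line alone is not sufficient: it carries only the 64-bit key ID, while VALIDSIG carries the full fingerprints, so the comparison is made against the latter.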

Attribution

Gratitude is expressed to Qubes OS (Permission). The What Digital Signatures Prove chapter contains content from the Qubes OS page What do the Digital Signatures Prove and What They DO NOT Prove.

Footnotes

  1. Digital signatures are still useful in this case, because it is possible to limit trust to a few select people/organizations such as Whonix ™ developers.
  2. For example, anybody could generate an OpenPGP key pair and pretend to be the "Whonix ™ Project", but only Patrick Schleizer's key pair is legitimate.
  3. Website checks are only as secure as the imperfect TLS system, which is itself based on certificate authorities that have been frequently compromised in recent years.
  4. https://www.qubes-os.org/security/verifying-signatures/


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
