How to verify a file's authenticity which you downloaded from the internet?
A digital signature is a way to ensure the authenticity and integrity of a digital document or file. It is similar to a traditional signature on a paper document, but it uses public-key cryptography to create a unique value that is tied both to the document and to the private key of the person or organization signing it.
When a digital signature is created, a hash of the document is computed with a cryptographic hash algorithm, so it is specific to the exact bytes being signed. That hash is then signed with the signer's private key, and the resulting signature, together with the signer's certificate information, is embedded in the document (or shipped alongside it as a separate signature file). When someone else receives the document, they recompute the hash and verify the signature with the signer's public key; this confirms both that the document has not been altered since it was signed and that it was signed by the holder of the private key matching that certificate.
Digital signatures can be used to verify the authenticity of downloaded files in several ways:
By checking the file's digital signature: If the file carries a valid digital signature whose certificate belongs to the publisher you expect, it is likely to be authentic.
By using the software's built-in signature verification tools: Many software programs, such as Adobe Acrobat or Microsoft Word, have built-in mechanisms for verifying digital signatures. These tools will typically allow you to check the signature, view the certificate information, and ensure that the signature is valid and the document has not been tampered with.
By using online verification: Some organizations or websites provide online verification tools that can be used to check the validity of a digital signature.
By using open-source tools: Command-line tools such as OpenSSL and GnuPG can be used to verify digital signatures, which is useful for files that ship with a separate signature file or checksum.
It's important to note that while digital signatures can help ensure the authenticity of a downloaded file, they do not guarantee the safety or accuracy of the file's content. Additionally, digital signatures can be forged, so it is important to verify the signature itself (who the certificate was issued to and whether the signature is reported as valid) rather than simply relying on the fact that a signature is present.
Example:
Let's say we download PyCharm from this link: https://www.jetbrains.com/pycharm/download/#section=windows
After the download finishes, we go to the location of the .exe file and open its properties.
We notice that in the properties window there is a tab called "Digital Signatures", and when we open that tab we can see that JetBrains actually signed this file with their certificate.
Now we download the same file from Softonic.
So how do we know that Softonic didn't just add their own malware to it, making it a completely different file?
After the download finishes, we check the properties again and see that this file has also been signed by JetBrains.
So this is how you can verify whether the file you downloaded is authentic or not.
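The same check can be done from PowerShell instead of the Properties dialog, which makes it easy to compare the official download with the Softonic copy. This is an added example, not code from the original post; the two file paths and the 'JetBrains' subject pattern are placeholders to replace with your own.

```powershell
# Added example: verify a downloaded Windows executable the way the
# Properties > Digital Signatures tab does, but also insist on WHO signed it.
# The paths and the subject pattern below are placeholders (assumptions).

function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Get-AuthenticodeSignature recomputes the hash embedded in the PE file
    # and builds the certificate chain; Status is 'Valid' only if both succeed.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $result = [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Signer        = if ($cert) { $cert.Subject } else { $null }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        ExpiresOn     = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped   = [bool] $sig.TimeStamperCertificate
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted       = $false
    }

    # A signature being present is not enough: the chain must validate AND the
    # certificate subject must name the publisher we expect.
    $result.Trusted = ($sig.Status -eq 'Valid') -and
                      ($null -ne $cert) -and
                      ($cert.Subject -match $ExpectedSubjectPattern)
    return $result
}

# Placeholder paths: the official download and the copy from a third-party mirror.
$official = Test-DownloadSignature -Path 'C:\Downloads\pycharm-official.exe' -ExpectedSubjectPattern 'JetBrains'
$mirror   = Test-DownloadSignature -Path 'C:\Downloads\pycharm-mirror.exe'   -ExpectedSubjectPattern 'JetBrains'
$official, $mirror | Format-List

if ($official.Trusted -and $mirror.Trusted -and ($official.Sha256 -eq $mirror.Sha256)) {
    Write-Host 'Both files are validly signed by the expected publisher and are byte-identical.'
} elseif ($official.Trusted -and $mirror.Trusted) {
    Write-Host 'Both are signed by the expected publisher but differ (e.g. another version); check the version first.'
} else {
    Write-Warning 'At least one file failed signature verification; do not run it.'
}
```

A valid signature from the expected publisher on a byte-identical file is the strongest result; a valid signature on a different file only tells you it is some genuine JetBrains build, not necessarily the one you wanted.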
In conclusion, digital signatures provide an additional layer of security when verifying the authenticity of downloaded files. It's important to use multiple methods to ensure that you are downloading a secure file, and to always verify the authenticity of the signature itself.
Written by
Jubaer Alnazi
A security guy with 5+ years of experience in web application and mobile pen-testing. My work has been acknowledged across the globe. I have worked with more than 300+ companies to secure them.