I just had a realization about something that is pretty important and I wanted to share it with you, regarding security.

Verifying your downloads
As a general rule of thumb, you should always download files from the home pages of their respective developers.
Virtual Box: https://www.virtualbox.org/
The reason this is so important is that there are people who host maliciously modified versions of these programs on legitimate-looking sites to try and get you to download their version, which can install things like backdoors, keyloggers, and all types of nasty surprises onto your computer. Sometimes developers will offer mirrors for their projects, which are simply alternative links to download from in case the main server is too slow or down. Sometimes these mirrors can become compromised without the knowledge of the developers.
Maybe you do not have TOR or Tails on your laptop, you are traveling out of the country, and the hotel you are staying at has TOR’s homepage blocked. There are times when you may need to find an alternative mirror to download certain things. Then of course there is the infamous man-in-the-middle attack, where an attacker can inject malicious code into your network traffic and alter the file you are downloading. The TOR developers have even reported that attackers have the capability of tricking your browser into thinking you are visiting the TOR home page when in fact you are not.
So what do you do about it? You can verify that the file you downloaded is in fact legitimate. The best tool for this is GnuPG. The TOR developers recommend you get it from the following page (Windows Users).
You can install this program on your USB drive or on your actual computer; you will hear your actual computer’s operating system referred to as your Host OS. So download it, run it, install it, and we will start showing you how to use GnuPG.
If you remain on the GnuPG download page you will see something under the big green box called OpenPGP signature. Download that into the same folder as the GnuPG file; this is the file the download was signed with, basically someone’s signature saying, I made this file. You also need a PGP public key to verify the signature. So to sum it up so far: the signature is created with the PGP private key and can be verified with the PGP public key, and the signature file is used to verify the program itself. So let us grab the PGP public key for GnuPG as well.
If you look on the same download page, under the heading Installation, you will see a link where it says verify the integrity of the file. It will lead you to the following page.
Note where it says the following statement: The signatures have been created with the following OpenPGP certificate Intevation File Distribution Key (Key ID: EC70B1B8). This is the link to the page that hosts the PGP public key file that you need to download, so go there. On the page we just navigated to, go to the bottom right where it says Intevation-Distribution-Key (public OpenPGP key for signing files) and download that file. This is the PGP public key file; save it to the same place as your signature file for ease of use.
Okay, now that we have both the signature file and the PGP public key, let us verify our download. The first thing you need to do is navigate to the PGP public key file, called Intevation-Distribution-Key.asc, right click it and go to More GpgEX Options and down to Import Keys. This will import the PGP public key into your key ring, and now you can verify the file with the signature.
Right click the actual file you want to verify, in this case gpg4win-2.2.1.exe, and go to More GpgEX Options and down to Verify. It should automatically detect the signature file where it says Input File, but if it does not, navigate to the signature file and make sure the box below it that says Input file is a detached signature is checked. Look at the bottom and click Decrypt/Verify and you will likely get the following message.
Not enough information to check signature validity. Check details.
Believe it or not, this is completely fine. Click on show details, you are looking for a specific result.
Signed on 2013-10-07 08:31 by [email protected] (Key ID: 0xEC70B1B8). The validity of the signature cannot be verified.
If you navigate back to the page from Gpg4Win that says Check Integrity where you found the link to the page that contained the PGP public key you will see on that page.
Intevation File Distribution Key (Key ID: EC70B1B8)
Compare the key ID from your decrypt result with the key ID from the Check Integrity page, and note that the email address ends in the same domain we downloaded the PGP public key from. We have a match! I will explain the reason for this warning message later.
Now that we have verified that our verification program is legit, let us try and verify our Tails ISO file, since if we have a compromised Tails OS, then nothing we do will be anonymous. Let us get right to the Tails download page.
Scroll down to where it says Tails 0.22 signature and download that to your Tails folder where you have the ISO file that we already downloaded. Next scroll down to where it says Tails signing key; this is our PGP public key. Exact same procedure: import the key, then click Verify and specify the signature file if it has not already been specified for you, with the exact same settings, and you will get the same warning message. As explained by Tails:
If you see the following warning:
Not enough information to check the signature validity.
Signed on … by [email protected] (Key ID: 0xBE2CD9C1)
The validity of the signature cannot be verified.
Then the ISO image is still correct, and valid according to the Tails signing key that you downloaded. This warning is related to the trust that you put in the Tails signing key. See, Trusting Tails signing key. To remove this warning you would have to personally sign the Tails signing key with your own key.
In other words, you basically need to promise that the PGP public key you downloaded is safe by signing that public key with your own private key, but we do not really need to do that and I will not be including a tutorial on how to do that. Tails explains that if you are worried about a compromised PGP public key, just download the key from multiple sources and compare them; if they all match, there is a good chance you are using a legit PGP key. Now let us finally move on to TOR, because this one will be a little less straightforward, but once you do this one, you should be able to figure out how to verify anything. Navigate to their download page and find the package that you want.
To keep things simple let us choose Tor Browser Bundle 3.5, and under the orange box you will see a link (sig). This is the link for the signature file; I hope by now you know what to do with it. Next we need the PGP public key, right? Well, it turns out that with so many developers working on TOR, there are multiple PGP public keys, and certain bundles were signed with different keys than other bundles. So we need to find the PGP public key that belongs to our Tor Browser Bundle. Check out this page.
It has a list of all the signing keys that they use, and you can certainly use these key IDs to get what we want. Start by simply right clicking on the signature file and clicking Verify. You will get a warning.
Not enough information to check signature validity. Show Details
And in details it will say the following warning.
Signed on 2013-12-19 08:34 with unknown certificate 0x416F061063FEE659
Keep this entire number in mind for later; it is called a fingerprint. But for now, if you just compare the last 8 digits to Erinn Clark’s key ID (0x63FEE659) provided on the above page, you will see they match, and she is the person who signs the Tor Browser Bundles. But we want to be a bit more thorough; never settle for mediocrity.
Go to your task bar in Windows and find the program called Kleopatra; it looks like a red circle with a small white square in it. Right click it and go to Open Certificate Manager. We are going to import the full keys using this manager. Also note, if you go to the tab that says Other Certificates you will find the Tails and Intevation (GnuPG) keys we used earlier, stored for the future when you need to download a new version of those programs and verify them again.
We are going to be following the instructions from the verifying signatures page on the TOR Project website. Feel free to follow along from that page so you know what I am talking about and where I am getting my URL and numbers from.
In order to import keys, we first need to add an online directory where they are stored. So let us add the online directory where the PGP public keys are stored according to the TOR website. Click Settings, then Configure Kleopatra. Next, click New and enter the following URL, which I took right from the page above: pool.sks-keyservers.net. Leave everything else as default and click OK.
Finally, click the button that says Lookup Certificates On Server and we will search for Erinn Clark’s PGP public key by entering the fingerprint provided on the TOR website page called Verifying Signatures above; remember, she is the developer who signs the Tor Browser Bundle. The fingerprint we are entering is 0x416F061063FEE659. Does this number look familiar? It should; it is the number we got back the first time we tried verifying, but without the actual PGP public key. If you get any warnings that pop up when searching, just click OK and it should bring up Erinn Clark’s key. Select it and click Import. You should now have her key listed under Imported Certificates.
Now let us go back and verify that signature one more time and see what happens. You should get something like the following.
Not enough information to check signature validity.
Signed on 201-12-17 12:41 by [email protected] (Key ID: 0x63FEE659).
The validity of the signature cannot be verified.
TOR also explains this warning message in their own words, in case you are still not happy with it:
Notice that there is a warning because you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.
I do not know about you, but I am happy with the result here, and I am certainly not going to track down Erinn Clark to get her key fingerprint, and it looks like our TOR Browser Bundle is legitimate as well! Now you know what to do when the PGP public key file is not directly hosted on the site itself, you have no more excuses to not verify your downloads.
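For readers who prefer the command line to Kleopatra, here is an added example (not from the original post or the Tor Project) of the decision rule this post applies: the signature check must be GOODSIG, the signing key must be compared by its full fingerprint rather than the 8-digit key ID that is easy to collide, and the trust warning (TRUST_UNDEFINED, "the validity of the signature cannot be verified") is acceptable because it only means we never signed the developer's key ourselves. It parses the machine-readable lines gpg emits with --status-fd; the 40-digit fingerprint, the timestamp and the status lines are constructed for the example, keeping only the long key ID 0x416F061063FEE659 and short ID 0x63FEE659 quoted in the post.

```python
import re

# Constructed 40-hex-digit fingerprint for the example: the last 16 digits are
# the long key ID the post reports (0x416F061063FEE659); the leading 24 digits
# are placeholders, not the developer's real fingerprint.
PINNED_FPR = "0" * 24 + "416F061063FEE659"

# gpg --status-fd lines look like "[GNUPG:] KEYWORD arg1 arg2 ..."
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Constructed status output modelled on the post's result: a good signature
# from a key we have imported but never assigned trust to.
SAMPLE_OK = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark
[GNUPG:] VALIDSIG {PINNED_FPR} 2013-12-17 1387284060 0 4 0 1 10 00 {PINNED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def key_ids(fingerprint):
    """Return (long_key_id, short_key_id) derived from a full fingerprint.

    The long ID is the last 16 hex digits, the short ID the last 8. Short IDs
    can be collided cheaply, so pin the full fingerprint, never the short ID.
    """
    fpr = fingerprint.replace(" ", "").upper()
    return "0x" + fpr[-16:], "0x" + fpr[-8:]


def verdict(status_output, pinned_fingerprint):
    """Accept only GOODSIG + VALIDSIG whose fingerprint equals the pinned one.

    TRUST_UNDEFINED is deliberately not treated as a failure: it reports our
    own web-of-trust state, not whether the signature over the file is valid.
    """
    keywords = {}
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            keywords[m.group(1)] = (m.group(2) or "").split()
    for bad in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
        if bad in keywords:
            return "REJECT: " + bad
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords:
        return "REJECT: no good signature"
    fpr = keywords["VALIDSIG"][0].upper()
    if fpr != pinned_fingerprint.replace(" ", "").upper():
        return "REJECT: signed by unexpected key " + key_ids(fpr)[0]
    return "ACCEPT"
```

To produce real input, run `gpg --status-fd 1 --verify <file>.asc <file>` and feed its output to `verdict` together with the fingerprint you obtained from the developer's own site or from several independent sources, as the Tails advice above suggests.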