It is worth spending a little time verifying that a downloaded file is actually what the website describes, to reduce the risk of man-in-the-middle attacks or of downloading a fraudulent file.
In most cases a GPG signature is used for this security measure; it is based on asymmetric (public-key) cryptography. You can learn more about it in the following post: Encrypt or Digitally Sign With OpenSSL using Asymmetric Keys
The process is as follows:
- Download the public key from the website and import it
- Download the intended file and the detached signature “.sig” or “.asc” file
- Verify the downloaded file
In order to explain the use case, the ClamAV web page will be used as the example to verify the GPG signature.
Download the public key from the website
First of all, you’ll need to download the public key from the website. To do so, go to the ClamAV Download section, expand the “Talos PGP Public Key” and copy the text from “-----BEGIN PGP PUBLIC KEY BLOCK-----” to “-----END PGP PUBLIC KEY BLOCK-----”.
Then paste it as is into a file on your system using vim or nano and save it. In this example, the file was saved as clamav.key:
Next, to import this key file, you need to run the following command:
$ gpg --import clamav.key
The output will look similar to the following:
$ gpg --import clamav.key
gpg: directory `/home/fse/.gnupg' created
gpg: new configuration file `/home/fse/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/fse/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/fse/.gnupg/secring.gpg' created
gpg: keyring `/home/fse/.gnupg/pubring.gpg' created
gpg: /home/fse/.gnupg/trustdb.gpg: trustdb created
gpg: key 2B3EDD07: public key "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
Download the intended file and the detached signature “.sig” or “.asc” file
After importing the ClamAV key, proceed to download the file you’re looking for and the corresponding signature file. In this case, both files are named:
- clamav-0.105.1.linux.x86_64.rpm
- clamav-0.105.1.linux.x86_64.rpm.sig
Normally, the signature file has the same name as the original file but with “.asc” or “.sig” appended.
Execute the next commands to download both files:
$ wget -q https://www.clamav.net/downloads/production/clamav-0.105.1.linux.x86_64.rpm
$ wget -q https://www.clamav.net/downloads/production/clamav-0.105.1.linux.x86_64.rpm.sig
Verify the downloaded file’s signature
Once you have all the files in place and the PGP key imported, proceed with the following command to perform the verification:
$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm
If you get the message “Good signature from …”, the file was not tampered with after it was signed by that key. The WARNING lines that follow only mean you have not certified the key yourself, so compare the printed primary key fingerprint with the one published by the vendor before relying on the result:
$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm
gpg: Signature made Tue 26 Jul 2022 10:26:17 AM CEST using RSA key ID 2B3EDD07
gpg: Good signature from "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E34D B95B 374B 3157 0496 CD3F 609B 024F 2B3E DD07
Let’s manually alter the downloaded rpm file to force the negative message and perform the verification again:
$ echo a >> clamav-0.105.1.linux.x86_64.rpm
$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm
After the above commands, the message obtained should be “BAD signature from …”:
$ gpg --verify clamav-0.105.1.linux.x86_64.rpm.sig clamav-0.105.1.linux.x86_64.rpm
gpg: Signature made Tue 26 Jul 2022 10:26:17 AM CEST using RSA key ID 2B3EDD07
gpg: BAD signature from "Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>"
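The whole procedure from the post (import the public key, verify the detached signature, re-verify after tampering) as one script, together with the fingerprint comparison that a bare “Good signature” line does not give you. This is an added example and is not code from the original post or from the ClamAV project. To run offline it constructs its own signing key and package file in throwaway GNUPGHOME directories; the ClamAV key, URLs and fingerprint shown above are not used, and the all-zero fingerprint is a constructed placeholder. It assumes GnuPG 2.x.

```shell
#!/bin/sh
# Added example, not code from the original post or from the ClamAV project.
# Runs the post's procedure end to end (import key, verify, verify a tampered
# copy) and adds an out-of-band fingerprint check. Everything is constructed
# locally in throwaway GNUPGHOME directories so it runs offline; needs GnuPG 2.x.
set -u

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Stand-in for the vendor's web site: a constructed signing key, a constructed
# package file with its detached signature, and the "published" public key
# (vendor.key) and key fingerprint (vendor.fpr).
make_vendor_artifacts() {
    export GNUPGHOME="$WORK/vendor"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Vendor <vendor@example.invalid>' default default never \
        2>/dev/null
    printf 'constructed package payload\n' > "$WORK/pkg.bin"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$WORK/pkg.bin.sig" "$WORK/pkg.bin" 2>/dev/null
    gpg --batch --armor --export > "$WORK/vendor.key" 2>/dev/null
    # Field 10 of the "fpr" record is the primary key fingerprint, the value a
    # vendor prints on its download page for out-of-band comparison.
    gpg --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }' > "$WORK/vendor.fpr"
}

# verify_download PUBKEY EXPECTED_FPR FILE SIGFILE
# Imports PUBKEY into the current GNUPGHOME and verifies FILE against SIGFILE.
# Prints "good", "bad" (content changed after signing), "untrusted-key" (valid
# signature, but not from the key whose fingerprint you expected) or "error"
# (no usable signature or key), and returns 0 only for "good".
verify_download() {
    pubkey=$1; expected_fpr=$2; file=$3; sig=$4
    gpg --batch --quiet --import "$pubkey" 2>/dev/null || true
    # --status-fd 1 yields machine-readable [GNUPG:] lines on stdout instead of
    # the human-readable "Good signature from ..." text on stderr.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
    case $status in
        *'[GNUPG:] BADSIG '*)  echo bad;   return 1 ;;
        *'[GNUPG:] GOODSIG '*) ;;
        *)                     echo error; return 2 ;;
    esac
    # GOODSIG only proves the file matches some key in your keyring. The
    # VALIDSIG line ends with the primary key fingerprint; comparing it with the
    # fingerprint obtained out of band is what the "not certified" WARNING in
    # the post is asking you to do.
    actual_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF }')
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo untrusted-key; return 3
    fi
    echo good; return 0
}

# Runs the three scenarios once and caches the result so repeated calls do not
# regenerate keys. Output: "<genuine> <wrong fingerprint> <tampered>".
run_demo() {
    if [ ! -f "$WORK/result" ]; then
        make_vendor_artifacts
        export GNUPGHOME="$WORK/user"
        mkdir -m 700 "$GNUPGHOME"
        published_fpr=$(cat "$WORK/vendor.fpr")
        r1=$(verify_download "$WORK/vendor.key" "$published_fpr" "$WORK/pkg.bin" "$WORK/pkg.bin.sig") || true
        # Same valid signature, but the fingerprint you expected (a constructed
        # all-zero placeholder) differs: do not trust the key.
        r2=$(verify_download "$WORK/vendor.key" "0000000000000000000000000000000000000000" "$WORK/pkg.bin" "$WORK/pkg.bin.sig") || true
        printf 'a\n' >> "$WORK/pkg.bin"      # the post's tampering step
        r3=$(verify_download "$WORK/vendor.key" "$published_fpr" "$WORK/pkg.bin" "$WORK/pkg.bin.sig") || true
        echo "$r1 $r2 $r3" > "$WORK/result"
    fi
    cat "$WORK/result"
}

if command -v gpg >/dev/null 2>&1; then
    echo "genuine / wrong fingerprint / tampered: $(run_demo)"
fi
```

For a real download you would drop make_vendor_artifacts and pass the vendor’s key file, the fingerprint copied from a second source (the vendor’s page over HTTPS, a printed copy, a colleague’s keyring), the package and its .sig to verify_download; treating “untrusted-key” as a failure is the difference between checking a signature and checking the right signature.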
Here’s the image of the two verification attempts:
To conclude
By performing this verification on downloaded files, you confirm that a file’s integrity has been preserved before you execute it on your system, and you avoid running tampered files that could carry fraudulent software made by malicious actors.