Securing your computer

Software integrity and authenticity

Improve Your Personal Digital Security


  • Why verify software integrity and authenticity?
  • Verify software integrity and authenticity
Installing software on your computer may seem like a trivial operation, but in reality it represents a very serious potential risk to your computer security. In fact, downloaded software can be altered or infected by attackers, who take advantage of this opportunity to inject viruses, Trojans and other types of malware into your system.
Checking the integrity and authenticity of software before installation is therefore a very important security practice, especially when it comes to sensitive software such as Bitcoin wallets or password managers. This practice ensures that downloaded software corresponds exactly to that published by the original developer, without alteration.
In this chapter, we'll take a look at how to check the integrity and authenticity of a file, and how to carry it out on your operating system.

Why verify software integrity and authenticity?

When you download software from the Internet, you implicitly trust the file to run on your machine. But this trust should never be blind. So it's important to understand two fundamental concepts: file integrity and authenticity.

Integrity: ensuring that no alteration has occurred

The integrity of a file guarantees that it has not been modified, intentionally or unintentionally, between the time it was published by the developer and the time you downloaded it. Even the slightest modification can be enough to insert malicious code into software.
These modifications are not visible to the naked eye: the downloaded file may open and run perfectly normally, while at the same time executing malicious behavior. Hence the importance of verifying its integrity using cryptographic fingerprints (Hash).

Authenticity: guaranteeing that the software comes from the right source

A file may be intact (unmodified), but have been published by a malicious entity usurping the identity of the legitimate developer. Authenticity therefore aims to confirm that the file really does come from the official source, and not from an impostor, an unverified mirror site, or a hacker who has compromised the distribution server.
This verification of origin is made possible by the digital signature, a cryptographic mechanism that links the file to the developer's private key. When you verify this signature using the developer's public key (distributed via secure channels), you can be sure that the file actually comes from that person.
By checking both authenticity (i.e. that the installation file comes from the right source) and integrity (i.e. that it has not been modified since it was published by the legitimate developer), you can be sure you're installing the right software.

Technical solutions: Hash and digital signature

To do this, we're going to use two cryptographic tools. The first is hashing. A Hash is a short character string calculated deterministically and unpredictably from the contents of a file, using a hash algorithm such as SHA-256. Two strictly identical files will have exactly the same Hash, but the slightest modification to the file will cause the Hash to change completely.
The legitimate developer usually publishes the Hash of the original file on its official website. For your part, you will locally calculate the Hash of the installation file you downloaded, in order to compare the two. If the two fingerprints match, you can be sure that the downloaded file is genuine and has not been tampered with.
The second tool is the digital signature. This verifies the authenticity of the installation software. The developer signs the file containing the hashes with his private key, and you can verify this signature using the corresponding public key. This proves that the file has been published by the right person.
This system relies on asymmetric cryptography and tools such as GnuPG (command line) or Kleopatra (graphical interface for Windows). These tools must be properly configured, and the developer's public key must be verified via a secure channel (official website, fingerprint on Twitter...). Let's take a look at the practicalities.
To learn more about cryptographic hash functions and digital signatures, I invite you to take the free CYP 201 course offered on Plan ₿ Academy:

Verify software integrity and authenticity

Prerequisites

If you're running Linux, GPG is preinstalled on most distributions. If not, you can install it with the following command:
sudo apt install gnupg
For macOS, if you haven't already installed the Homebrew package manager, do so with the following commands:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"
Then install GPG with this command:
brew install gnupg
For Windows, if you don't have GPG, you can install Gpg4win.

Download documents

To get started, you'll need several documents relating to the software you wish to install. In this example, we'll be checking out Sparrow wallet, a Bitcoin wallet manager. The process will be similar for any other software: all you need to do is find the right files for verification.
Visit the official website of Sparrow wallet in the "Download" section. If you'd like to check out another program, please visit the site for that program.
Download the software installer for your operating system.
You'll also need the file containing the hashes, often called "SHA256SUMS" or "MANIFEST".
Also download the PGP signature of the file. This is the .asc document.
Be sure to place all these files in the same directory to facilitate the following steps.
Finally, you'll need the developer's public key to verify the PGP signature. This key is generally available on the software's official website, on the project's GitHub repository, sometimes on the developer's social networks, or on specialized platforms such as Keybase.
In the case of Sparrow wallet, you can find the public key of the developer, Craig Raw, on Keybase. To download it directly from the terminal, run the following command:
curl https://keybase.io/craigraw/pgp_keys.asc | gpg --import
To make sure that you're using the developer's real public key, and not one usurped by an attacker, I recommend that you cross-check sources: check that the key fingerprint matches on Keybase, on the project's official website, and on any social networks or communication channels of the developer.

Signature verification

The signature verification process is identical on Windows, macOS and Linux. You should have already imported the public key in the previous step, but if you haven't yet done so, you can import it using the following command:
gpg --import [key_path]
Replace [key_path] with the location of the developer's public key file.
Check the signature with the following command:
gpg --verify [file.asc]
Replace [file.asc] by the path of the signature file. In the case of Sparrow, this file is called "sparrow-2.0.0-manifest.txt.asc" for version 2.0.0.
If the signature is valid, GPG will explicitly confirm it. You can then proceed to the next step, since this verification attests to the authenticity of the file.

Checking the Hash

Now that the authenticity of the file containing the hashes has been confirmed, it's time to check the integrity of the installer file, based on this authenticated file. The aim is to compare the Hash of your installer with the one indicated in the authenticated manifest file. If the two match, this guarantees that the software code has not been altered in any way.
On Windows, open a terminal and run the following command:
CertUtil -hashfile [file_path] SHA256 | findstr /v "hash"
Replace [file_path] with the installer location.
The terminal returns the Hash of the downloaded software.
Then compare the result with the corresponding value in the "sparrow-2.0.0-manifest.txt" file.
In my case, the two hashes match perfectly.
Under macOS and Linux, the hash verification process is automated, so there's no need to manually compare the two fingerprints, as is the case under Windows.
Simply run this command under macOS:
shasum --check [file_name] --ignore-missing
Replace [file_name] with the name of the authenticated file containing the hashes. For example, for Sparrow wallet version 2.0.0:
shasum --check sparrow-2.0.0-manifest.txt --ignore-missing
If the hashes match, the output should be:
Sparrow-2.0.0.dmg: OK
Under Linux, the command is similar:
sha256sum --check [file_name] --ignore-missing
And if the hashes match, you should get:
sparrow_2.0.0-1_amd64.deb: OK
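The two steps above chained in one small script, as an added example (not code from the course or from the Sparrow project): the manifest is trusted only once its PGP signature verifies and the signing key's fingerprint matches the one you cross-checked, and only then are the installer hashes compared against it with the same --ignore-missing behaviour. The demo at the end uses constructed files, so it runs without network access or gpg; the function names, the demo file names and the expected-fingerprint argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original course: wraps the two steps above.
# The manifest is trusted only once its PGP signature verifies AND the signing
# key's fingerprint is the one you cross-checked; only then are the installer
# hashes compared against it. Assumes GNU coreutils (Linux) or shasum (macOS).
set -u

# Checksum tool: sha256sum (GNU coreutils) or Perl shasum (macOS).
sum_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# verify_manifest_signature SIG MANIFEST EXPECTED_FINGERPRINT
# gpg's machine-readable VALIDSIG status line ends with the primary key
# fingerprint, so a valid signature made by the WRONG key is rejected too.
verify_manifest_signature() {
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    actual=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null \
             | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# check_installer_hashes MANIFEST (run in the download directory)
# Exit 0 only if at least one listed file is present and every present file
# matches its hash; --ignore-missing skips the other platforms' installers.
check_installer_hashes() {
    sum_cmd --check --ignore-missing "$1"
}

# Constructed demo (no network, no gpg): a fake .deb and .dmg, a manifest
# listing both, then only the .deb kept as "downloaded", then a tampered .deb
# that must FAIL the check.
demo_dir=$(mktemp -d)
cd "$demo_dir" || exit 1
printf 'fake deb bytes\n' > sparrow-demo.deb
printf 'fake dmg bytes\n' > sparrow-demo.dmg
sum_cmd sparrow-demo.deb sparrow-demo.dmg > demo-manifest.txt
rm sparrow-demo.dmg
check_installer_hashes demo-manifest.txt
printf 'tampered\n' >> sparrow-demo.deb
check_installer_hashes demo-manifest.txt || echo "tampered installer rejected"
```

On a real download you would call verify_manifest_signature on the .asc, the manifest and the fingerprint you cross-checked, and stop if it fails before touching the hashes.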
You can now rest assured that the software you've downloaded is both authentic and intact. You can now install it on your machine.
Verifying integrity and authenticity is a fairly straightforward practice, but it provides concrete, effective protection against the vast majority of threats associated with downloading and installing software.
In the next chapter, we'll take a closer look at data management. We'll look at how you can protect yourself against two major risks: data loss and data theft.
Quiz
What is the benefit of verifying a PGP signature on a Hash file or software manifest?