Whenever you download a program from the Internet, you are trusting the developer that it is not harmful. There is no way around that, but it is not usually a problem, especially with well-known software and developers.
Websites that host software are a more vulnerable target, however. Attackers can compromise a website and replace the programs it offers with their own malicious versions. Such a version looks and works just like the original, except that it carries a back door. The back door lets the attackers control various parts of your everyday computer: the machine is enrolled in a botnet or, worse, the malware waits for you to use your credit or debit card and steals its details. Be especially careful when downloading important software such as an operating system, a cryptocurrency wallet or the like.
Digital signatures can save the day
Software developers can sign their products. Unless an attacker manages to steal the developer’s private key, there is no known way to forge such a signature. There have been many cases where thousands of users downloaded malware, and in almost all of them, had the users verified the digital signatures, they would have found them invalid and avoided the whole situation. Replacing software on a vulnerable website is relatively easy; stealing a properly stored private key that is kept isolated from the Internet is incredibly difficult.
You can read more about digital signatures here. This article covers the same topic, except that here you use Windows utilities to verify your downloads.
How to use Gpg4win to verify digital signatures
Go to this page and download and install Gpg4win. Smart readers will ask, “But how do I know this download is legitimate?” That is a good question: if this step is compromised, all the subsequent steps are pointless.
Fortunately, the developers went to the trouble of having their software signed with a certificate issued by a certification authority, and they explain on their website how to check the program. Although a similar cryptographic method is used for this validation, the overall mechanism is different: digital certificates are used for this purpose.
Check the file checksums
Let’s say you want to download the Bitcoin Core wallet. Download the executable for Windows x64 (the exe, not the zip). Then click “Verify release signatures” to download the file “SHA256SUMS.asc”. The first step is to check the installer’s checksum. You can read more about decentralization here.
Navigate to your download folder. Once Gpg4win is installed, right-clicking a file shows a new context menu. Right-click the Bitcoin installer (the exe you downloaded) and select “More GpgEX options -> Create checksums”, as shown below.
Open both the newly created “sha256sum.txt” and the downloaded “SHA256SUMS.asc” and compare the SHA256 checksums for the installer. They must match exactly.
Check the signature of the file containing the checksums
Since you downloaded both the installer and the checksum list from the same website, an attacker who overwrote the installer could just as easily replace the checksum list. What the attacker cannot do is forge the signature on that list, which can be verified against a known, legitimate public key. First, you need to download that key.
The following image shows what the signature looks like.
This is an inline (clearsigned) signature, included in the same file it authenticates; sometimes the signature is detached and shipped in a separate file instead. If you change a single letter in this text file, the signature becomes invalid. That is how you know the exact content, with the correct checksums, was accepted and signed by the developer.
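The two checks above (compare the installer’s SHA256 against the list, and note that the signature covers the exact text of that list) can be followed in code. The example below is added here and is not code from Gpg4win or Bitcoin Core: it splits a clearsigned SHA256SUMS.asc into the text the signature covers and the armored signature block, parses the checksum lines, and compares a downloaded file against them. The installer bytes, file names and the signature block are constructed placeholders; the PGP signature itself is still verified by Gpg4win, this code only shows which bytes that signature protects and how the checksum comparison works, including the case where one byte of the installer has been changed.

```python
"""Added example (not from the original article or from Gpg4win/Bitcoin Core).

Parses a clearsigned SHA256SUMS.asc and checks a downloaded file against
the checksum list. Sample data below is constructed for the demo.
"""
import hashlib
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# One line of a sha256sum-style list: 64 hex digits, whitespace, optional
# '*' (binary mode marker), then the file name.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def split_clearsigned(text: str) -> tuple[str, str]:
    """Return (signed_text, armored_signature) from a clearsigned file.

    Follows the RFC 4880 clearsign layout: 'Hash:' header lines run up to
    the first blank line, lines that were dash-escaped ('- ' prefix) are
    restored, and trailing whitespace is not part of the signed text.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG)
    except ValueError as exc:
        raise ValueError("not a clearsigned file") from exc
    if not (start < sig_start < sig_end):
        raise ValueError("armor markers out of order")
    body_start = start + 1
    while body_start < sig_start and lines[body_start].strip():
        body_start += 1          # skip 'Hash: SHA256' style headers
    body_start += 1              # skip the blank line ending the headers
    body = []
    for line in lines[body_start:sig_start]:
        if line.startswith("- "):
            line = line[2:]      # undo dash-escaping
        body.append(line.rstrip())
    signed_text = "\n".join(body)
    armored_sig = "\n".join(lines[sig_start:sig_end + 1])
    return signed_text, armored_sig


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; reject malformed lines."""
    sums: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SUM_LINE.match(line)
        if not match:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = match.groups()
        sums[name] = digest.lower()
    return sums


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of the file contents (what 'Create checksums' computes)."""
    return hashlib.sha256(data).hexdigest()


def check_download(name: str, data: bytes, sums: dict[str, str]) -> bool:
    """True only if the file's digest equals the one listed for its name."""
    if name not in sums:
        raise KeyError(f"{name} is not listed in the checksum file")
    return sums[name] == sha256_of(data)


# --- constructed sample data (placeholders, not real release artifacts) ---
INSTALLER_NAME = "bitcoin-X.Y.Z-win64-setup.exe"   # placeholder file name
INSTALLER_BYTES = b"MZ\x90\x00constructed installer bytes, not a real binary"
TAMPERED_BYTES = INSTALLER_BYTES[:-1] + b"!"        # one byte changed

# Stands in for the developer's published SHA256SUMS.asc: the digest of the
# genuine installer plus a second (made-up) entry and a placeholder signature.
SHA256SUMS_ASC = (
    f"{BEGIN_SIGNED}\n"
    "Hash: SHA256\n"
    "\n"
    f"{sha256_of(INSTALLER_BYTES)}  {INSTALLER_NAME}\n"
    f"{'ab' * 32}  bitcoin-X.Y.Z-win64.zip\n"
    f"{BEGIN_SIG}\n"
    "\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\n"   # placeholder, not a real signature
    f"{END_SIG}\n"
)

if __name__ == "__main__":
    signed, sig = split_clearsigned(SHA256SUMS_ASC)
    sums = parse_sha256sums(signed)
    print("genuine installer matches:", check_download(INSTALLER_NAME, INSTALLER_BYTES, sums))
    print("tampered installer matches:", check_download(INSTALLER_NAME, TAMPERED_BYTES, sums))
```

The order matters: a matching checksum only proves the installer corresponds to the list, so the list itself still has to pass the signature check against the developer’s key before the match means anything.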
Get the developer’s public key
The public keys are available for download in the “Bitcoin Core Release Signing Keys” section of the Bitcoin download page. As a precaution, you can also obtain them from another source: if an attacker replaced the legitimate keys on the site with their own, you still have a good chance of finding the correct keys (and fingerprints) in the other places where they have been published or discussed.
Right-click “SHA256SUMS.asc” and select “Decrypt and verify”. The program reports that you do not have the public key yet. Click “Search”.
The search may take some time. Note the string in the “Search” field.
You can copy and paste it into Google to see whether this public key fingerprint has been discussed in legitimate threads, websites and so on. The more places you find it, the more confident you can be that it belongs to the intended owner.
Click the key and import it. You can click “No” at the next prompt (certify the key) if you don’t know how or don’t want to do it now.
Finally, click “Show Audit Log”.
You should see the text highlighted in the following image, “Good signature”.
Try changing just one letter in “SHA256SUMS.asc” and you will get the result shown in the following image.
Few developers give you the opportunity to verify that their software really comes from them, but programs that handle sensitive or very important information usually do. Use it; it might get you out of trouble one day.