How to verify a download file using a .sig file and public key, in Windows 10

Tags: anti-malware, file-download, security, verification

I'm interested in installing the Electron Cash application from electroncash.org (Electron-Cash-2.9.4.exe) and the website indicates that to be sure of the integrity of the download, I should verify the authenticity of the file.

The site points me to the developers' GitHub page to get the keys and hashes. I've deduced that of the 3 public keys at that link, the one to use is probably the one called jonaldkey.txt (though there is another one, jonaldkey2.txt, for some reason), and there is a .sig file that presumably contains the hash.

In Windows 10, how can I use the public key (jonaldkey.txt) and hash (Electron-Cash-2.9.4.exe.sig) to verify my downloaded file (Electron-Cash-2.9.4.exe)?

Best Answer

There's a Gpg4win application, which deals with signing and verifying files. It has its Compendium, on whose 110th page we read:

Checking a signature

Now check the integrity of the file that has just been signed, i.e. check that it is correct! To check for integrity and authenticity, the signature file – hence the file with the ending .sig , .asc , .p7s or .pem – and the signed original file (original file) must be in the same file folder. Select the signature file and select the entry Decrypt and check from the Windows Explorer context menu:

Context menu

Obviously you need to install it with the shell extension. The option to verify a .SIG file is under the More GpgEX Options. To verify your program, I used these steps:

  • downloaded jonaldkey.txt, not the other, and the Electron-Cash-2.9.4.exe.sig file
  • renamed jonaldkey.txt to jonaldkey.PEM
  • right-clicked the .SIG and chose Verify
  • the program said it cannot verify because of an unknown key, so I clicked the Import button
  • I was asked to create my own key in order to verify another person's public key, so I did that; unfortunately I was asked to accept a fingerprint of that public key, which isn't available anywhere
  • after that I chose the newly imported key in the verification process and it passed.

Output of a verified file

Verify checksum (not the signature)

You can also download the SHA1.Electron-Cash-2.9.4.exe.txt file, which is a text file, and rename its extension to .sha1. I have two tools at my disposal which verify checksums. These are: 7zip and Total Commander by Ghisler. The former adds a context menu allowing you to show various checksums of a clicked file; in this case we right-click the .exe file (not the .sig) and compare the displayed sum with the downloaded SHA1 text file. The latter allows you to press Enter on *.sha, *.md5, *.sfv etc. files and displays the results as OK or FAIL.

Context menu of 7zip

Total Commander has verified the file
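The same two checks (detached GPG signature, then SHA-1 checksum) done from the command line, as an added example that is not part of the original answer. It assumes gpg.exe from Gpg4win is on PATH, that the four files named on this page sit in the current directory, and that the SHA1 text file contains the 40-character hex digest somewhere in its text.

```powershell
# Added example, not from the original answer. Assumes gpg.exe (Gpg4win) is on PATH
# and that the files below are in the current directory.
$ErrorActionPreference = 'Stop'

$Exe      = 'Electron-Cash-2.9.4.exe'
$Sig      = "$Exe.sig"
$KeyFile  = 'jonaldkey.txt'
$Sha1File = "SHA1.$Exe.txt"

foreach ($f in $Exe, $Sig, $KeyFile, $Sha1File) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# 1. Import the developer's public key. gpg.exe reads the ASCII-armoured .txt
#    directly, so the rename to .PEM used in the GUI steps is not needed here.
& gpg --batch --import $KeyFile
if ($LASTEXITCODE -ne 0) { throw 'Key import failed' }

# 2. Show the fingerprint(s) now in the keyring so they can be compared with a
#    copy obtained from a second, independent source. A valid signature only
#    proves the file matches whatever key you imported, not who owns that key.
& gpg --batch --fingerprint

# 3. Verify the detached signature. Exit code 0 means the signature is
#    cryptographically valid for the imported key; non-zero means bad/missing.
& gpg --batch --verify $Sig $Exe
$sigOk = ($LASTEXITCODE -eq 0)

# 4. Independently compare the SHA-1 checksum. The regex pulls the first
#    40-hex-digit token out of the text file, whatever else it contains
#    (assumption about the file's layout).
$m = [regex]::Match((Get-Content -LiteralPath $Sha1File -Raw), '\b[0-9a-fA-F]{40}\b')
if (-not $m.Success) { throw "No SHA-1 digest found in $Sha1File" }
$actual = (Get-FileHash -LiteralPath $Exe -Algorithm SHA1).Hash
$hashOk = ($actual -ieq $m.Value)

Write-Host ("Signature : {0}" -f ($(if ($sigOk)  { 'OK' } else { 'FAIL' })))
Write-Host ("SHA-1     : {0}" -f ($(if ($hashOk) { 'OK' } else { 'FAIL' })))
Write-Host ("  expected {0}`n  actual   {1}" -f $m.Value, $actual)

# Non-zero exit if either check failed, so the script can gate an install step.
if (-not ($sigOk -and $hashOk)) { exit 1 }
```

Both checks passing still leaves the question the answer raises in its fifth step: the fingerprint printed in step 2 should match one published somewhere other than the download location before the key is treated as the developer's.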
