Security

Verify your download

By Nikolas Eller, Posted on Oct 15, 2018 - 08:07 UTC


Once you have downloaded an application, you can install it right away. But how can you be sure that the file you downloaded came from the developers and not a malicious copy planted by attackers? You can’t be sure unless you verify the downloaded file. This blog post shows you how to verify the downloaded EAuthenticator installer.

Why don’t we provide a checksum for our installers?

A lot of websites provide a checksum for their downloadable software and recommend that you verify the download against it. What they don’t say, or maybe don’t know, is that a checksum does not ensure that the software came from the developers or the project. So what are checksums and what do they guarantee? A checksum is typically the hash value of a file. A hash function maps a bit string of arbitrary length to a bit string of fixed length, and a good hash function produces a completely different output even if only one bit of the file (the long bit string) changes. This means that if you download a file and the checksum doesn’t match, something is corrupt. In computer security terms, this is the security goal ‘integrity’.

The problem with a checksum is that anybody can generate one. An attacker who was able to modify the installer most likely also has the ability to replace the checksum published for that file. So a user cannot tell from the checksum whether the installer came from the developers or from an attacker. To avoid giving users the impression that a matching checksum proves the software is from the EAuthenticator team, we don’t provide one.

What is the better solution?

To guarantee that the software is from us, we need the security goal ‘authenticity’, which ensures that the software really comes from the team. This is achieved with an asymmetric cryptographic system: we hold a private key that creates the signature and publish the corresponding public key so that you can verify that signature. Because only we have the private key, it is nearly impossible for anyone else to produce a signature that passes verification.

How to verify our installers

We use GnuPG to sign the software, so we recommend that you also use GnuPG to verify it. To download and install GnuPG, take a look at the GnuPG download area. After that, follow these steps.

  1. Download our public key
     gpg --keyserver pool.sks-keyservers.net --recv-keys 0x1CDD3BC6E26BB0887821B5D66038601234E754F6

  2. Verify the downloaded installer (you also need the corresponding .sig file)
     gpg --verify EAuthenticator[...].sig

    Note: Replace the […] with the rest of your downloaded file name. The installer file must be in the same directory as the .sig file.
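The two steps above, as an added example that is not part of the original post: a small Python helper that runs gpg with machine-readable status output and accepts the installer only when the signature is good and was made by the key whose fingerprint is given in step 1. A plain “Good signature” line only proves that the file was signed by some key in your local keyring, so the fingerprint comparison is the part that ties the installer to the EAuthenticator team. The status lines at the bottom are constructed samples, and the function and variable names are my own.

```python
# Added example (not the post's own tooling): judge gpg's --status-fd output
# for a detached EAuthenticator signature. Only the fingerprint is from the post.
import subprocess

EXPECTED_FPR = "1CDD3BC6E26BB0887821B5D66038601234E754F6"

def parse_status(status_text):
    """Collect the verdict from gpg's machine-readable "[GNUPG:] ..." lines.
    GOODSIG only says the signature matched *some* key in the local keyring;
    VALIDSIG carries the full fingerprint of the key that made it."""
    r = {"good": False, "bad": False, "no_pubkey": False, "fpr": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter, not a status line
        parts = line.split()
        if parts[1] == "GOODSIG":
            r["good"] = True
        elif parts[1] == "VALIDSIG":
            r["fpr"] = parts[2].upper()  # first argument is the fingerprint
        elif parts[1] == "BADSIG":
            r["bad"] = True
        elif parts[1] == "NO_PUBKEY":
            r["no_pubkey"] = True  # step 1 (importing the key) was skipped
    return r

def verdict(status_text, expected_fpr=EXPECTED_FPR):
    """'ok' only if the signature is good AND made by the expected key."""
    r = parse_status(status_text)
    if r["no_pubkey"]:
        return "signing key not imported"
    if r["bad"] or not r["good"] or r["fpr"] is None:
        return "bad signature"
    if r["fpr"] != expected_fpr.upper():
        return "signed by a different key"
    return "ok"

def verify_installer(sig_path, expected_fpr=EXPECTED_FPR):
    """Run step 2 of the post with status lines on stdout and judge them."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path],
                          capture_output=True, text=True)
    return verdict(proc.stdout, expected_fpr)

# Constructed sample status lines (not captured from a real gpg run).
OTHER_FPR = "DEADBEEF" * 5  # placeholder fingerprint of a key that is not ours
SAMPLE_GOOD = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 6038601234E754F6 EAuth Team\n"
               f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2018-10-15 1539590820 0 4 0 1 10 00 {EXPECTED_FPR}\n")
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(EXPECTED_FPR, OTHER_FPR)
SAMPLE_NO_KEY = "[GNUPG:] NEWSIG\n[GNUPG:] NO_PUBKEY 6038601234E754F6\n"
```

Calling verify_installer("EAuthenticator[...].sig") runs the real check once GnuPG is installed and the installer sits next to the .sig file.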


If you want to get the newest information about EAuthenticator: Follow us on Twitter