Downloading something from the internet is a routine thing we all do: applications and tools, distro ISOs, media files. Downloading from your distribution's repository is reasonably safe, but what about files from third-party websites? In this quick guide, you'll learn how to verify the authenticity of downloaded files on Linux.

  • How will you make sure that the file is authentic?
  • Is it the same one that the publisher is providing?
  • How can you make sure it is not compromised?

You will learn to use hash and signature checks to confirm that a file is the one it is supposed to be. So let's go through the tools and methods we can use to check and verify the authenticity of downloaded files on Linux.

HASH checking to verify downloaded files

When you download something from the internet, let's say an office suite for your system, you visit the LibreOffice website and download the package file using the yellow download button, as shown in the screenshot.

[Screenshot: verifying downloaded files]

If you pay attention you will also find an info link below the button. Clicking that link takes you to a page that lists the hashes for the file you are downloading. In the image above you can see the SHA-256, SHA-1 and MD5 hashes.

These are the hash digests of that particular file. If we compute the same hash over the downloaded file, it should print exactly the same string. A matching hash tells us the file was not corrupted or altered on its way to us, provided the published hash itself came from a source we trust.

To verify, you can use the sha256sum utility (or its siblings for other algorithms) or gpg. For example, using the file downloaded above:

~ sha256sum is the utility command ~
sha256sum LibreOffice_6.4.0_Linux_x86-64_deb.tar.gz

~ Output ~
4227866f5554bb59411118efc0f0d996804c90dbaf79cb39576056009feb1e30  LibreOffice_6.4.0_Linux_x86-64_deb.tar.gz

~ Using gpg utility ~
gpg --print-md SHA256 LibreOffice_6.4.0_Linux_x86-64_deb.tar.gz

~ Output ~
LibreOffice_6.4.0_Linux_x86-64_deb.tar.gz:
4227866F 5554BB59 411118EF C0F0D996 804C90DB AF79CB39 57605600 9FEB1E30

There are many hashing algorithms such as SHA-256, SHA-512, SHA-384, SHA-224, MD5, etc. Replace the command accordingly, for example sha512sum or md5sum, to print the matching hash string. Prefer SHA-256 or SHA-512 when the publisher offers them: MD5 and SHA-1 are no longer collision-resistant, so they only catch accidental corruption, not deliberate tampering.

Note: In this example the hashes sit behind an "info" link; on other websites you will find links named "verify the downloads", "SHA-256 hash" or something similar.
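As an added example (not from the article), here is a small POSIX shell script that does the comparison for you instead of eyeballing two long strings. It accepts the digest either as sha256sum prints it or in gpg's spaced upper-case form, and also shows sha256sum's built-in -c mode against a SHA256SUMS file. The file and digest it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a published SHA-256 digest.
# The sample file and its digest are constructed here, not real releases.

# verify_sha256 FILE EXPECTED -> returns 0 if the digest matches, 1 otherwise.
# Spaces and case are normalised so a digest copied from
# "gpg --print-md SHA256" (upper-case, space-grouped) compares correctly.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr -d ' \n' | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "FAIL: $file has digest $actual, expected $expected" >&2
    return 1
}

# verify_checksum_file SUMSFILE -> let sha256sum check every "<hex>  <name>"
# line in a checksum file (the format many projects publish). --strict makes
# a malformed line a failure instead of a silent skip.
verify_checksum_file() {
    sha256sum -c --strict "$1"
}

# Constructed sample: a tiny "download" and its known-good digest
# (the SHA-256 of the bytes "hello\n").
workdir=$(mktemp -d)
cd "$workdir" || exit 1
printf 'hello\n' > release.tar.gz
good="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
printf '%s  release.tar.gz\n' "$good" > SHA256SUMS

# Stand-alone run: both checks pass on the untouched sample file.
verify_sha256 release.tar.gz "$good"
verify_checksum_file SHA256SUMS
```

Run it against a real download by pointing verify_sha256 at the file and pasting the digest from the publisher's hash page.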

Verifying the downloaded files with PGP key

To verify a file with a PGP key, you first download the detached signature (the .asc file) and the project's KEYS file, then use the gpg utility to import the keys and verify the downloaded file.

[Screenshot: verifying with PGP key]

~ importing the keys from KEYS file ~
gpg --import KEYS

~ verify ~
gpg --verify Apache_OpenOffice.tar.gz.asc Apache_OpenOffice.tar.gz

~ output ~
gpg: Signature made Monday 16 September 2019 05:15:00 AM IST
gpg:                using RSA key A93D62ECC3C8EA12DB220EC934EA76E6791485A8
gpg: Good signature from "Jim Jagielski (Release Signing Key) " [unknown]
gpg:                 aka "Jim Jagielski " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: A93D 62EC C3C8 EA12 DB22  0EC9 34EA 76E6 7914 85A8

It should print “Good signature” in the output, which means the file was signed by the key shown and has not been modified since. The WARNING line is expected when you have not marked that key as trusted: before relying on the result, compare the printed primary key fingerprint with the one the project publishes (on its HTTPS site or in its KEYS file), since a good signature from an unknown key proves nothing on its own.

Video guide on Youtube

Alternatively, for a step-by-step video guide, check out this tutorial on YouTube.
Endgame

That was it on how to verify downloaded files using hashes and PGP keys. Don't forget to subscribe to our YouTube channel. Till then, keep enjoying Linux.