In this lesson, we will learn how to verify the integrity of the software programs we download from the internet, and ensure that they were not modified during retrieval or transmission, or while they were stored in the repository on the server side. We will also verify the authenticity of the software source, i.e., who created and signed the software. We will use common software tools to perform these verification tests, and show how they are done on Windows, Mac, and Linux platforms. A user visiting the Apache HTTPD website will find four links: the full release of the web server software, the PGP signature with a .asc file extension, the SHA-1 hash, and the MD5 hash. The user can run the gpg --verify command to verify the signature, giving the web server software file name and the PGP signature file name as input. If the related documents have not been altered, GPG will report when the signature was signed and with which RSA key; the lower 8 bytes of the primary key fingerprint will be shown. It will also indicate that it is a good signature from Jim Jagielski, made with one of his keys called the release signing key, together with his email address. This is called the user ID, and an individual user can use it to look up and download the public key. GPG gives a warning, though, that the key is not certified with a trusted signature. One reason for that is that we have not signed the key ourselves in the first place. The other reason is that we have not downloaded the keys of people who can vouch for his key. So there is no indication in the message output that the signature really belongs to the owner. We then need to compare the key with the primary key fingerprint on the Apache website, or directly talk to Jim or email Jim and see whether he will reply and confirm his public key.
The Apache website specifically asks users to download the PGP signature and the MD5 hashes directly from the main Apache Software Foundation website. They don't want people to download that key and credential information from the mirror sites. The reason is that the mirror sites are not controlled by the Apache Software Foundation at all; they are volunteer organizations providing this service, and they may not deploy and practice the best security practices. The software signature and hashes could be altered by a hacker who breaks into those mirror sites. Apache, however, does allow the software release itself, typically hundreds of megabytes or a few gigabytes, to be downloaded from a mirror site. What is the reason? I will give you ten seconds to think about it. The reason is that if the files are altered, we can use the MD5 and SHA-1 hashes downloaded from the authentic Apache Software Foundation site to check against them and detect that they have been altered. On Windows, Mac, and Linux, you can run curl commands to download the five documents related to the HTTPD software from the Apache website. Make sure you use HTTPS so that there is no man-in-the-middle attack. We then use the GPG or GPG2 version of the software to import the Apache key file into the local keystore maintained by the GPG program. The gpg --verify command will verify that the downloaded httpd-2.4.25.tar.bz2.asc signature file was indeed produced by the private key related to the RSA key ID 791485A8 that belongs to jim@apache.org. Since we only just imported its public key and have not verified it, GPG warns us that it is not trusted at all. We need to verify that the signature indeed belongs to jim@apache.org. We can send him an email, or search the key file. The key file is actually one of the files we can download from the Apache website and their distribution site. It turns out that there is an exact match in the long key file at line 6765.
This concludes the proof that the httpd-2.4.25.tar.bz2.asc signature was indeed signed by Jim Jagielski of the Apache Software Foundation. But it has not proved that the content has not been altered, right? It could be a mistake by Jim, or it could be someone else. To make sure the software release was not altered, we compute the MD5 and SHA-1 message digests of the downloaded software ourselves, not trusting what was delivered with it, and then compare them with the MD5 and SHA-1 hashes we downloaded from the Apache website. If they turn out to be the same, then we are okay; if they are not equal, then something went wrong. In our case the httpd-2.4.25.tar.bz2 file maintained its integrity through the download process. Note that on Linux or Mac, instead of using Get-FileHash provided by PowerShell, we use the openssl md5 or openssl sha1 command to compute the message digest of a file. OpenSSL is a software package installed on most Unix systems, Linux and Mac OS included.
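As an added example (not code from this lesson or from the Apache project), here are both checks from the lesson in Python: the hash check recomputes MD5 and SHA-1 of the downloaded file and compares them with the .md5/.sha1 files fetched from apache.org, and the signature check reads the machine-readable status lines that gpg --status-fd 1 --verify prints, accepting GOODSIG only when the VALIDSIG fingerprint matches the one confirmed out of band from the Apache key file or from the signer. The fingerprint, the signer name and the release bytes are constructed placeholders, not Apache data.

```python
import hashlib
import hmac
import os
import re
import tempfile

TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # hypothetical placeholder for the fingerprint confirmed out of band
def digest_file(path, algo):
    """Hex digest of a file, the same value 'openssl md5/sha1' or Get-FileHash prints."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_hash_file(text):
    """Return (hexdigest, filename) from 'hex  name' (md5sum style) or 'ALGO(name)= hex' (openssl style)."""
    m = re.match(r"^\s*([0-9a-fA-F]+)\s+\*?(\S+)", text)
    if m: return m.group(1).lower(), m.group(2)
    m = re.match(r"^\s*\w+\s*\((\S+)\)\s*=\s*([0-9a-fA-F]+)", text)
    if m: return m.group(2).lower(), m.group(1)
    raise ValueError("unrecognised hash file format")

def check_hashes(path, md5_text, sha1_text):
    """Recompute both digests ourselves and compare with the .md5/.sha1 fetched from apache.org."""
    ok = True
    for algo, text in (("md5", md5_text), ("sha1", sha1_text)):
        expected, name = parse_hash_file(text)
        ok &= name == os.path.basename(path) and hmac.compare_digest(expected, digest_file(path, algo))
    return bool(ok)

def signature_verdict(status_lines, trusted_fpr):
    """GOODSIG only means the .asc matches some imported key; require that VALIDSIG carries the
    fingerprint confirmed out of band. TRUST_UNDEFINED is the warning the lesson describes."""
    good = any(l.startswith("[GNUPG:] GOODSIG ") for l in status_lines)
    fprs = [l.split()[2] for l in status_lines if l.startswith("[GNUPG:] VALIDSIG ")]
    return good and trusted_fpr.upper() in fprs

def demo():
    """Constructed stand-in release: its bytes are just b'abc', whose MD5/SHA-1 are well known."""
    path = os.path.join(tempfile.mkdtemp(), "httpd-2.4.25.tar.bz2")
    with open(path, "wb") as f: f.write(b"abc")
    md5_txt = "900150983cd24fb0d6963f7d28e17f72  httpd-2.4.25.tar.bz2"
    sha1_txt = "SHA1(httpd-2.4.25.tar.bz2)= a9993e364706816aba3e25717850c26c9cd0d89d"
    ok = check_hashes(path, md5_txt, sha1_txt)
    with open(path, "ab") as f: f.write(b"!")  # simulate a mirror serving altered bytes
    tampered = check_hashes(path, md5_txt, sha1_txt)
    status = ["[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>",  # constructed
              "[GNUPG:] VALIDSIG %s 2016-12-20 1482192000 0 4 0 1 10 00 %s" % (TRUSTED_FPR, TRUSTED_FPR),
              "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
    return {"hashes_ok": ok, "tampered_ok": tampered, "sig_ok": signature_verdict(status, TRUSTED_FPR),
            "sig_wrong_key": signature_verdict(status, "F" * 40)}
```

For a real download, feed check_hashes the contents of the .md5 and .sha1 files from apache.org and signature_verdict the lines from gpg --status-fd 1 --verify httpd-2.4.25.tar.bz2.asc httpd-2.4.25.tar.bz2.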