How to check file integrity using public keys and MD5 checksums

To check that a file was sent by the correct person/entity, use the “gpg” program:

  1. Download the file as well as its signature (.asc) file into the same local directory
  2. Run: “gpg <file_signature.asc>” to check that the signature has not been tampered with
    1. If you don’t have the public key, download it: “gpg --keyserver pgpkeys.mit.edu --recv-key <ID>”
    2. Try: “gpg <file_signature.asc>” again
  3. Verify the signature is from the correct person
    1. Run: “gpg --fingerprint <ID>”

To check that the file itself has not been tampered with, run an MD5 check:

  1. Run: “fsum <file_name>”
    1. Compare the output with a trusted MD5 checksum file provided by the right person
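
The comparison step can be scripted so it does not rely on reading two hex strings by eye. The following is an added example, not part of the original post or of any tool it mentions; it assumes the trusted checksum file uses the common "<hex digest> <file name>" line layout, and the function names and the sample file "release.zip" are made up for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hash the file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse '<hex digest> <name>' lines; a leading '*' on the name marks binary mode."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # skip blank lines and comments
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if name and all(c in "0123456789abcdefABCDEF" for c in digest):
            entries[os.path.basename(name)] = digest.lower()
    return entries


# MD5 is not collision resistant; pass algorithm="sha256" if the publisher offers one.
def verify(path, checksum_text, algorithm="md5"):
    """Return True only if the file is listed and its digest matches the trusted value."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False  # not listed: treat as unverified, never as OK
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Constructed sample: one file checked before and after a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "release.zip")
        with open(path, "wb") as fh:
            fh.write(b"hello world\n")
        trusted = "6F5902AC237024BDD0C176CB93063DC4 *release.zip\n"  # constructed entry
        ok = verify(path, trusted)
        with open(path, "ab") as fh:
            fh.write(b"x")  # simulate tampering
        return ok, verify(path, trusted)
```

The checksum file is only as trustworthy as the channel it came from, so check its own signature with gpg as in the first procedure before relying on it.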

Further links:

http://httpd.apache.org/dev/verification.html

http://www.gpg4win.org/

http://www.fastsum.com/
