Tutorial: How to Check the Digital Signature of a File (in Linux and Windows)
Did you just download a file or a program from your favorite website? How do you know that it’s safe? Explore how to check file signatures to verify that your file hasn’t been tampered with since it was signed
In its latest report, SpyCloud identified more than 22 million devices infected by malware in 2022 alone. How did cybercriminals manage to infect so many devices? SEO poisoning (i.e., search engine optimization poisoning) was one of the common malware distribution vectors used by attackers.
With this technique, attackers exploit Google Ads campaigns to promote downloads of infected files and apps through phony websites. Knowing this, it shouldn’t come as a surprise that 43% of CISOs interviewed by Red Access consider “browsing threats” their top concern for 2023.
So, how can you or your customers ensure that software programs and updates are safe, and haven’t been modified? By checking their digital signatures (i.e., blocks of cryptographic data that are used to validate the origins, authenticity, and integrity of files). In this tutorial, we’ll show you how to verify file signatures both in Linux and Windows, so that what you download is always the real deal. Ready to ramp up the security of your software downloads? Let’s get started.
How to Check if a File Is Signed in Windows and Linux
67% of organizations interviewed by Fortinet have been targeted by ransomware attacks at least once in 2023, and 65% of the victims were unable to completely recover their data.
Cybercriminals are getting sneaky and spreading malware in every possible way. They’re con artists who exploit users’ trust in well-known brands like Microsoft OneNote and Adobe Acrobat Sign. How? By sending out malicious attachments to users to trick them into downloading and opening infected files.
Verifying a file’s digital signature helps protect your devices and/or organization from downloading and installing tampered code. Keep in mind what a valid signature proves: that the file came from the holder of the signing key and hasn’t changed since it was signed, not that the signer’s code is harmless. How do you do it? Let’s break it down.
How to Check a Digital Signature of a File in Linux
If you’re using Linux and you think that you’re immune to malware infections, you may be in for a shock. Elastic Security Labs revealed in its latest report that more than 54% of the malware infections it observed in 2022 targeted Linux endpoints!
Yup. Linux might have been considered a safe haven a few decades ago, but the tide is changing rapidly.
Let’s say you want to install software that isn’t available in Linux repositories, like for example, VeraCrypt, an open-source, multiplatform disk encryption tool. After you’ve downloaded the Linux package from the official website, it’s time to start the steps to check the file’s digital signature (VeraCrypt uses PGP and X.509 digital signatures).
Note: The steps indicated below will work for most signed software. The process may slightly vary in some exceptional cases, for example, when the public key and/or the PGP signature file (more on that in a moment) are stored elsewhere or are included in a bundle.
1. Check If GNU Privacy Guard (i.e., GnuPG or GPG) Is Already Installed on Your System
GnuPG is usually included in Ubuntu and other Linux operating systems; however, to play it safe, you may want to confirm it’s there. To do so:
Press Ctrl+Alt+T to open a terminal window.
Type “gpg --version” and then press Enter.
If it displays the installed version information, you can move to the next step. If you get an error message (e.g., “command not found”), install it by typing the following commands in your terminal:
sudo apt-get update
sudo apt-get install gnupg
2. Download the Publisher’s Public Key
On the software download page, you’ll usually find a link to the publisher’s public key.
To download it:
Right-click on the link and copy the link address.
In the terminal, type “wget” followed by the link you’ve just copied.
Hit Enter.
3. Import the GPG Key
Now you can import the public key into your local keyring (i.e., the key store that GnuPG keeps in your home directory, under ~/.gnupg by default).
In the terminal, navigate to the Download folder.
Type “gpg --import filename” into the command line.
Before moving on, don’t forget to compare the downloaded public key’s fingerprint to the one the publisher lists. Ideally, take the published fingerprint from a channel independent of the download itself (the project’s documentation, its release announcements, or a page you reach by a different route), because an attacker who can swap the installer on a compromised site or mirror can usually swap the key file sitting next to it too. This will help you ensure:
You’re using the correct key.
The key you downloaded is the publisher’s own and hasn’t been replaced by a malicious third party.
To do so:
In the terminal, navigate to the Download folder.
Type the command “gpg --fingerprint”. It lists every key in your local keyring together with its fingerprint (add the publisher’s key ID or email address after it to list just that key).
Look for the one related to the software you want to install and compare it with the fingerprint published on the website you downloaded it from.
Good news: They match! You now know that you’re holding the publisher’s real key. That says nothing yet about the installer itself: whether it has been tampered with is what the signature check in the next steps establishes.
4. Download the Pretty Good Privacy (PGP) Signature File
If you haven’t already downloaded the PGP signature file with the installer, now it’s time to do it. In this example, we’ll download the file related to Ubuntu 20 as it’s the operating system version I have on the machine used for this demo.
Locate the PGP signature file link, click on it, and save it on your device.
5. Verify the Signature of the Installer
This is the moment of truth: Is the software you’ve just downloaded the original, authentic version? To confirm this:
Navigate to the folder where you saved the installer and the PGP signature file (e.g., the Downloads folder).
Use the command “gpg --verify” followed by the .sig file and then the installer.
If the output includes “Good signature from …”, the file hasn’t been modified since it was signed. Also check the key ID or fingerprint printed in that output: it must belong to the key whose fingerprint you verified in step 3, because “Good signature” would equally be printed for a signature made by any other key that happens to be in your keyring. If both check out, you can install it with confidence.
Is the “Good signature” message followed by another message (“WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner”)? No worries: the signature itself is valid. According to Ubuntu.com, the warning is just there to inform you that you haven’t signed VeraCrypt’s key to mark it as trusted in your keyring (i.e., GnuPG’s web of trust). VeraCrypt.eu states the same thing: unless you sign the imported key, you’ll keep seeing that warning every time you verify one of its PGP signatures. Once you have compared the fingerprint yourself, signing the key locally is the appropriate way to silence it.
What if you get a “BAD signature” message when you run the command instead? Something is wrong: either the file or the signature has been altered, or you have paired the wrong signature with the file, and you should not install it until you know which. To give you an example, I downloaded the Ubuntu 21 VeraCrypt installer and verified it against the PGP signature for the Ubuntu 20 build. The result was a “BAD signature” line, exactly what an altered download produces.
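The five Linux steps above, replayed end to end as a bash script. This is an added example, not code from the original tutorial or from the VeraCrypt project: the “publisher” key, the installer and the signature are constructed on the fly inside throwaway GNUPGHOME directories, so nothing touches your real keyring, and the names (verify_download, key_fingerprint, the example.invalid addresses, the installer file names) are this example’s own. It assumes gpg 2.1 or later on PATH. The point it adds to the prose is the strict form of step 5: a download is accepted only when gpg reports a good signature and the signing key’s fingerprint is the one you checked in step 3; it then shows the same signature failing against a file with one changed byte, and how a local certification of the key changes the trust level gpg reports.

```bash
#!/usr/bin/env bash
# Added example (not the tutorial's or VeraCrypt's code): replays the Linux
# steps with a constructed publisher key and installer in throwaway GNUPGHOME
# directories. Assumes gpg 2.1+ on PATH. All names below are this example's own.
set -euo pipefail

# Step 5, done strictly: accept only if gpg reports GOODSIG *and* the VALIDSIG
# line names the fingerprint confirmed in step 3. A bare "Good signature" is also
# printed for a signature made by any other key that sits in the keyring.
# Usage: verify_download <expected_fingerprint> <file.sig> <file>
verify_download() {
  local expected_fpr="$1" sig="$2" file="$3" status
  # --status-fd 1 yields machine-readable lines; human-readable text is dropped.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
  printf '%s\n' "$status" | awk -v want="$expected_fpr" '
    $2 == "GOODSIG" { good = 1 }
    # $3 is the signing (sub)key fingerprint, $NF the primary key fingerprint.
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { right_key = 1 }
    END { exit !(good && right_key) }'
}

# Primary-key fingerprint (40 hex digits) of a key in the current keyring.
key_fingerprint() {
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Trust word gpg attaches to a good signature (TRUST_UNDEFINED, TRUST_FULLY, ...).
trust_level() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk '$2 ~ /^TRUST_/ { print $2; exit }' || true
}

# Runs the whole scenario; returns 0 when every check behaves as expected.
run_demo() {
  local work fpr
  work=$(mktemp -d)
  mkdir -m 700 "$work/publisher" "$work/user"

  # --- Publisher side (constructed stand-in for the vendor) ---
  export GNUPGHOME="$work/publisher"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Publisher <demo@example.invalid>' ed25519 sign never
  printf 'constructed installer bytes\n' > "$work/installer.tar.bz2"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$work/installer.tar.bz2.sig" "$work/installer.tar.bz2"
  gpg --batch --armor --export demo@example.invalid > "$work/publisher.asc"
  # The value the vendor prints on its download page for the step-3 comparison.
  fpr=$(key_fingerprint demo@example.invalid)

  # --- User side: steps 2 to 5 ---
  export GNUPGHOME="$work/user"
  gpg --batch --quiet --import "$work/publisher.asc" 2>/dev/null            # step 3
  [ "$(key_fingerprint demo@example.invalid)" = "$fpr" ] ||
    { echo "fingerprint mismatch: wrong or substituted key"; return 1; }

  if verify_download "$fpr" "$work/installer.tar.bz2.sig" "$work/installer.tar.bz2"; then
    echo "genuine installer: good signature from $fpr, trust $(trust_level "$work/installer.tar.bz2.sig" "$work/installer.tar.bz2")"
  else
    echo "unexpected: genuine installer failed verification"; return 1
  fi

  # One changed byte, checked against the vendor's untouched signature: must fail.
  printf 'constructed installer bytes!\n' > "$work/tampered.tar.bz2"
  if verify_download "$fpr" "$work/installer.tar.bz2.sig" "$work/tampered.tar.bz2"; then
    echo "unexpected: tampered installer verified"; return 1
  else
    echo "tampered installer: BAD signature, do not install"
  fi

  # The "not certified with a trusted signature" warning is TRUST_UNDEFINED.
  # Having compared the fingerprint, certify the key with a local (non-exportable)
  # signature from your own key; gpg then reports a higher trust level.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo User <user@example.invalid>' ed25519 sign never
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' --quick-lsign-key "$fpr"
  echo "after local certification: trust $(trust_level "$work/installer.tar.bz2.sig" "$work/installer.tar.bz2")"

  # Stop the agents started for the throwaway homedirs and remove them.
  gpgconf --kill all 2>/dev/null || true
  GNUPGHOME="$work/publisher" gpgconf --kill all 2>/dev/null || true
  unset GNUPGHOME
  rm -rf "$work"
}

# Step 1 of the tutorial: nothing works without gpg.
if command -v gpg >/dev/null 2>&1; then
  run_demo
else
  echo "gpg not found: install gnupg first (tutorial step 1)" >&2
fi
```

For a real download, you would call verify_download with the fingerprint copied from the publisher’s page and the two files from your Downloads folder; the function is deliberately the only part that reads your normal keyring. Matching on the VALIDSIG line rather than on the words “Good signature” is what protects you when a second, unrelated key is present in the keyring or when a vendor signs with a subkey (the last field of that line is then the primary key’s fingerprint).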
That’s it! Quick, painless, and easy. Hold on, what if you have Windows? Can you check the digital signature of a file there too? Of course, you can! And it’s even easier. Read on.
How to Check a Digital Signature of a File in Windows 10
There are several ways to verify a code signature in Windows. We’ll use File Explorer, the most common method, available to everyone and requiring no additional software. This time, we’ll use the communication application Slack as an example and check its X.509 (Authenticode) digital signature.
1. Navigate to the Folder Where You Saved the Installer
Once you’ve downloaded the installer file:
Click on the File Explorer icon on your taskbar.
Navigate to the location where the installer is saved.
2. View the File’s Digital Signature
Did you find the file? Good. Now:
Right-click on it and select Properties. This will open a new pop-up window.
In the new window, click on the Digital Signatures tab. If the file has been digitally signed, you’ll see the signer’s name, the algorithm used, and the timestamp (if any).
3. Verify the Digital Signature
To check if the signature is valid:
Click on the Details button.
A pop-up window will come up. Does it say, “This digital signature is OK”? Yippee! The signature is valid and the file hasn’t been modified since it was signed. Also check that the signer’s name is the publisher you expect: a valid signature from an unexpected signer is just as much a red flag as an invalid one.
Want to know more details about the signature? Go through the signer information listed, and click on the View Certificate button to check the public key infrastructure (PKI) certificate used:
Navigate to the Details tab to learn more specifics about the certificate’s cryptographic security components and certificate Subject.
So, now that you know how to check file signatures, make sure you do it every time you download new software, because, as an old English proverb says, “If you trust before you try, you may repent before you die.”
Final Thoughts on How to Check the Digital Signature of a File in Linux and Windows
Ransomware, spyware, and keyloggers are just a few examples of malware that could be included in a compromised file or executable. This is why in today’s digital environment, it’s no longer enough to
Trust the developer without validating their digital identity,
Blindly assume that the vendor’s website is safe, or even
Rely solely on the file checksum.
Are you a Linux user? GPG will help you confirm the validity of a digital signature in five simple steps. Windows users will get it done and dusted even faster, through File Explorer.
Yup. No matter which operating system you use, what you’ve learned today will help you minimize the risks of downloading malware and keep your organization, and data secure. Goodbye unwanted, dangerous programs; welcome, secure downloads.