{{Header}} {{#seo: |description=Discover how digital signatures enhance security. Learn about verifying software signatures, understanding their limitations, conceptual challenges, and real-world attacks. |image=Verifyingsignature1231233.png }} {{verification_tools_mininav}} [[File:Verifyingsignature1231233.png|50px|thumb]] {{intro| Digital signatures are a key component of online security, providing a way to verify the authenticity and integrity of software. But what does that really mean, and why should you care? This guide is here to answer those questions. We'll walk you through the process of software signature verification, help you understand the strengths and limitations of digital signatures, and navigate you through the potential pitfalls. Whether you're a seasoned tech professional or just starting to dip your toes into the world of digital security, this guide has something for you. }} = Introduction = '''Digital signatures are a digital tool to ensure the authenticity of software and the absence of any third party modifications. These digital signatures and the habit of always verifying these signatures is critical to enhance system security'''. It's crucial to avoid installing unsigned software and instead following these best practices: * Always opt for verifiable software that allows for [[Warning#Always_Verify_Signatures|confirmation of signing keys and signatures]]. This ensures the software you're installing is authentic and hasn't been tampered with. * Utilize mechanisms like [[Operating_System_Software_and_Updates#Updates|apt upgrades]] that simplify and automate the verification process. This makes it easier to maintain system security without requiring extensive technical knowledge. = Risks of Not Verifying Digital Signatures = Neglecting to verify digital signatures can expose users to a variety of risks. While the [[#Attacks in the Wild|"Attacks in the Wild"]] section provides specific instances of these risks, it's important to understand the general implications of not adhering to this security practice: * '''Compromised Software:''' Without verification, you may unknowingly install compromised software. This could include malware, spyware, or other malicious code that can harm your system, steal sensitive information, or perform unwanted actions. * '''Loss of Data Integrity:''' Digital signatures ensure the integrity of the software, confirming that it hasn't been tampered with since it was signed. Without verification, there's no guarantee that the software you received is the same as the software that was originally distributed. * '''Identity Spoofing:''' Digital signatures authenticate the identity of the software provider. Without verification, you may fall victim to identity spoofing, where an attacker poses as a legitimate software provider to distribute malicious software. * '''System Vulnerabilities:''' Unverified and potentially compromised software can introduce vulnerabilities into your system, making it a target for further attacks. * '''Loss of Trust:''' On a broader scale, failing to verify digital signatures can erode trust in software distribution channels. If users can't be sure that the software they're receiving is genuine and untampered, they may be less likely to use these channels in the future. * '''Related:''' [[Basic_Security_Guide_Introduction#Motivation|Essential Security Guide Introduction chapter Motivation]]. In summary, verifying digital signatures is a crucial step in maintaining the security, integrity, and trustworthiness of software and should not be overlooked. = Verification Procedure = In this chapter we will explain the verification procedure. Please read the warnings below too. This is sort of a cheat sheet of overall warnings regarding the verification process that you should internalize. {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = Important: Do not proceed if verification fails! This could risk using infected or erroneous files. The purpose of verification is to ensure file integrity. }} {{gpg_signature_timestamp}} {{GnuPG_file_names}} == Checking Digital Fingerprints of Signing Keys == {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = '''Warning:''' Only install software after verifying the key's fingerprint and ensuring good signatures for files/repositories. }} The first critical step in verifying software legitimacy is confirming the authenticity of the signing key, which requires inspecting the key fingerprint. For instance, anyone could generate an OpenPGP key pair and pretend to be the "{{project_name_long}} Project", but only [[Signing Key|Patrick Schleizer's key pair]] is legitimate. Always perform this operation before importing keys or placing trust in OpenPGP output when verifying files or repositories. Our standard advice is to carefully obtain copies of the [[Trust#OpenPGP|OpenPGP fingerprint]] from multiple secure websites and to use [[OpenPGP#The_OpenPGP_Web_of_Trust|other authentication systems]] to check for a match. Website checks are only as secure as the imperfect TLS system, which is based on certificate authorities that have been compromised frequently in recent years. In this context, "other authentication systems" refers to: https://www.qubes-os.org/security/verifying-signatures/ * Utilize [[OpenPGP#The_OpenPGP_Web_of_Trust|The OpenPGP Web of Trust]]. * Verify the key against different keyservers. * Use various search engines to search for the fingerprint. * Employ various VPNs and proxy servers. * Access different Wi-Fi networks (work, school, internet cafe, etc.). * Request people to post the fingerprint in various forums and chat rooms. * Check against PDFs and photographs where the fingerprint appears (e.g., slides from a talk or on a T-shirt). * Repeat all of the above from different computers and devices. * See also [[OpenPGP#Bootstrapping_OpenPGP_keys_from_the_web|Bootstrapping OpenPGP keys from the web]]. == Checking Digital Fingerprints of Signed Software == Before you can safely verify file signatures with the signing key, ensure the following prerequisites are met: '''1.''' The correct signing key pair has been downloaded. '''2.''' The signing key's fingerprints have been checked against multiple sources. '''3.''' The key pair has been imported. For example:
user@host:~/Downloads$ gpg --import KEY gpg: key 61B7B526D98F0353: 24 signatures not checked due to missing keys gpg: key 61B7B526D98F0353: public key "Mozilla Software Releases'''4.''' The software package intended for installation has been downloaded. '''5.''' The accompanying signature file for the software package (" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: no ultimately trusted keys found
.asc
files are GPG signatures) has been downloaded.
For instance, to check the file signature for Firefox v97.0.1, downloaded directly from The Mozilla Firefox website, run the following command in a terminal:
{{CodeSelect|code=
gpg --verify firefox-97.0.1.tar.bz2.asc firefox-97.0.1.tar.bz2
}}
The OpenPGP output should show a "good signature", with the primary key fingerprint matching the one you verified earlier. For example:
gpg: Signature made Wed 16 Feb 2022 06:52:12 PM GMT gpg: using RSA key 4360FE2109C49763186F8E21EBE41E90F6F12F6D gpg: Good signature from "Mozilla Software ReleasesYou can now safely install the software. If the output states "bad signature", then remove the files and digital signatures and download them again. = Common Misconceptions = == What Digital Signatures Prove == It's important to understand that using digital signatures to verify the trustworthiness of software isn't infallible. Digital signatures increase the likelihood that no backdoor was introduced by a third party during transit, but they don't guarantee the software is entirely "backdoor-free". Below is a summary of what digital signatures can and can't prove. '''Table:''' ''Digital Signatures Properties'' {| class="wikitable" |- ! scope="col"| '''Property''' ! scope="col"| '''Description''' |- ! scope="row"| Digital Signatures Prove | * A signature was made by someone with access to the private key. * The file contents haven't been tampered with, preserving integrity. * May indicate the given file is authentic. |- ! scope="row"| Digital Signatures do not Prove | * Any other property, for example, that the file isn't malicious. Nothing prevents a person from signing a malicious program. Digital signature or not, for example in the case of ** intentional breakage, supply chain attacks: [https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps] ** [[Malware_and_Firmware_Trojans#Backdoors|backdoors]]: [https://www.synopsys.com/blogs/software-security/malicious-dependency-supply-chain/ bitcoin copay wallet “direct” backdoor] "{{Code2|If more than 100 BTC, steal it. Otherwise, don’t bother.}}" * https://github.com/dominictarr/event-stream/issues/116 * https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047 ** a digital signature would not have helped. * That the persons signing the file are inherently trustworthy, for example: Debian, {{project_name_short}} developers and so on -- but trust must be eventually placed in someone. Digital signatures are still useful in this case, because it is possible to limit trust to a few select people/organizations such as {{project_name_short}} developers. |- |} Verifying all files downloaded from trusted vendors eliminates threats from server compromises, dishonest staff at hosting companies or ISPs, Wi-Fi attacks, and so on. This is because tampered files will produce bad digital signatures, provided the public keys used for signature verification are the authentic, original ones (see below). == System Security Level == System security can be categorized into one of three levels, from strongest to weakest: *" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353 Subkey fingerprint: 4360 FE21 09C4 9763 186F 8E21 EBE4 1E90 F6F1 2F6D
Always use software signatures verification
: Software signatures are consistently verified using [[OpenPGP]], [[PQCrypto#Codecrypt|codecrypt]], [[Install_Software|APT]], or similar mechanisms.
* Always use TLS
: Files are always [[Secure_Downloads|securely downloaded]] over [[SSL|TLS]].
* Plaintext
.
If you've ever installed or started software without successfully verifying its signatures, your system's security level drops from the OpenPGP standard to either TLS or plaintext.
Without implementing a [[Disaster Recovery|Disaster Recovery Procedure]], it's impossible to elevate the security level of a machine or VM (for example, from TLS to the OpenPGP standard).
If you agree with the {{project_name_short}} view that [[SSL|Transport Layer Security (TLS)]] provides weak protection, then you must verify software signatures consistently and without exception.
== Conceptual Challenges in Digital Signatures Verification ==
Verification of software digital signatures presents many educational challenges. Often, implicit assumptions are made in the relevant literature, which are seldom spelled out. Without proper education, it's unrealistic to expect the majority of users to successfully verify software signatures and simultaneously notice attacks by advanced adversaries.
When digitally signed software is available, most websites simply state that the signing key should be downloaded to verify software signature(s). This approach has limited usefulness and {{project_clearnet}} is not alone in this regard -- the same is true for any software that provides software signatures.
The responsibility of verifying software signatures falls entirely on users, and cannot be offered by vendors who make software and associated signatures available for download. This is because the threat model of software signature verification is closely linked with the [[#System Security Level|system security level]]; this section attempts to make this explicit.
=== Threat Model Assumptions ===
In this threat model, signing keys and software signatures are considered to provide a higher security level. Conversely, everything the user can see on a website (including instructions) is on a lower security level because [[Dev/OpenPGP Signed Website|(OpenPGP) signed websites]] do not yet exist. Moreover, [[SSL|TLS]] provides a lower security level than verification of digital software signatures.
Consider an example of signed software available on a random website secured by TLS (in this case, TLS vs non-TLS doesn't matter). Due to the software's file size and economic constraints, it's impossible to host the software downloads on the same server. Instead, downloads are offered on a mirror network operated by third parties. In such a scenario, it could be argued that mirrors are less trusted than the main project website. If the main website offered a signing key, but a malicious file was shipped by a third-party mirror, then this could be detected if software signature verification was utilized by the user.
In other cases, the software downloads, signing key, and software signatures are all provided by the same server over [[SSL|TLS]]; this is the situation for {{project_name_short}} and other projects. {{project_name_short}} also offers all three components over [[Forcing .onion on Project|.onion]]; see also [[Download Security]]. While this may appear more secure than the first example, no project can guarantee that its server will never be compromised; see [[Trust#Distrusting_Infrastructure|Distrusting Infrastructure]] for further details.
The preceding discussion makes it clear that it's unwise to blindly trust whatever a project website says about software signature verification. Relevant threat model questions include:
* What if the website I am currently viewing is already compromised?
* What if a malicious third party has already modified instructions concerning how to verify signatures or which signing key should be used?
Also, after compromising a project web server, advanced adversaries are capable of showing fake website contents to specifically targeted users.
=== Potential Adversary Attacks ===
Competent adversaries are capable of various attacks, including malicious modifications of a project website. Consider the following vectors:
* Removal of any mention of software signature verification and replacement of software downloads with malicious counterparts.
** Users unfamiliar with software verification would fail to notice this, leading to compromise.
** Users who already understand the threat model of digital software verification and enforce the security level "always use software signatures verification" would ask for software signatures and remain safe.
* Insertion of false information such as "From now on, software signatures are no longer required. This process is now automated, because ...".
** Gullible users would believe this statement and be compromised.
** Diligent users would search for a digitally signed message by the vendor confirming this change. If it was not found, they would report the issue and remain safe.
* Replacing the genuine signing key and software signatures with a signing key and software signatures created by the adversary.
** Users who did not previously receive the signing key and who did not do further research on the plausibility of having received the correct signing key would fail to notice this and be compromised.
** Diligent users would follow the recommendations in earlier chapters on this page and therefore stay safe.
To counter these threats, user intelligence and due diligence is necessary as a sanity check.
Due to the complexity of this issue and very low user awareness, it is unlikely the majority of users are enforcing the "always use software signatures verification" security level. To date, the author of this section has not seen the security level concept explicitly described elsewhere, probably because the relevant information is not widely known. Unfortunately, the existing tools used for manual verification of software signatures have poor usability and [[Software_Signature_Verification_Usability_Issues_and_Proposed_Solutions|better technical solutions]] that are required do not exist.
== Information Security Level ==
The information security level (similar to the [[#System Security Level|system security level]]) can be categorized into one of three levels. From the strongest to the weakest, these are:
* Signatures Verification
: Signatures are verified with [[OpenPGP]], [[signify]], [[PQCrypto#Codecrypt|codecrypt]], [[Authenticode]], or similar mechanisms.
* TLS
: Information was received over [[SSL|TLS]].
* Plaintext
.
Other properties and categories are also conceivable, such as:
* Third-party server not involved or cannot tamper with information due to security by design.
* Offline signing key.
= Attacks in the Wild =
== Cryptocurrency Theft via Compromised Binaries ==
Towards the end of 2019, a malware attack threatened the security of Monero cryptocurrency users, leading to significant unauthorized fund transfers. Binaries for the Monero cryptocurrency (CLI) wallets were compromised by a malicious party and uploaded to a popular third party software download provider. Checking the signature as provided by the Monero team and realizing that the file was not authentic would have saved a lot of users from having their funds stolen.
* [https://www.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/ Security Warning: CLI binaries available on getmonero.org may have been compromised at some point during the last 24h.]
* [https://web.archive.org/web/20220511004124/https://lists.getmonero.org/hyperkitty/list/monero-announce@lists.getmonero.org/thread/DXJ223SBTCWKP7EDHVS7X73VP6WWX4S4/ Warning: The binaries of the CLI wallet were compromised for a short time]
* [https://github.com/monero-project/monero/issues/6151#issuecomment-555694443 Wrong hashes (from getmonero.org)]
* [https://bartblaze.blogspot.com/2019/11/monero-project-compromised.html Monero download site and binaries compromised]
== Counterfeit Tor Browser Attack ==
The following instance exemplifies the potential risks of installing unsigned software. A recent cyber-attack utilized a [https://en.wikipedia.org/wiki/Trojan_horse_(computing) "trojanized" Tor Browser] to spy on users and steal Bitcoin. The orchestrated attack involved several key components:https://www.eff.org/deeplinks/2019/10/phony-https-everywhere-extension-used-fake-tor-browser https://www.eset.com/us/about/newsroom/press-releases/eset-discovers-a-campaign-stealing-bitcoins-from-darknet-users/
This case emphasizes the potential dangers of installing unsigned software, resulting in loss of anonymity and financial theft in this instance. Had the victims only installed signed Tor Browser software from trusted sources after: verifying the correct key pair, confirming the key's fingerprints, and checking the consistency of the signature file for the software package, they could have sidestepped this scam entirely.
* Advertisements for the counterfeit Tor Browser were disseminated in Russian forums dedicated to topics such as privacy, circumvention of censorship, darknet markets, and cryptocurrencies.
** Messages included promises to bypass Russian censorship bodies and to overcome CAPTCHAs.
** Users were directed to bogus domains for downloading the Tor Browser (tor-browser.org
and torproect.org
), rather than the official website: torproject.org
.
* After accessing the fraudulent websites, users were falsely alerted that their Tor Browser was outdated. Users who fell for this ruse were redirected to another website offering an installer.
* The malicious version of the Tor Browser that was downloaded was outdated (version 7.5) compared to the real current release (version 9.0 at the time of the attack). Additionally, it had disabled the digital signature check for installed Tor Browser add-ons (xpinstall.signatures.required
was set to false
). The updater tool was also renamed to prevent victims from updating to a genuine version of the Tor Browser.
* While the browser used the Tor proxy, effectively anonymizing the user's IP address, user activities could still be monitored. This was due to a unique user-agent (a text-based identifier) being set, which revealed the software and operating system, thereby providing a unique browser fingerprint enabling network observers to track activities.
* The attackers had bundled the HTTPS Everywhere extension with a modified manifest.json
file. This allowed the web extension to gain broader permissions and to introduce content scripts into various web pages. Consequently, a [https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-server Command and Control server] could load further scripts when users browsed certain Darknet markets and a popular Russian money transfer service (QIWI), substituting cryptocurrency wallet addresses to those controlled by the criminals, thereby facilitating theft.
* It is also speculated that the settings for the NoScript extension were altered to enable JavaScript when browsing.
== hacked github.com ==
* '''1.)''' ''2012'' Unauthorized github repository write access: [https://github.blog/2012-03-04-public-key-security-vulnerability-and-mitigation/ Public Key Security Vulnerability and Mitigation]
* https://homakov.blogspot.com/2012/03/how-to.html
* https://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted
* https://github.com/rails/rails/commit/b83965785db1eec019edf1fc272b1aa393e6dc57
* '''2.)''' ''2014'' [https://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html How I hacked Github again.]
https://www.reddit.com/r/netsec/comments/1xa5xh/comment/cf9qjcl/
* '''3.)''' ''2022'' Hacked logins and private github repository data leak: Mike Hanley, Chief Security Officer at GitHub, wrote in a [https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/ blog post]: We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.https://www.developer-tech.com/news/2022/apr/19/github-notifies-victims-of-oauth-token-theft/ = See Also = * [[Trust|Placing Trust in {{project_name_short}}]] * [[OpenPGP]] * [[signify]] * [[Verify the images]] * [[Download Security]] * [[Signing Key|{{project_name_short}} Signing Key]] * [[Software Signature Verification Usability Issues and Proposed Solutions]] * discussion: [https://github.com/flatpak/flatpak/issues/5657
flatpak remote-add --from=https://….flatpakrepo
relies on TLS CAs to bootstrap trust path]
= Attribution =
Gratitude is expressed to [https://www.qubes-os.org Qubes OS] ([https://groups.google.com/g/qubes-devel/c/zALZnu9pTuU Permission]). The [[#What Digital Signatures Prove|What Digital Signatures Prove]] chapter contains content from the [https://www.qubes-os.org/security/verifying-signatures/#what-digital-signatures-can-and-cannot-prove Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove] page.
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]