Verifying Binaries

Steven Soloff edited this page Oct 7, 2017 · 3 revisions

Every release contains checksum files that can be used to verify the integrity of the binary files in the release. Currently, MD5, SHA-1, and SHA-256 checksums are provided in the files md5sum.txt, sha1sum.txt, and sha256sum.txt, respectively.

To verify that a downloaded binary file matches the checksum, run the appropriate checksum file through the corresponding checksum tool. For example, to verify the SHA-256 checksum of the Unix installer for version

$ sha256sum -c --ignore-missing sha256sum.txt OK

You must ensure "OK" is printed, otherwise the binary was corrupted or modified by a malicious third-party.

The --ignore-missing switch is recommended because it is likely you will download only a single binary file from the release (e.g. the installer for your platform). The checksum file contains an entry for every binary file in the release, and, without this switch, the checksum tool will report a warning for each file not present, which can obfuscate the output.

Additionally, every release contains the GPGv2 detached signature for each checksum file in an associated file named <checksum_file_name>.asc. The gpg2 tool can be used to verify that the checksum file itself has not been tampered with.

To verify that a checksum file has not been altered, you will first need to import the GPG public key of the tripleabuilderbot account used to create releases (you only need to do this once). Copy the key below to a new file on your system (you must be viewing this page via HTTPS to ensure the integrity of the displayed public key):

Version: GnuPG v2


Next import the key into your GPG keyring (this command assumes you saved the above public key to a file named tripleabuilderbot-public.asc):

$ gpg2 --import tripleabuilderbot-public.asc
gpg: key BC7A01365B474E6A: public key "tripleabuilderbot <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Once the key is imported, you need to verify its fingerprint:

$ gpg2 --edit-key tripleabuilderbot
pub  rsa2048/BC7A01365B474E6A
     created: 2017-10-02  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  rsa2048/F86D2732621F466B
     created: 2017-10-02  expires: never       usage: E   
[ unknown] (1). tripleabuilderbot <>

gpg> fpr
pub   rsa2048/BC7A01365B474E6A 2017-10-02 tripleabuilderbot <>
 Primary key fingerprint: 475F ABA4 0A16 B41B 27FB  A643 BC7A 0136 5B47 4E6A

The important line is in bold. The fingerprint should match:

475F ABA4 0A16 B41B 27FB  A643 BC7A 0136 5B47 4E6A

If the fingerprint matches, you may optionally sign the key to validate it:

gpg> sign

pub  rsa2048/BC7A01365B474E6A
     created: 2017-10-02  expires: never       usage: SC  
     trust: unknown       validity: unknown
 Primary key fingerprint: 475F ABA4 0A16 B41B 27FB  A643 BC7A 0136 5B47 4E6A

     tripleabuilderbot <>

Are you sure that you want to sign this key with your
key "John Doe <>" (6D9A732692B2F623)

Really sign? (y/N) y

Finally, exit the GPG key editor:

gpg> quit
Save changes? (y/N) y

After importing the public key, you may now verify any of the checksum files. For example, to verify the SHA-256 checksum file:

$ gpg2 --verify sha256sum.txt.asc
gpg: assuming signed data in 'sha256sum.txt'
gpg: Signature made Thu 05 Oct 2017 06:58:39 AM EDT using RSA key ID BC7A01365B474E6A
gpg: Good signature from "tripleabuilderbot <>" [full]

The important line is in bold. You must ensure "Good signature" from "tripleabuilderbot" is printed, otherwise the checksum file was corrupted, modified by a malicious third-party, or not signed by the TripleA development team.

Note that if you chose to not sign the tripleabuilderbot key when you imported it, a warning will be displayed during verification noting that the key used to sign the checksum file has not been certified along with the key fingerprint:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 475F ABA4 0A16 B41B 27FB  A643 BC7A 0136 5B47 4E6A

This warning can be safely ignored as long as the key fingerprint matches the published value above.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.