How to verify your downloaded files are authentic...

Yes, I also wanted to do this. I read two posts doubting the procedure. I am not sure if they are right, and I would be grateful to read your opinions.

"How can you trust this?!?!?
1- You download a program to verify other programs.
2- You use a .sig + public key to verify that your verifier program is valid.
3- You use that valid program to verify other files.

Now here we have two problems:
1- What if the program is fake, and the .sig file and public key too? It seems all OK but isn't.
2- Let's say that the verifier program is correct; how can you use it?
It will tell you that the program and the .sig file match, but it doesn't tell you who made the exe and the sig file.

The only way to trust it is to meet everyone.
You meet the GnuPG author to get the public key to be sure that everything is correct, but this way you don't need to verify the download any more; you can simply get the exe from him.

Same with Tor: you have to meet the author to get a VALID public key."

"No. No. No. Don't trust this security model. WHY? Just because it is wrong in one important point: HTTPS and SSL/TLS and the certificate trust chain are compromised by default. Your Windows is full of backdoored and undocumented APIs!!! You all know by WHOM! What is compromised first in SSL/TLS and in every standard key generation API? It is the random number generator used for key generation and by the protocol implementation itself.
What does this mean? => All your standard secured connections can be intercepted and MITM-injected with whatever is needed for a successful attack on your system! What can be injected? -> Fake content like a backdoor in the file you downloaded from a legit domain with SSL, together with a fake MD5/hash (128-512) or PGP key that corresponds to this file; or the spy can inject a validly signed but backdoored file, or just inject poisoned JS, a Java drive-by, a Flash exploit or the like. It is not a very good idea to trust every file or page if you want to be more protected. Against this you can use a sandbox and monitoring tools to check your downloaded file's behavior, or you can catch this file with strong setup rules in your behavior-ruled antivirus tool and firewall, or you can install this file first in a frozen OS with tools like DeepFreeze and then monitor its behavior for one day to decide whether it is clean or not, and then install it in the real OS. A virtual OS captured before the test can be used for the same test task too.
Be good"

Hi Pet,

The procedure for gaining some(*) trust in the Gpg4win offering is
described here: https://www.gpg4win.de/package-integrity.html

Of course, one basic assumption is that you can run a Windows operating
system safely enough for your purposes.

Note that we are offering three ways to try to check whether the file you have gotten
is the file we have sent:
a) Code signing, with the trust anchor root cert for code signing in Windows.
If this is fundamentally broken, you probably get compromised more easily by other installs.
b) OpenPGP certs. Of course, this depends on your "Web of Trust".
c) SHA-1 sums over the TLS website. Of course, this depends on SHA-1 crypto strength
and the TLS cert and implementation strength.

There is probably a lot more to the general questions you ask,
which is discussed in a lot of places. Gpg4win cannot get much better than
the other IT you need to run it.

Best,
Bernhard
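The three checks Bernhard lists (a: Windows code signing, b: OpenPGP signature, c: SHA-1 sum fetched over TLS) turned into one script, as an added example that is not Gpg4win's own code or tooling. Everything specific in it is a placeholder: the installer and .sig file names, the sums line, TRUSTED_FPR, and the sample gpg status output are constructed for illustration, and it assumes `gpg` and (on Windows) `powershell` are on PATH. The one point the script makes beyond the mailing-list text is the answer to the first quoted objection ("it doesn't tell you who made the exe and the sig file"): `gpg --verify` saying GOODSIG only means some key in your keyring made the signature, so the script compares the VALIDSIG fingerprint against one you obtained some other way (the fingerprint on the package-integrity page, a key you already trust in your web of trust) instead of stopping at GOODSIG.

```python
"""Added example, not Gpg4win's own code: Bernhard's three download checks.

Placeholders (assumptions, not real Gpg4win values): file names, the sums
line, TRUSTED_FPR and the SAMPLE_* gpg status text below."""
import hashlib
import hmac
import shutil
import subprocess
import sys
from pathlib import Path

# Placeholder: the fingerprint you trust, obtained out of band, NOT from the
# same download you are verifying.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def digest_file(path, algo="sha1"):
    """Stream a (large) installer through hashlib; returns lowercase hex.
    The page publishes SHA-1 sums; pass algo="sha256" where a project offers it."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_ok(actual_hex, sums_line, filename):
    """Check (c): compare against one `<hex>  <name>` line of a published sums file.
    The file name must match too, or a sums line for another build would pass.
    A sum fetched from the same TLS site as the file only catches corruption or
    a swapped download; it cannot catch a compromised server (the quoted posts'
    point), which is why (a) and (b) exist."""
    expected_hex, _, published = sums_line.strip().partition("  ")
    if Path(published).name != Path(filename).name:
        return False
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def parse_gpg_status(status_text, trusted_fpr):
    """Check (b): interpret gpg's machine-readable --status-fd output.
    GOODSIG = 'a key in my keyring made this'. Binding the signature to a
    specific signer means matching VALIDSIG's fingerprint (signing key or the
    primary key given as its last field) against a fingerprint you trust."""
    good, fprs = False, set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fprs.update({fields[2], fields[-1]})
        elif fields[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, fields[1]
    if not good or not fprs:
        return False, "no valid signature"
    for fpr in fprs:
        if hmac.compare_digest(fpr.upper(), trusted_fpr.upper()):
            return True, fpr.upper()
    return False, "signed by untrusted key %s" % ", ".join(sorted(fprs))


def verify_signature(path, sig_path, trusted_fpr):
    """Run gpg with --status-fd so the verdict is parsed, not the human text."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return False, "gpg not installed"
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", str(sig_path), str(path)],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, trusted_fpr)


def authenticode_status(path):
    """Check (a): on Windows, ask PowerShell whether the installer's code
    signature chains to a root the machine trusts ('Valid' means yes).
    Assumes powershell is on PATH; returns None on other platforms."""
    ps = shutil.which("powershell")
    if ps is None or not sys.platform.startswith("win"):
        return None
    cmd = "(Get-AuthenticodeSignature -FilePath '%s').Status" % str(path).replace("'", "''")
    proc = subprocess.run([ps, "-NoProfile", "-Command", cmd], capture_output=True, text=True)
    return proc.stdout.strip()


# Constructed sample --status-fd output, so the parser can be exercised offline.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 "
    "1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
SAMPLE_WRONG_KEY = SAMPLE_GOOD.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                       "FEDCBA9876543210FEDCBA9876543210FEDCBA98")

if __name__ == "__main__":
    # python verify_download.py <installer.exe> <installer.exe.sig> "<hex>  <installer.exe>"
    exe, sig, sums_line = sys.argv[1:4]
    print("authenticode:", authenticode_status(exe))
    print("openpgp     :", verify_signature(exe, sig, TRUSTED_FPR))
    print("checksum    :", checksum_ok(digest_file(exe, "sha1"), sums_line, exe))
```

The three results are independent, which is the point of Bernhard's list: if TRUSTED_FPR was itself fetched over the same connection as the installer, check (b) collapses into check (c), so get the fingerprint from a different channel before relying on it.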