To check whether a file came from a legitimate source, we often need to verify its signature or checksum. But how do we do that? As an example, we will download the Cygwin installer and then check that it came from a legitimate source by verifying it against the public key published by the software distributor. We will use the gpg utility.

Go to url: https://cygwin.com/install.html

Run setup-x86_64.exe any time you want to update or install a Cygwin package for 64-bit Windows. The signature for setup-x86_64.exe can be used to verify the validity of this binary using the public key here.

Step 1 – Download and install public key

Save the public key to a file named pubring.asc and add it to the local keyring:

gpg --import pubring.asc
gpg --list-keys

Step 2 – Download file and signature

Once the public key is installed, you can download the installation file and the corresponding signature file. The naming convention is: setup-x86_64.exe.sig and setup-x86_64.exe.

Step 3 – Run file signature verification

Once both files are in place, open a terminal and verify the signature against the installation file:

gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
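As an added example (not from the original post or from the Cygwin project), the following POSIX shell script wraps step 3 and additionally pins the signing key's fingerprint: gpg --verify exits 0 for a good signature from any key you have imported, so the script also requires the VALIDSIG fingerprint reported by gpg to match the one the distributor publishes. EXPECTED_FPR is a placeholder to be replaced with that published fingerprint, and the status-line parsing is my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Verify a downloaded
# installer and pin the signing key's fingerprint instead of trusting
# gpg's exit status alone. EXPECTED_FPR is a placeholder: take the real
# value from the distributor's website, not from the downloaded files.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# check_status STATUS_TEXT EXPECTED_FPR
# Parses gpg --status-fd output ("[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>")
# and returns 0 only when a VALIDSIG line carries the expected fingerprint
# as either the signing (sub)key fingerprint (field 3) or the primary key
# fingerprint (last field). Any bad/expired/revoked/unknown-key status fails.
check_status() {
    status="$1"
    expected="$2"
    [ -n "$expected" ] || return 1
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|ERRSIG|NO_PUBKEY)'; then
        return 1
    fi
    fprs=$(printf '%s\n' "$status" |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; print $NF}')
    printf '%s\n' "$fprs" | grep -qx -- "$expected"
}

# verify_installer SIGFILE DATAFILE EXPECTED_FPR
# Runs the same gpg --verify as in step 3, but with machine-readable status
# output, and applies check_status to it.
verify_installer() {
    out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    check_status "$out" "$3"
}

# Usage: verify_installer setup-x86_64.exe.sig setup-x86_64.exe "$EXPECTED_FPR"
```

The "not certified with a trusted signature" warning referenced below is only a warning; pinning the fingerprint is what actually ties the signature to the distributor.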

https://superuser.com/questions/773138/how-to-verify-the-validity-of-the-binary-using-the-public-key

GPG why is my trusted key not certified with a trusted signature? https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature
