Verify both checksum and PGP signature?

danb35 (Hall of Famer; joined Aug 16, 2011; 15,504 messages)
tl;dr: Is there a reason to verify both a checksum (e.g., SHA256) and a PGP signature for a downloaded file?

It's not unusual for F/OSS documentation to recommend checking both the SHA256sum of the downloaded file, and its PGP signature--I'm thinking specifically of Nextcloud here. But that seems kind of redundant to me--unless I badly misunderstand PGP signatures, they start with a hash of the data in question (the file in this case), and then (with hand-wavey stuff that I don't think is relevant) confirm it with the relevant private key. And if that understanding is correct, then verifying the PGP signature necessarily includes verifying the checksum. Right?
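An added example, not part of the post: stdlib Python that does the checksum half of the procedure above (parsing a sha256sum-style file and comparing in constant time) and shows how the detached PGP signature check is invoked beside it. The file name `nextcloud-demo.zip`, its sample bytes and the `.asc` path are constructed stand-ins.

```python
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path

# Constructed sample "download" and matching sha256sum-style line (not real Nextcloud data).
SAMPLE_NAME = "nextcloud-demo.zip"
SAMPLE_FILE = b"abc"
SAMPLE_SUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  nextcloud-demo.zip\n"


def parse_sha256sums(text: str) -> dict:
    """Parse '<hex>  <name>' lines (a leading '*' on the name means binary mode)."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # blank or malformed line: skip rather than guess
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of(data: bytes) -> str:
    h = hashlib.sha256()
    for i in range(0, len(data), 1 << 20):  # hash in 1 MiB chunks
        h.update(data[i:i + (1 << 20)])
    return h.hexdigest()


def checksum_matches(data: bytes, filename: str, sums_text: str) -> bool:
    """True only if the sums file names this file AND the digest matches."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(data), expected)


def pgp_signature_verifies(file_path: Path, sig_path: Path):
    """Detached-signature check via gpg; None when gpg is not installed."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    proc = subprocess.run([gpg, "--batch", "--verify", str(sig_path), str(file_path)],
                          capture_output=True)
    return proc.returncode == 0


def demo() -> bool:
    return checksum_matches(SAMPLE_FILE, SAMPLE_NAME, SAMPLE_SUMS)
```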

dak180 (Patron; joined Nov 22, 2017; 310 messages)

> Is there a reason to verify both a checksum (e.g., SHA256) and a PGP signature for a downloaded file?
The only thing I can think of off the top of my head is if you want to know that both the checksum and the sig are for the same file.

(joined Oct 22, 2019; 3,641 messages)

> Is there a reason to verify both a checksum (e.g., SHA256) and a PGP signature for a downloaded file?
Checksum? *Good. (And probably good enough.)

PGP signature? Better.

If the signature verifies the file, then there's no need for the redundant step of also checking with the provided checksum.


* Unless you know that the website or service was hacked, and you trust the developers, I don't see why a user should have suspicions that the provided SHA256 (or any hash) is maliciously generated. (If the website truly is compromised, then the attacker can just generate a SHA256 checksum for the malicious file. At this point, you'd probably hear about it in a news article, blog post, social media, or YouTube video, and so on.)


EDIT: Let me try to explain it a different way.

Let's say you download a file from WinnieSoft. On the download page is a SHA256 hash for the file. When you check the downloaded file, it matches! You should be satisfied.

Why would you be unsatisfied? You'd have to assume that the WinnieSoft website, with a good SSL certificate, was hijacked, and the attackers hosted the malicious file with a matching SHA256 hash (for the bad file), and... somehow you never heard about WinnieSoft being breached?

danb35 (Hall of Famer; joined Aug 16, 2011; 15,504 messages)

> If the signature verifies the file, then there's no need for the redundant step of also checking with the provided checksum.
That's what I was thinking.