
Sometimes when I download a compressed tgz file from a repo to build from source, I see this sentence

Foo is gpg-signed, you should check the signature by downloading the accompanying sig file and do gpg --verify foo.tgz.sig.

The question is: why bother? If I downloaded the file from their official website or GitHub page, should I still verify the signature? What can go horribly wrong if I don't?

Sergio Tulentsev
Masoud Ghaderi
    The main purpose is for you to be able to verify that you got the code/file content as originally intended by the provider, and that no one manipulated it somewhere along the way. Of course this does not offer too much protection if an attacker can manipulate the file _and_ the checksum shown to you on the site, but it would be helpful in cases where a man-in-the-middle attack was able to successfully manipulate your download somehow (think government agencies, for example), or if a malicious piece of software on your system changed the file after you downloaded it. – CBroe Jun 09 '21 at 14:02
    I myself don't do this either, but I imagine it's useful to really make sure that you do indeed have the content you want. Suppose, you downloaded the file from the official github page and it wasn't damaged in transit, but you have a cryptolocker running on your machine and it's no longer in incubation phase. So the file is encrypted and the malware is not decrypting it for you. – Sergio Tulentsev Jun 09 '21 at 14:03
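The two comments above describe three situations: a clean download, a download altered in transit or on disk, and a download site where the attacker replaced the file together with everything next to it. The following Go program, added here as an illustration and not part of the original question or its comments, models those situations with a detached signature and a checksum line. It uses Ed25519 from Go's standard library instead of OpenPGP so that it runs without gpg; the `Release` type, `Publish`, `ChecksumMatches`, `VerifySignature` and `Corrupt` are names made up for this example, and the tarball contents are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a project puts on its download page: the tarball, a detached
// signature over the tarball bytes (the .sig file) and a checksum line.
type Release struct {
	Tarball  []byte
	Sig      []byte
	Checksum string // hex SHA-256 of Tarball, as a SHA256SUMS file would list it
}

// Publish is the release side: hash the tarball and sign it with the project's
// private key. `gpg --detach-sign` does the equivalent with an OpenPGP key.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	sum := sha256.Sum256(tarball)
	return Release{
		Tarball:  tarball,
		Sig:      ed25519.Sign(priv, tarball),
		Checksum: hex.EncodeToString(sum[:]),
	}
}

// ChecksumMatches is the hash-only check. It involves no secret, so anyone who
// can change the tarball on the site can also publish a matching checksum.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// VerifySignature is what `gpg --verify foo.tgz.sig` does. trustedPub must come
// from somewhere other than the download being checked: a key fingerprint you
// saved earlier, a previous release you already trusted, a keyserver lookup.
func VerifySignature(trustedPub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(trustedPub, r.Tarball, r.Sig)
}

// Corrupt flips one byte of the tarball, standing in for a man-in-the-middle
// edit, a broken transfer, or malware touching the file after download.
func Corrupt(r Release) Release {
	t := append([]byte(nil), r.Tarball...)
	t[len(t)/2] ^= 0x01
	return Release{Tarball: t, Sig: r.Sig, Checksum: r.Checksum}
}

func main() {
	projPub, projPriv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish(projPriv, []byte("tar: foo-1.0 source (constructed sample)"))
	fmt.Println("clean download:      checksum", ChecksumMatches(good),
		"signature", VerifySignature(projPub, good))

	bad := Corrupt(good)
	fmt.Println("modified in transit: checksum", ChecksumMatches(bad),
		"signature", VerifySignature(projPub, bad))

	// Attacker controls the site and swaps tarball, sig and checksum for their own.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := Publish(evilPriv, []byte("tar: foo-1.0 with backdoor (constructed)"))
	fmt.Println("replaced on site:    checksum", ChecksumMatches(evil),
		"signature", VerifySignature(projPub, evil))
}
```

The clean download passes both checks, the modified one fails both, and the replaced-on-site release passes the checksum but fails the signature, because the attacker's signature was made with a key that is not the one you obtained out of band. That last row is the answer to "why bother": the checksum only tells you the file is the one the site is serving right now, while the signature tells you it is the one the key holder published.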
