Let’s say you have an installer, and before you run it, you’d like to prove it was packaged by a developer you trust. It’s not enough to download from the app’s official download page… maybe the server was hacked, maybe someone is rerouting your traffic… To better verify the source of this installer, use PGP’s web of trust: Provided you have the developer’s public key and no reason to think his private key was compromised, then you can authenticate the file as his.
Since KeePass is a program to store passwords, it’s one we ought to verify and I’ll use it as an example:
1.\ Here’s the official download page. The download buttons redirects to SourceForge.
2.\ Now go to the file signatures page
and download your file’s corresponding key. I’m going to install
KeePass-2.28-Setup.exe, so I downloaded
Take note of the developer’s public key. This is the public identity that
will be embedded in files they sign. For KeePass, the developer’s name
Dominik Reichl’ and his key fingerprint
2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC’.
His key looks like this:
… without the ‘blah blah blah’, of course.
Here we assume that anything signed by this key was signed by the guy Dominik Reichl whom we trust for KeePass installers. If that’s confusing, see Wikipedia’s web of trust.
Encryption is not magic – it can’t tell you if someone forced Dominik to sign a malicious file. It can’t tell you that he keeps his key safe or that he is trustworthy to begin with. Encryption can only prove that this particular file was signed by someone who had access to “Dominik”’s private key. I put his name in scare quotes because “Dominik” could be a pseudonym, or a group, etc. This part of public key cryptography seems to confuse a lot of people. Anyway…
3.\ The last step is to verify the file. I will use Windows PowerShell:
I’ve yet to sign Dominik’s key, so
WARNING: This key is not certified with
a trusted signature! reminds me that his key is not part of my web of trust.
Should I ever want to add his key, I would ask him to tell me the fingerprint
in person, over the phone, or in some other offline communication. Then I have
a real world identity to go with that key.