Keeping Your Computer Safe and Usable by Verifying Downloads

When you install or upgrade software on your computer, try to make it safer.

It only takes a little effort and pays off big rewards in privacy and ease of mind. Although this example is on a Mac, it is general enough to translate to Windows or Linux easily.

Update your network:

Your wifi router is a computer. It runs an operating system. When’s the last time you updated it? Check if it needs updates and apply them. Be sure to back up your router’s operating system first.

Update your computer:

  • Update as many applications that make sense for you. It is better to keep them updated, so security fixes are applied.
  • Update your operating as it makes sense to you. Sometimes you do need to stay on one version of the operating system. Therefore, you will not update. Another reason is that you might be waiting for a week to confirm that there are no issues with the update. Those are good reasons. When the time is right, do upgrade your operating system. First, create a backup of your drive. Carbon Copy Cloner or Time Machine work well here.

Install software verification tools:

How do you know that what you downloaded is what you think it is?

You want to verify, and there is software to do it.

Two ideal tools are:

  • shasum, it comes built-in with macOS, your need to install it like this. Now is an excellent opportunity to get a little more technical for you.

    xcode-select --install
  • GPG Suite, it helps with everything from software downloads to sending emails. It will change your life in good ways, no matter how small or large. You will use this for the rest of your life.
    • Take time with studying and learning the tool.
    • Before moving forward, make sure that you have your key and a general understanding of how the software works.

Verify your software:

You’ve reached the last step: make sure the software downloaded is what you expect.

This example uses Bitcoin Core. Because the software is extremely valuable to me, it needs to be verified to be true. Here is how:

Study the download page to find out how to install and verify the software. Bitcoin-Core’s documentation is perfect.

Download it into the directory of your choice.

By now, you should have shasum and GPGTools installed and configured.

Open a terminal window.

Download the SHA256 checksums. They are normally in a file. Here is how one looks:

3b3e2680f7d9304c13bfebaf6445ada40d72324b4b3e0a07de9db807389a6c5b  bitcoin-22.0-osx-signed.dmg

The filename should be the same as the one you downloaded.

Verify it:

shasum -a 256 --check SHA256SUMS

In the output, look for the file you downloaded. It should say that it is OK.

bitcoin-22.0-osx-signed.dmg: OK

That means the file is unmodified. However, we still need to find out if we can trust it based upon who signed it.

The vendor should have provided signature(s). Choose the signer that you want to check.

Having studied how this works go ahead and perform the verification. It is easy to do it in the GUI and the command-line tool like this:

gpg --verify SHA256SUMS.asc

You should see Good signature by the name you chose.

That is it: you verified the software.

Now install it and have some fun.

Leave a Reply

Your email address will not be published. Required fields are marked *