1

Now, I understand how PGP signatures work and why they can be useful to check if a file has been manipulated but this has always bugged me, if I download a file from a site/server, and read:

"always make sure to verify your download!!1!"

with a PGP signature from the same site (tails offers a browser extension for noobs),

Tails: Verify your download; Tails Verification extension
then how does this add any kind of security?

If you have access to the server and can change one file, surely you can update the signature-file accordingly. So does this make sense?

Penguin9
  • 111
  • 5
  • I'd rather have this be a duplicate of this tho: https://security.stackexchange.com/questions/1687/does-hashing-a-file-from-an-unsigned-website-give-a-false-sense-of-security, as that actually answers my question. – Penguin9 Jul 24 '19 at 19:11

1 Answers1

1

It would be possible for a hacked website to host a fraudulent key that has signed a fraudulent piece of software, however, one could verify they have the correct key from other places on the internet, and many time these signing keys are signed as valid by somebody else. Once they are confirmed as valid, they will be used for years into the future until the key expires or the certificate is revoked. These keys many times are available on a key server as well, available with a verification signature, or you might already have the key in your keyring ahead of time as previously mentioned. Also, if an attacker did this, it would be an unexpectedly used key, versus every other time they signed software, which would be very noisy and detectable. It would mainly be an attack on everyone who didn't already have the real key.

Since there is a wide array of places the public key can be verified and acquired from, it is much less likely that someone will receive and use a bad public key, and if this attack succeeded, it would be very short lived.

john doe
  • 648
  • 4
  • 15