
Let's say that I'll download an installer for a program on Windows and the publisher has released a PGP signature for the file.

The installer file does not have any code signing certificates.

If I connect to the publisher's website with https and check that the URL is correct, do you think I should still verify the hash?

From what I understand, the purpose of this is to make sure that the download was not intercepted by a third party and to make sure that I downloaded the correct file.

Is that still a threat even if I connect with https and check the URL?

John Deters
Emre Kenci

1 Answer


Yes, you should verify it.

If an attacker can replace the installer file on the server with a malicious version, https (TLS) will not protect you because you're downloading from the correct site, but you're getting a malicious file.

If the publisher has kept their private key truly private, even though the attacker has compromised the server, the attacker cannot create a new, signed hash because doing that requires the signing (private) key. (Of course, the implication is that the publisher must not keep the signing key on the server, but we can hope publishers know that.)

Bob Brown
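The scenario in the answer, as an added worked example that is not part of the original question or answer: a publisher signs an installer with a key that stays off the web server, the downloader verifies the detached signature against a fingerprint obtained out of band, and then the "attacker swapped the file on the server" case is replayed to show the old signature no longer verifies. The publisher name, e-mail, file names and installer bytes are all constructed here so it runs offline with nothing but gpg installed; the gpg invocations are the same on Windows with Gpg4win's gpg.exe.

```shell
# Added example (not from the original post). Requires gpg 2.1+.
# Everything below is constructed: the "publisher" and "user" are two
# throwaway GNUPGHOME directories standing in for two different machines.

# Verify FILE against detached signature SIG using the keyring in GNUPGHOME,
# and require that the signing key's primary fingerprint equals EXPECTED_FPR.
# Pinning the fingerprint (learned from docs, a keyserver, a colleague; not
# from the same server you download from) is what stops an attacker who also
# replaces the .asc file and publishes their own key on the compromised site.
# Returns 0 only for a valid signature from the pinned key.
verify_download() {
    file="$1"; sig="$2"; gnupghome="$3"; expected_fpr="$4"
    # --status-fd 1 gives machine-parsable "[GNUPG:] ..." lines on stdout.
    status=$(GNUPGHOME="$gnupghome" gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG's last field is the primary key fingerprint of the signer.
    printf '%s\n' "$status" | awk -v want="$expected_fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Runs the whole story and prints "<good> <tampered>", where each is the
# verify_download exit code for the genuine and for the swapped installer.
run_demo() {
    work=$(mktemp -d)
    pub="$work/publisher"; user="$work/user"
    mkdir -p "$pub" "$user"; chmod 700 "$pub" "$user"
    echo allow-loopback-pinentry > "$pub/gpg-agent.conf"

    # Publisher side: signing key with no passphrase (constructed example only;
    # a real release key lives on an offline machine or hardware token).
    GNUPGHOME="$pub" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Publisher <release@example.invalid>' ed25519 sign never 2>/dev/null
    fpr=$(GNUPGHOME="$pub" gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }')

    printf 'MZ constructed stand-in for installer bytes\n' > "$work/installer.exe"
    GNUPGHOME="$pub" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$work/installer.exe.asc" "$work/installer.exe"

    # User side: import only the publisher's public key (what you would fetch
    # from a keyserver or the publisher's documentation, not the download dir).
    GNUPGHOME="$pub" gpg --batch --armor --export release@example.invalid \
        | GNUPGHOME="$user" gpg --batch --quiet --import 2>/dev/null

    if verify_download "$work/installer.exe" "$work/installer.exe.asc" "$user" "$fpr"; then
        good=0; else good=1; fi

    # Attacker with write access to the web server swaps the installer. TLS
    # still delivers this file "correctly"; without the private key the
    # attacker cannot produce a matching signature, so verification fails.
    printf 'MZ malicious replacement\n' > "$work/installer.exe"
    if verify_download "$work/installer.exe" "$work/installer.exe.asc" "$user" "$fpr"; then
        tampered=0; else tampered=1; fi

    GNUPGHOME="$pub" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$user" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$good $tampered"
}

# Stand-alone usage: sh verify_demo.sh demo   (prints "0 1")
case "${1:-}" in demo) run_demo ;; esac
```

Note that gpg exits 0 for a good signature even when the key is untrusted (it only prints a warning), which is why the function checks the fingerprint itself rather than relying on the exit code alone. A GOODSIG from some key in your keyring is not the same as a good signature from the publisher's key.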