How to Verify Software Authenticity

Downloading software from the Internet can be very risky if you don’t take precautions. Modified or malicious files can compromise your security. In this article, you will learn how to verify the authenticity and integrity of any software using the command line on macOS, Windows, and Linux.

Why Verify Software?

Before installing any program, it is essential to confirm two things:

  1. Integrity : That the file has not been altered during download.
  2. Authenticity : That it was created by the official developer and not a third party.

For this, the following are used:

  • Checksums (Hashes) : Such as SHA-256 or MD5. These are unique “fingerprints” of the file.
  • PGP/GPG Signatures : Digital signatures based on asymmetric (public-key) cryptography that validate authorship.
  • Code-Signing Certificates : On macOS and Windows, some programs include a built-in digital signature issued under a certificate.

What is a Checksum or Hash?

Imagine you have a file, such as a program or a document. A checksum or hash is like a unique “fingerprint” of that file. It is a string of characters (numbers and letters) that is generated from the contents of the file.

If the file changes even a single bit (for example, if someone modifies it or if it gets corrupted during download), its checksum will change completely.

If the file is identical to the original, its  checksum  will be exactly the same.

What is it for?

The checksum is used to:

Verify integrity : Make sure the file has not been altered or damaged during download or transfer.

Confirm authenticity : Compare the checksum with the value provided by the developer to ensure that the file is legitimate and has not been tampered with by third parties.

How does it work?

The developer creates the file and calculates its checksum using an algorithm (such as SHA-256 or MD5).

The developer posts the file and its checksum on their official website.

You download the file and calculate its checksum using a tool (like sha256sum on Linux or CertUtil on Windows).

You compare the checksum you calculated with the one provided by the developer.

  • If they match : The file is authentic and has not been modified.
  • If they don’t match : Something is wrong (the file is corrupt or has been altered).
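The procedure above, as an added example that is not part of the original article: a small POSIX shell script that computes the SHA-256 digest with whichever tool the platform provides (sha256sum on Linux, shasum -a 256 on macOS), compares it case-insensitively with the published value, and also checks a SHA256SUMS-style list of the kind sha256sum -c reads. The function names and the sample files are this example's own; the two digests used are the standard SHA-256 test vectors for the empty string and for the string abc.

```shell
#!/bin/sh
# Added example (not the article's own): verify a download's SHA-256 digest
# the way the article describes, portably across Linux and macOS.
# Function names (sha256_of, verify_sha256, verify_checksum_file, demo)
# are this example's own.

# Print the SHA-256 hex digest of file $1, using sha256sum (Linux/coreutils)
# or shasum -a 256 (macOS), whichever is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the digest of file $1 with the published digest $2.
# Hex digits are compared case-insensitively, so an uppercase value (as
# PowerShell's Get-FileHash prints) still matches a lowercase one.
# Returns 0 on a match, 1 on a mismatch or a malformed expected value.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|"") echo "ERROR: expected digest is not hexadecimal" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "ERROR: a SHA-256 digest has 64 hex characters" >&2; return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# Verify every "digest  filename" line of a SHA256SUMS-style file (the
# format sha256sum -c reads); filenames are resolved relative to that file.
# Returns 0 only if every listed file matches.
verify_checksum_file() {
    sums=$1
    dir=$(dirname "$sums")
    rc=0
    while read -r digest name; do
        [ -n "$digest" ] || continue
        name=${name#\*}     # drop the binary-mode marker some tools emit
        verify_sha256 "$dir/$name" "$digest" || rc=1
    done < "$sums"
    return "$rc"
}

# Demonstration on constructed files. The digests are the standard SHA-256
# test vectors for the empty string and for "abc"; tampered.bin differs from
# abc.bin by a single byte, so its digest is completely different.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/empty.bin"
    printf 'abc' > "$tmp/abc.bin"
    printf 'abd' > "$tmp/tampered.bin"
    verify_sha256 "$tmp/empty.bin" e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    verify_sha256 "$tmp/abc.bin" BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD
    verify_sha256 "$tmp/tampered.bin" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    rm -rf "$tmp"
}

demo
```

The third call in demo prints MISMATCH with both digests, which is what a tampered or corrupted download looks like in practice; the check on the expected value catches the common mistake of pasting a truncated or non-hexadecimal string from a web page.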

Example

Suppose you have a file called foto.jpg. Its checksum (using SHA-256) might look something like this (the values below are illustrative placeholders; a real SHA-256 digest is 64 hexadecimal characters, 0-9 and a-f):

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6  

If you modify the photo (for example, add a filter), the checksum will change completely:

z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0f9e8d7c6b5a4  

If the file is identical to the original, the checksum will be the same:

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6  

Common Checksum Algorithms

  • SHA-256 : Very secure and widely used. Generates a 64-character hash.
  • MD5 : Less secure (collision attacks against MD5 are practical), so it is only useful for quick checks against accidental corruption, not as evidence against tampering. Generates a 32-character hash.

Necessary Tools

Terminal or Command Line : Integrated into all operating systems.

Checksums : Provided by the developer on their official website.

Developer Public Key : To validate GPG signatures (optional but recommended).

Verification on macOS

1. Using Checksums (SHA-256)

Command :

shasum -a 256 /ruta/al/archivo.dmg

Expected output :

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 /ruta/al/archivo.dmg 

Compare this value with the official checksum provided by the developer. If they match, the file is valid.

2. Verification with PGP Signature

Install  GnuPG  (if you don’t have it):

brew install gnupg

Import the developer’s public key:

gpg --import clave_publica.asc

Command to verify :

gpg --verify firma.sig archivo.dmg

Expected output :

gpg: Firmado el [fecha] por [nombre del desarrollador] 
gpg: Firma correcta de [clave pública del desarrollador] 

If you see “Good signature” (“Firma correcta” in the Spanish output shown above), the signature is valid. If you see “BAD signature”, the file is not authentic.

3. Signed Code Verification

Command :

codesign --verify --verbose /ruta/a/la/aplicacion.app

Expected output :

/ruta/a/la/aplicacion.app: valid on disk 
/ruta/a/la/aplicacion.app: satisfies its Designated Requirement 

If “valid on disk” appears, the code is correctly signed. This confirms the signature is intact; it does not by itself tell you who signed the app, so also check that the signing identity (codesign -d --verbose prints it in the Authority= lines) belongs to the official developer.


Verification in Windows

1. Using Checksums with PowerShell

Command :

Get-FileHash -Algorithm SHA256 .\archivo.exe

Expected output :

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0U1V2W3X4Y5Z6                   .\archivo.exe

Compare the Hash value with the official checksum. PowerShell prints the hash in uppercase; hexadecimal digits compare case-insensitively, so A1B2… and a1b2… are the same value.

2. Integrated Digital Signature Verification

Steps :

Right-click the .exe file > Properties > Digital Signatures tab. Select the signature and click Details.

Expected output : A message like “The digital signature is valid” should appear. The name of the signer should match the official developer.

3. Using CertUtil (Alternative)

Command :

CertUtil -hashfile archivo.exe SHA256

Expected output :

SHA256 hash de archivo.exe: 
a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 
CertUtil: -hashfile comando completado correctamente. 

Compare the hash with the official value.


Verification on Linux

1. Checksum with Terminal

Command :

sha256sum archivo.tar.gz

Expected output :

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6 archivo.tar.gz 

Compare this value with the official checksum.

2. Validation with GPG

Command to verify :

gpg --verify firma.sig archivo.tar.gz

Expected output :

gpg: Firmado el [fecha] por [nombre del desarrollador] 
gpg: Firma correcta de [clave pública del desarrollador] 

If you see “Good signature” (“Firma correcta” in the Spanish output shown above), the signature is valid. If you see “BAD signature”, the file is not authentic.


How to Know the Process is Correct

  1. Checksums : The generated value must exactly match the one provided by the developer.
  2. PGP/GPG Signatures : “Good signature” must appear and the name of the signer must be that of the developer.
  3. Signed Code (macOS/Windows) : Should display messages like “valid on disk” or “The digital signature is valid”.

Differences between verifying with Checksum, with the developer’s Public Key or with Integrated Digital Signature

1. Verification with Checksum (Hash)

What is it?

As noted above, a checksum is a “fingerprint” of the file, generated using an algorithm (such as SHA-256 or MD5). It allows you to confirm that the file has not been altered or corrupted during download.

Security Level

Advantage :

It’s quick and easy. It ensures that the file has not been modified or damaged.

Limitation :

It doesn’t guarantee  authenticity . If an attacker modifies the file and also alters the checksum on the website, you won’t be able to detect the tampering. You’re relying on the developer’s website not having been compromised.

Summary :

The checksum is useful for verifying  integrity , but not for confirming  authenticity .


2. Verification with Developer Public Key (PGP/GPG)

What is it?

The developer’s public key is part of an asymmetric (public-key) cryptosystem such as PGP or GPG. The developer signs the file with their private key, and you use their public key to verify that the signature is authentic.

How does it work?

The developer signs the file with their private key and publishes the signature (a .sig or .asc file) along with their public key.

You import the developer’s public key and use a tool (like gpg) to verify the signature.

If the signature is valid, it means that the file was created by the developer and has not been altered.

Security Level

Advantage :

It guarantees both  integrity  and  authenticity . It is much more secure than a checksum, since an attacker cannot forge the signature without access to the developer’s private key.

Limitation :

It requires a bit more effort (importing public keys, verifying signatures, etc.). You depend on the developer’s public key being authentic and not having been compromised, so obtain the key (or at least its fingerprint, as shown by gpg --fingerprint) from a channel you trust, not only from the same download page as the file.

Summary :

Public key verification is more secure because it guarantees that the file is authentic and has not been tampered with.
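As an added example, not part of the original article, the following POSIX shell function implements the check described in this section and in the gpg steps of the macOS and Linux sections: it reads gpg's machine-readable status lines (the output of gpg --status-fd 1 --verify firma.sig archivo.tar.gz), which do not change with the locale the way “Good signature”/“Firma correcta” do, and accepts the file only when the signature is good and the signing key's fingerprint equals the one you obtained from the developer through a trusted channel. The function name, the sample status lines, and the fingerprint values are constructed for this example.

```shell
#!/bin/sh
# Added example (not the article's own): judge a gpg verification from its
# machine-readable status lines and pin the signing key's fingerprint.
# check_gpg_status and the sample data below are this example's own.

# Usage: gpg --status-fd 1 --verify firma.sig archivo.tar.gz 2>/dev/null \
#            | check_gpg_status EXPECTED_FINGERPRINT
# Returns 0 only for a good signature made by the key with that fingerprint.
# Spaces in the expected fingerprint (as gpg --fingerprint prints it) are ignored.
check_gpg_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0; bad=0; err=0; nokey=0; fpr=""
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue     # skip anything that is not a status line
        case "$keyword" in
            GOODSIG)   good=1 ;;                # signature verified against an imported key
            BADSIG)    bad=1 ;;                 # signature does not match the file
            ERRSIG)    err=1 ;;                 # signature could not be checked at all
            NO_PUBKEY) nokey=1 ;;               # signing key was never imported
            VALIDSIG)  fpr=${rest%% *} ;;       # first field is the signing key's fingerprint
        esac
    done
    if [ "$nokey" -eq 1 ]; then
        echo "Signing key not imported: run gpg --import on the developer's key first"; return 1
    fi
    if [ "$bad" -eq 1 ]; then
        echo "BAD signature: the file is not authentic"; return 1
    fi
    if [ "$err" -eq 1 ] || [ "$good" -ne 1 ] || [ -z "$fpr" ]; then
        echo "No valid signature found"; return 1
    fi
    if [ "$fpr" != "$want" ]; then
        echo "Good signature, but from key $fpr, not the expected $want"; return 1
    fi
    echo "Good signature from the expected key $fpr"
    return 0
}

# Constructed status output in the format gpg documents for --status-fd
# (key id, user id, dates and fingerprint are made up for this example).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Developer <dev@example.org>'

DEV_FPR="89AB CDEF 0123 4567 89AB CDEF 0123 4567 89AB CDEF"   # what the developer publishes
OTHER_FPR="0000000000000000000000000000000000000000"           # some other key

printf '%s\n' "$GOOD_STATUS" | check_gpg_status "$DEV_FPR"    # accepted
printf '%s\n' "$GOOD_STATUS" | check_gpg_status "$OTHER_FPR"  # good signature, wrong key
printf '%s\n' "$BAD_STATUS"  | check_gpg_status "$DEV_FPR"    # rejected
```

The second call is the case the limitation above is about: gpg reports a good signature because some imported key matches, but that key is not the developer's. gpg flags the same situation with a TRUST_UNDEFINED status line and the warning “This key is not certified with a trusted signature” when the key is not linked to your web of trust; pinning the fingerprint is the manual equivalent of that certification.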


What is Integrated Digital Signature Verification?

An embedded digital signature is a security seal that developers add directly to their executable files (such as .exe on Windows or .app on macOS). This signature is created using a digital certificate issued by a trusted Certificate Authority (CA).

  • On Windows : .exe and .msi files usually include a digital signature.
  • On macOS : .app bundles can be signed with an Apple developer certificate.

How does it work?

The developer obtains a digital certificate from a Certification Authority (CA).

The developer uses their private key to sign the file.

When you run or install the software, the operating system automatically verifies the signature using the certificate’s public key.

If the signature is valid, the system confirms that the file is authentic and has not been altered.

Security Level

Advantages

Authenticity : The digital signature guarantees that the file was created by the official developer.

Integrity : If the file has been modified after signing, the verification will fail.

Automation : The operating system verifies the signature automatically, without the need for additional tools.

Trust : Certificates are issued by trusted Certificate Authorities (CAs), adding an additional layer of security.

Limitations

CA Dependency : If the Certificate Authority is compromised, an attacker could forge signatures.

Not always available : Not all files have a digital signature built in, especially in open source software or software developed by individuals.

Security Comparison

Integrity
  • Checksum : Yes (verifies that the file has not been altered).
  • Public Key (PGP/GPG) : Yes (verifies that the file has not been altered).
  • Integrated Digital Signature : Yes (verifies that the file has not been altered).

Authenticity
  • Checksum : No (does not guarantee who created the file).
  • Public Key (PGP/GPG) : Yes (ensures the file was created by the developer).
  • Integrated Digital Signature : Yes (ensures the file was created by the developer).

Ease of use
  • Checksum : Very easy (just compare values).
  • Public Key (PGP/GPG) : Requires more steps (import keys, verify signatures).
  • Integrated Digital Signature : Automatic (the operating system does it for you).

Resistance to attacks
  • Checksum : Low (an attacker can modify the file and the checksum).
  • Public Key (PGP/GPG) : High (an attacker cannot forge the signature without the private key).
  • Integrated Digital Signature : High (depends on the security of the Certification Authority).

Requirements
  • Checksum : You only need the official checksum.
  • Public Key (PGP/GPG) : You need the developer’s public key.
  • Integrated Digital Signature : You need a digital certificate issued by a CA.

When to use each method?

Checksum : For quick and easy verification. When no digital signature or public key is available.

Public Key (PGP/GPG) : When you need maximum security and the developer provides PGP signatures. For open source or community-developed software.

Integrated Digital Signature : When the software comes from companies or developers that use digital certificates. For commercial software or software distributed on official platforms (such as the Microsoft Store or Apple App Store).