Downloading software from the internet carries risk. Files can be tampered with in transit, mirrors can serve modified copies, and supply-chain attacks can replace legitimate installers with trojanised versions. Verification — checking that the file you downloaded is the file the developer published — is your primary defence.
Three Levels of Download Verification
Level 1: Checksum Verification (Integrity)
A checksum (hash) verifies that the file hasn’t been altered. The developer publishes a hash (SHA-256 is standard), and you compute the hash of your downloaded file to compare.
What it proves: The file you have matches the file that produced the hash.
What it doesn’t prove: That the developer’s server wasn’t compromised (if both the file and the hash are replaced together).
For a detailed walkthrough, see our guide on How to Verify Checksums.
Level 2: GPG Signature Verification (Authenticity)
A GPG (GNU Privacy Guard) signature proves that the file was signed by a specific private key. If you trust the developer’s public key, a valid signature confirms the file came from them.
What it proves: The file was signed by the holder of the private key, and hasn’t been modified since signing.
What it doesn’t prove: That the private key hasn’t been compromised (though this is a much higher bar for attackers).
Level 3: Signed Packages (Platform-Verified Authenticity)
Operating system package managers (Windows Package Manager, apt, brew) can verify code signatures against trusted certificate authorities. This is the strongest common form of verification because the trust chain is managed by the platform.
What it proves: The package was signed by a developer whose identity was verified by a certificate authority, and the OS trusts that authority.
Checksum Verification on Windows
Most developers provide SHA-256 hashes on their download pages.
Using PowerShell
```powershell
Get-FileHash -Algorithm SHA256 "C:\Downloads\software-installer.exe"
```
Compare the output hash with the one published on the developer’s website. They must match exactly.
Using CertUtil
```
certutil -hashfile "C:\Downloads\software-installer.exe" SHA256
```
Automation Tip
Create a simple PowerShell function:
```powershell
# Compare a file's SHA-256 with the hash the developer published.
# Get-FileHash returns uppercase hex and -eq is case-insensitive in PowerShell,
# so ToUpper() is belt-and-braces; Trim() removes copy-and-paste whitespace.
function Verify-Hash {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ExpectedHash
    )
    $actual = (Get-FileHash -Algorithm SHA256 -Path $FilePath).Hash
    if ($actual -eq $ExpectedHash.ToUpper().Trim()) {
        Write-Host "✓ Hash matches" -ForegroundColor Green
    } else {
        Write-Host "✗ Hash mismatch!" -ForegroundColor Red
        Write-Host "Expected: $ExpectedHash"
        Write-Host "Actual:   $actual"
    }
}

# Example call (paste the hash from the download page as the second argument):
Verify-Hash -FilePath "C:\Downloads\software-installer.exe" -ExpectedHash "<published SHA-256>"
```
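Many developers publish a single SHA256SUMS file covering every download rather than one hash per page. As an added example (not code from the original page), this Python script parses that `sha256sum` layout, hashes the download in chunks and compares in constant time; it assumes Python is available on the machine and that the sums file and download path are passed on the command line.

```python
import hashlib
import hmac
import re
import sys

# sha256sum format, one entry per line: "<hex>  <name>"; a leading "*" on the
# name marks binary mode and is not part of the file name.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_sums(text):
    """Map file name -> lowercase SHA-256 hex from SHA256SUMS-style text."""
    sums = {}
    for line in text.splitlines():
        m = _SUMS_LINE.match(line.strip())
        if m:  # blank lines, comments and malformed lines are skipped
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-GB installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check(name, actual_hex, sums):
    """Return 'OK', 'MISMATCH' or 'MISSING' for one downloaded file."""
    expected = sums.get(name)
    if expected is None:
        return "MISSING"
    # Normalise case, then compare in constant time.
    return "OK" if hmac.compare_digest(actual_hex.lower(), expected) else "MISMATCH"

if __name__ == "__main__":
    # usage: verify_sums.py SHA256SUMS C:\Downloads\software-installer.exe
    sums_path, file_path = sys.argv[1], sys.argv[2]
    with open(sums_path, encoding="utf-8") as f:
        table = parse_sums(f.read())
    name = file_path.replace("\\", "/").rsplit("/", 1)[-1]
    result = check(name, sha256_file(file_path), table)
    print(f"{result}: {name}")
    sys.exit(0 if result == "OK" else 1)
```

A non-zero exit status on MISMATCH or MISSING lets the script gate an automated install step.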
GPG Signature Verification on Windows
GPG signatures provide stronger assurance than checksums alone. Here’s the workflow:
Step 1: Install GPG
Download Gpg4win from gpg4win.org and verify the installer’s checksum (yes, verify the verifier).
Step 2: Import the Developer’s Public Key
Developers publish their public keys on their websites, keyservers, or GitHub:
```bash
gpg --import developer-key.asc
# Or from a keyserver:
gpg --keyserver hkps://keys.openpgp.org --recv-keys KEYID
```
Step 3: Verify the Signature
```bash
gpg --verify software-installer.exe.sig software-installer.exe
```
A “Good signature” message confirms the file is authentic, provided the key really belongs to the developer (see Step 4). A “BAD signature” means the file was tampered with or the wrong key was used.
Step 4: Verify the Key’s Fingerprint
Compare the key fingerprint with what the developer publishes on their website (over HTTPS) or on their verified social media profiles:
```bash
gpg --fingerprint KEYID
```
This is the critical step most people skip. Without verifying the key belongs to who you think it does, you might be trusting an attacker’s key.
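A “Good signature” on its own only says that some key in your keyring signed the file. As an added example (not code from the original page or from GnuPG), this Python helper enforces Step 4 in scripts by pinning the developer's fingerprint and reading gpg's machine-readable `--status-fd` output; it assumes `gpg` is on the PATH and the developer's key has been imported, and the fingerprints, key IDs and status lines in the test are constructed.

```python
import subprocess

# Machine-readable status lines that gpg emits with --status-fd
# (documented in doc/DETAILS of the GnuPG source).
_PREFIX = "[GNUPG:] "

def normalise_fpr(fpr):
    """'AAAA BBBB ...' and 'aaaabbbb...' compare equal."""
    return fpr.replace(" ", "").upper()

def evaluate_status(status_text, pinned_fpr):
    """Accept only GOODSIG + VALIDSIG whose fingerprint matches the pinned one.

    Returns (accepted, reason). A plain 'Good signature' is not enough: it
    only says some key in the keyring signed the file, not the developer's.
    """
    pinned = normalise_fpr(pinned_fpr)
    good, fprs = False, set()
    for line in status_text.splitlines():
        if not line.startswith(_PREFIX):
            continue
        fields = line[len(_PREFIX):].split()
        kw = fields[0] if fields else ""
        if kw == "BADSIG":
            return False, "BAD signature: file or signature was modified"
        if kw in ("ERRSIG", "NO_PUBKEY"):
            return False, "signing key not in keyring: import it first"
        if kw in ("EXPKEYSIG", "REVKEYSIG"):
            return False, "signature made with an expired or revoked key"
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG" and len(fields) >= 2:
            fprs.add(normalise_fpr(fields[1]))       # signing (sub)key
            if len(fields) >= 11:
                fprs.add(normalise_fpr(fields[10]))  # primary key
    if not good or not fprs:
        return False, "no valid signature found"
    if pinned not in fprs:
        return False, "good signature, but NOT from the pinned key"
    return True, "good signature from the pinned key"

def verify_download(sig_path, file_path, pinned_fpr, gpg="gpg"):
    """Run gpg (the developer's key must already be imported) and evaluate."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout, pinned_fpr)
```

Take the pinned fingerprint from the developer's HTTPS site, not from the key itself, otherwise the check proves nothing.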
Code-Signed Packages on Windows
Windows SmartScreen and Authenticode
Windows executables can be Authenticode-signed. When you run a signed installer, SmartScreen verifies the signature. Unsigned executables trigger a warning.
To check a file’s signature manually:
- Right-click the file → Properties → Digital Signatures tab
- Select the signature and click Details
- Verify the signer’s name and that the signature is valid
Windows Package Manager (winget)
```powershell
winget install --id VeraCrypt.VeraCrypt
```
Packages in the winget repository include manifest hashes. The package manager verifies integrity automatically.
When to Use Each Level
| Scenario | Minimum Verification |
|---|---|
| Downloading from the official website (HTTPS) | Checksum (SHA-256) |
| Downloading from a mirror or third-party | GPG signature |
| Security-critical software (encryption tools, password managers) | GPG signature + key fingerprint verification |
| Installing via package manager (winget, apt) | Automatic (built-in signature verification) |
| Any download where the developer provides a GPG signature | Always verify it — it’s free assurance |
Practical Checklist
- Always download from official sources via HTTPS
- Verify SHA-256 checksums for every download — make it a habit
- Use GPG verification for security-critical software
- Verify the GPG key fingerprint against the developer’s published fingerprint
- Use package managers when available — they handle verification automatically
- Be suspicious of downloads without checksums — reputable developers provide them
For more on safe download practices, see Avoiding Trojanised Installers.
Further Reading
- GnuPG Documentation — Official GPG reference
- Gpg4win — Email encryption and file verification — GPG for Windows
- Microsoft — Authenticode code signing — Windows code signing
- NIST SP 800-184 — Guide for cybersecurity event recovery — Supply chain integrity
- CISA — Software supply chain security — Government guidance on download integrity