How do check digital signature or hash of install file?

Huyly
500 Command not understood
Posts: 4
Joined: 2010-05-11 06:58

How do check digital signature or hash of install file?

#1 Post by Huyly » 2010-05-11 07:27

I searched first but didn't find an answer to this question. Also I'm a newbie with first post and don't understand a lot of this, so go easy on me, please :?

I just downloaded the install file and saw that it was not digitally signed. Why is that? When I download Firefox and some others, it has digital signature, so I thought it would be with this, too.

In any case, my computer warns me it is risky and asks me if I want to install it anyway. So I deferred until I could look at the site some more, and I see that an SHA-512 file hash is displayed for reference.

What kind of program do I need to generate a SHA-512 hash of the download file to see that it matches? I found one that must be old and only does MD5 and SHA1 as part of Win XP. Thanks for info on this.

botg
Site Admin
Posts: 35592
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How do check digital signature or hash of install file?

#2 Post by botg » 2010-05-11 18:11

What meaning does a signature carry on its own if you do not know the authenticity of the signer?


To check the provided SHA-512 hash you can use sha512sum; it's part of the GNU coreutils.

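As an added example (not code from the thread or from the FileZilla project), a small POSIX shell function that does the sha512sum comparison described above: it normalises the digest copied from the download page, recomputes the SHA-512 of the local file and reports match or mismatch. It assumes GNU coreutils sha512sum or Perl shasum is installed; the installer file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Check a downloaded installer against the SHA-512 digest published on the
# download page. A match proves integrity only: the bytes on disk equal the
# bytes the publisher hashed. It says nothing about who the publisher is.

sha512_of() {
    # Print the lowercase hex SHA-512 of the file "$1", using GNU coreutils
    # sha512sum where present and falling back to the Perl shasum tool.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        echo "no SHA-512 tool found (install GNU coreutils)" >&2
        return 2
    fi
}

verify_sha512() {
    # $1 = path to the downloaded file, $2 = digest copied from the web page.
    # Returns 0 on match, 1 on mismatch, 2 if the input is unusable.
    file=$1
    # Normalise what was pasted: drop whitespace, lowercase the hex.
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "expected digest is not 128 hex chars (SHA-512)" >&2
        return 2
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha512_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (placeholder file name): verify_sha512 FileZilla_setup.exe <digest from the site>
```

If the site offers a `.sha512` file in sha512sum's own "digest  filename" format, `sha512sum -c that-file` performs the same comparison.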
boco
Contributor
Posts: 26954
Joined: 2006-05-01 03:28
Location: Germany

Re: How do check digital signature or hash of install file?

#3 Post by boco » 2010-05-11 20:18

I use HashTab for checking SHA512.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

Huyly
500 Command not understood
Posts: 4
Joined: 2010-05-11 06:58

Re: How do check digital signature or hash of install file?

#4 Post by Huyly » 2010-05-12 02:52

botg wrote: What meaning does a signature carry on its own if you do not know the authenticity of the signer?
I'm the newbie here. That's what I'm trying to find out, since most things I install (like Firefox, some antispyware programs, etc.) have a dig. signature from some certificate authority that my OS checks and keeps as root certificates for trusted servers, or something like that. Firefox will check for dig. signatures to help determine the authenticity, and so will (I believe) IE. Why do they do that if it's a waste of time, and alert you if a file doesn't have it?

In a similar vein, what meaning does a sha512 have if you don't know the authenticity of whoever provided the sha512? It only shows that it matches the file you downloaded and no data was lost or changed during transmission, but not if it came from the right source or even if it was the right file that does what it was supposed to do. Thanks to all for the info.

boco
Contributor
Posts: 26954
Joined: 2006-05-01 03:28
Location: Germany

Re: How do check digital signature or hash of install file?

#5 Post by boco » 2010-05-12 03:21

Huyly wrote: Since most things I install (like Firefox, some antispyware programs, etc.) have a dig. signature from some certificate authority that my OS checks and keeps as root certificates for trusted servers, or something like that. Firefox will check for dig. signatures to help determine the authenticity, and so will (I believe) IE. Why do they do that if it's a waste of time, and alert you if a file doesn't have it?
These "trusted" certificates stem from CAs (Certificate Authorities). I don't know anything about them, except that they paid big money to be "trusted". So, why should I trust them? Because they paid (and earn) big money by issuing certificates? No way. What keeps a bad guy from investing in a certificate to spread his stuff? Likewise, FileZilla NEVER silently trusts an FTP certificate and always notifies the user - YOU decide. And you should always check before you trust.

The ultimate trust FileZilla has is that you can get the complete source code and check for yourself. If you are especially paranoid then you can even compile it yourself! It can't get better than that. The SHA512 checksum is not about security, but solely about integrity. If it matches you can be sure the file on your HDD is the same as on the server. Nothing else.

botg
Site Admin
Posts: 35592
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: How do check digital signature or hash of install file?

#6 Post by botg » 2010-05-12 06:37

Regarding trust, have a look at TLS/SSL. All it takes is a single rogue CA to undermine the complete system. Common browsers, for example, already trust CAs that belong to the Chinese government. That CA issues a cert for microsoft.com. Someone redirects your internet traffic, you go to microsoft.com to download a patch, but instead you get a signed trojan seemingly originating from Microsoft, and everything on your system tells you that file is authentic. Whoops.

Huyly
500 Command not understood
Posts: 4
Joined: 2010-05-11 06:58

Re: How do check digital signature or hash of install file?

#7 Post by Huyly » 2010-05-28 09:58

boco wrote: I use HashTab for checking SHA512.
I tried HashTab, and for the FileZilla install file it only showed CRC, MD5, and SHA1 in Windows XP. Is there some other trick to get it to calculate SHA512? Thanks.

boco
Contributor
Posts: 26954
Joined: 2006-05-01 03:28
Location: Germany

Re: How do check digital signature or hash of install file?

#8 Post by boco » 2010-05-28 11:25

Use the little "Options" link or right click the CRC window and choose "Settings...". Then a window will appear where you can select the hashes you would like to be computed. Be aware that the operation becomes slower the more hashes you select here.