CERT Incident Note IN-2001-06: Verification of Downloaded Software

The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Verification of Downloaded Software</h2>

<p>Release Date: June 8, 2001</p>
<p>The CERT/CC has received reports and inquiries regarding the integrity
of downloaded software.</p>
<h3>Background</h3>
<p>When downloading software from online repositories, it is important
to consider the possibility that the site has been compromised.  One
of the threats that users face is that intruders could include
malicious code in the software packages distributed by those
sites. This code could take the form of Trojan horse programs or
backdoors.</p>
<p>There are precautions that users can take when downloading
software. There are also ways that software publishers and
distributors can provide verification of the authenticity of their
software.</p>
<h3>Users</h3>
<p>We strongly encourage users to verify cryptographic
signatures (e.g. PGP) of all downloaded software. Cryptographic
signatures provide reasonable assurance that the files have not been
modified either on the server or in transit. They also allow for
verification of the signer's identity.</p>
<p>In situations where cryptographic signatures are not provided but
some other form of checksum (e.g. MD5 hash) has been included, we
encourage users to verify the software against these
checksums. Although checksums alone provide no information about when
the checksum was generated or who generated it, they do provide some
evidence that the files have not been modified.  However, it is
possible that an intruder could have replaced both the software and
checksums. Therefore, when possible, we recommend that users compare
the checksums provided by multiple sources, such as mirror sites.</p>
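As an added example (not part of the CERT note), the mirror cross-check recommended above in Python: it parses checksum lists in the two common output formats, hashes the downloaded file, and accepts the file only when at least two independent sources publish a digest that matches it. The file bytes, mirror names and checksum lines are constructed sample data; in practice the lists come from the publisher's site and its mirrors.

```python
import hashlib

def parse_checksum_list(text: str) -> dict[str, str]:
    """Parse GNU-style ('<hex>  <file>') and BSD-style ('MD5 (<file>) = <hex>') lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if " = " in line and "(" in line:
            # BSD style as printed by `md5 file`: ALGO (name) = hexdigest
            name = line[line.index("(") + 1:line.rindex(")")]
            digest = line.rsplit("=", 1)[1]
        else:
            # GNU style as printed by md5sum/sha256sum: hexdigest, whitespace, name
            digest, name = line.split(None, 1)
            name = name.lstrip("*")  # '*' marks binary mode in md5sum output
        entries[name] = digest.strip().lower()
    return entries

def cross_check(data: bytes, filename: str, algo: str, sources: dict[str, str]) -> dict:
    """Per-source verdict ('match', 'mismatch', 'missing') plus 'agreed', which is
    True only when at least two sources list the file and every one matches the
    local digest; a single source can be replaced together with the file."""
    local = hashlib.new(algo, data).hexdigest()
    verdicts = {}
    for source, text in sources.items():
        published = parse_checksum_list(text).get(filename)
        if published is None:
            verdicts[source] = "missing"
        else:
            verdicts[source] = "match" if published == local else "mismatch"
    listed = [v for v in verdicts.values() if v != "missing"]
    agreed = len(listed) >= 2 and all(v == "match" for v in listed)
    return {"digest": local, "verdicts": verdicts, "agreed": agreed}

# Constructed sample: a stand-in for the downloaded archive and three checksum
# lists as three mirrors might publish them (mirror-b is stale or tampered).
SAMPLE_FILE = b"tool-1.0 source tarball (constructed sample bytes)\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_FILE).hexdigest()
MIRRORS = {
    "primary": f"{SAMPLE_MD5}  tool-1.0.tar.gz\n",
    "mirror-a": f"MD5 (tool-1.0.tar.gz) = {SAMPLE_MD5}\n",
    "mirror-b": "0" * 32 + " *tool-1.0.tar.gz\n",
}

if __name__ == "__main__":
    print(cross_check(SAMPLE_FILE, "tool-1.0.tar.gz", "md5", MIRRORS))
```

A checksum match only shows the file equals what the sources list; it says nothing about who produced it, which is what a PGP signature check adds.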
<p>If no signatures or checksums are provided, we
recommend that users perform a thorough examination of all downloaded source
code before compilation and installation. In the case of binaries where
examination is difficult or impossible, users may wish to perform offline
testing before installing downloaded binaries into production environments.</p>
<h3>Software Publishers &amp; Distributors</h3>
<p>We encourage anyone publishing or distributing software to use
cryptographic signatures and checksums. Publishers and distributors
should generate the signatures and checksums on a non-public machine
to reduce the risk of compromised private keys.</p>
<h3>For more information</h3>
<p>General information about Pretty Good Privacy (PGP), including some
free software implementations, can be found at</p> <dl><dd><a href="http://www.pgpi.org/">http://www.pgpi.org/</a></dd></dl>
<p>The commercial version of PGP, from PGP Security, Inc., can be found at</p>
<dl><dd><a href="http://www.pgp.com/">http://www.pgp.com/</a></dd></dl>
<p>Information about GNU Privacy Guard, a freely available
OpenPGP-compliant implementation, can be found at</p> <dl><dd><a href="http://www.gnupg.org/">http://www.gnupg.org/</a></dd></dl>
<p>Information on Trojan Horse programs can be found
in the following document:</p>
<dl>
<dd>
<a href="http://www.cert.org/advisories/CA-1999-02.html">http://www.cert.org/advisories/CA-1999-02.html</a>
</dd></dl>
<p><b>Author(s)</b>: Chad Dougherty and Allen Householder</p>
<p>Copyright 2001 Carnegie Mellon University.</p>