HOW TO VERIFY YOUR DOWNLOADED FILES ARE AUTHENTIC (Jolly Roger’s Security Guide for Beginners)


I just had a realization about something that is pretty important and I wanted to share it with you, regarding security: verifying your downloads.

As a general rule of thumb, you should always download files from the home pages of their respective developers.

TOR: https://www.torproject.org
Tails: https://www.tails.boum.org
Virtual Box: https://www.virtualbox.org/

The reason this is so important is that there are people who host maliciously modified versions of these programs on legitimate-looking sites, hoping you will download their version, which can install things like backdoors, keyloggers, and all types of nasty surprises on your computer. Sometimes developers offer mirrors for their projects, which are simply alternative links to download from in case the main server is too slow or down. Sometimes these mirrors become compromised without the developers’ knowledge.

Maybe you do not have TOR or Tails on your laptop and you are traveling out of the country and the hotel that you are staying at has TOR’s homepage blocked. There are times when you may need to find an alternative mirror to download certain things. Then of course there is the infamous man-in-the-middle attack where an attacker can inject malicious code into your network traffic and alter the file you are downloading. The TOR developers have even reported that attackers have the capability of tricking your browser into thinking you are visiting the TOR home page when in fact you are not.

So what do you do about it? You can verify that the file you downloaded is in fact legitimate. The best tool for this is GnuPG, and the TOR developers recommend that Windows users get it from the following page.


You can install this program on your USB drive or on your actual computer (you will hear your actual computer’s operating system referred to as your Host OS). So download it, run it, install it, and we will start showing you how to use GnuPG.

If you remain on the GnuPG download page you will see something under the big green box called OpenPGP signature. Download that into the same folder as the GnuPG file; this is the file the download was signed with, basically someone’s signature saying “I made this file.” You also need a PGP public key to verify the signature. To sum it up so far: the signature is created with the PGP private key and can be verified with the PGP public key, and the signature file is what verifies the program itself. So let us grab the PGP public key for GnuPG as well.

If you look on the same download page, under the heading Installation, you will see a link that says verify the integrity of the file. It will lead you to the following page.


Note where it says the following statement: The signatures have been created with the following OpenPGP certificate Intevation File Distribution Key (Key ID: EC70B1B8). This is the link to the page that hosts the PGP public key file that you need to download, so go there. On the page we just navigated to, go to the bottom right where it says Intevation-Distribution-Key (public OpenPGP key for signing files) and download that file. This is the PGP public key file; save it to the same place as your signature file for ease of use.

Okay, now that we have both the signature file and the PGP public key, let us verify our download. The first thing you need to do is navigate to the PGP public key file, called Intevation-Distribution-Key.asc, right-click it, go to More GpgEX Options and down to Import Keys. This will import the PGP public key into your key ring, and now you can verify the file with the signature.

Right-click the actual file you want to verify, in this case gpg4win-2.2.1.exe, go to More GpgEX Options and down to Verify. It should automatically detect the signature file where it says Input File, but if it does not, navigate to the signature file and make sure the box below it that says Input file is a detached signature is checked. Look at the bottom, click Decrypt/Verify, and you will likely get the following message.

Not enough information to check signature validity. Check details.

Believe it or not, this is completely fine. Click on show details; you are looking for a specific result.

Signed on 2013-10-07 08:31 by [email protected] (Key ID: 0xEC70B1B8). The validity of the signature cannot be verified.

If you navigate back to the page from Gpg4Win that says Check Integrity, where you found the link to the page that contained the PGP public key, you will see on that page:

Intevation File Distribution Key (Key ID: EC70B1B8)

Compare the key ID from your decrypt result with the key ID from the Check Integrity page, and note that the email address ends in the same domain that we downloaded the PGP public key from. We have a match! I will explain the reason for this warning message later.

Now that we have verified that our verification program is legit, let us try to verify our Tails ISO file, since if we have a compromised Tails OS, nothing we do will be anonymous. Let us get right to the Tails download page.


Scroll down to where it says Tails 0.22 signature and download that to your Tails folder, where you have the ISO file that we already downloaded. Next scroll down to where it says Tails signing key; this is our PGP public key. Exact same procedure: import the key, then click Verify and specify the signature file if it has not already been specified for you, with the exact same settings, and you will get the same warning message. As explained by Tails:


If you see the following warning:

Not enough information to check the signature validity.
Signed on … by [email protected] (Key ID: 0xBE2CD9C1)
The validity of the signature cannot be verified.

Then the ISO image is still correct, and valid according to the Tails signing key that you downloaded. This warning is related to the trust that you put in the Tails signing key. See, Trusting Tails signing key. To remove this warning you would have to personally sign the Tails signing key with your own key.

In other words, you need to basically promise that the PGP public key you downloaded is safe by signing it with your own private key, but we do not really need to do that and I will not be including a tutorial on how to do it. Tails explains that if you are worried about a compromised PGP public key, just download the key from multiple sources and compare them; if they all match, there is a good chance you are using a legit PGP key. Now let us finally move on to TOR, because this one will be a little less straightforward, but once you do this one you should be able to figure out how to verify anything. Navigate to their download page and find the package that you want.


To keep things simple let us choose Tor Browser Bundle 3.5; under the orange box you will see a link (sig). This is the link for the signature file, and I hope by now you know what to do with it. Next we need the PGP public key, right? Well, it turns out that with so many developers working on TOR, there are multiple PGP public keys, and certain bundles were signed with different keys than others. So we need to find the PGP public key that belongs to our Tor Browser Bundle. Check out this page.


It has a list of all the signing keys that they use, and you can certainly use these key IDs to get what we want. Simply right-click the signature file and click Verify. You will get a warning.

Not enough information to check signature validity. Show Details

And in details it will say the following warning.

Signed on 2013-12-19 08:34 with unknown certificate 0x416F061063FEE659

Keep this entire number in mind for later; it is called a fingerprint. But for now, if you just compare the last 8 digits to Erinn Clark’s key ID (0x63FEE659) provided on the above page, you will see they match, and she is the person who signs the Tor Browser Bundles. But we want to be a bit more thorough; never settle for mediocrity.

Go to your task bar in Windows and find the program called Kleopatra; it looks like a red circle with a small white square in it. Right-click it and go to Open Certificate Manager. We are going to import the full keys using this manager. Also note that if you go to the tab that says Other Certificates you will find the Tails and Intevation (GnuPG) keys we used earlier, stored for the future when you need to download a new version of those programs and verify them again.

We are going to be following the instructions from the verifying signatures page on the TOR Project website. Feel free to follow along from that page so you know what I am talking about and where I am getting my URL and numbers from.


In order to import keys, we first need to add an online directory where they are stored. So let us add the online directory where the PGP public keys are stored according to the TOR website. Click Settings, then Configure Kleopatra. Next, click New and enter the following URL, which I took right from the page above: pool.sks-keyservers.net. Leave everything else as default and click OK.

Finally, click the button that says Lookup Certificates On Server, and we will search for Erinn Clark’s PGP public key using the fingerprint provided on the TOR website page called Verifying Signatures above; remember, she is the developer who signs the Tor Browser Bundle. The fingerprint we are entering is 0x416F061063FEE659. Does this number look familiar? It should; it is the number we got back the first time we tried verifying, before we had the actual PGP public key. If any warnings pop up when searching, just click OK and it should bring up Erinn Clark’s key; select it and click Import. You should now have her key listed under Imported Certificates.

Now let us go back and verify that signature one more time and see what happens. You should get something like the following.

Not enough information to check signature validity.

Signed on 201-12-17 12:41 by [email protected] (Key ID: 0x63FEE659).
The validity of the signature cannot be verified.

TOR also explains this warning message in their own words, in case you are still not happy with it.


Notice that there is a warning because you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

I do not know about you, but I am happy with the result here, and I am certainly not going to track down Erinn Clark to get her key fingerprint, and it looks like our TOR Browser Bundle is legitimate as well! Now you know what to do when the PGP public key file is not directly hosted on the site itself, you have no more excuses to not verify your downloads.
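As an added example (not from this guide, Gpg4win or the Tor Project), here is the same check done on the command line: `gpg --status-fd 1 --verify <file>.sig <file>` prints machine-readable status lines, and the script below classifies them and compares the signing key’s full fingerprint to the one the developer published, distinguishing the “unknown certificate” result (key not imported) from the “validity cannot be verified” result (good signature, key not yet trusted). The status samples are constructed from the Intevation fingerprint and the Tor key ID quoted on this page with constructed timestamps; note that 0x416F061063FEE659 is a 16-hex-digit long key ID, while a full fingerprint has 40.

```python
import re

# Constructed samples of `gpg --status-fd 1 --verify <file>.sig <file>` output;
# the line format is documented in GnuPG's doc/DETAILS. Timestamps are constructed.
# Case 1: the "unknown certificate" result seen before the Tor key was imported.
# The 16 hex digits are the long key ID, not a 40-digit fingerprint.
STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 416F061063FEE659 17 2 00 1387442040 9
[GNUPG:] NO_PUBKEY 416F061063FEE659
"""
# Case 2: the "validity cannot be verified" result: good signature from the
# Intevation key (fingerprint as quoted on this page), key imported but not trusted.
INTEVATION_FPR = "61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8"
STATUS_GOOD_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7CBD620BEC70B1B8 Intevation File Distribution Key
[GNUPG:] VALIDSIG 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8 2013-10-07 1381134660 0 4 0 17 2 00 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def normalize_fpr(text):
    """Drop spaces, colons and a leading 0x so a published fingerprint compares cleanly."""
    return re.sub(r"^0x|[\s:]", "", text.strip(), flags=re.IGNORECASE).upper()


def check_signature(status_text, expected_fpr):
    """Classify one gpg verify run against the fingerprint the developer published.
    Returns 'no_pubkey', 'bad_signature', 'fingerprint_mismatch',
    'good_untrusted' or 'good_trusted'."""
    tags = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            tags[fields[1]] = fields[2:]
    if "BADSIG" in tags:
        return "bad_signature"        # file altered, or signed by a different key
    if "NO_PUBKEY" in tags or "VALIDSIG" not in tags:
        return "no_pubkey"            # import the key (by full fingerprint) and retry
    # Compare the whole 40-digit fingerprint, never just the last 8 digits:
    # short key IDs can be collided cheaply, full fingerprints cannot.
    if tags["VALIDSIG"][0] != normalize_fpr(expected_fpr):
        return "fingerprint_mismatch"
    if "TRUST_FULLY" in tags or "TRUST_ULTIMATE" in tags:
        return "good_trusted"
    return "good_untrusted"           # the warning above: file is correct, key not yet trusted
```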


  1. “go to the bottom right where it says Intevation-Distribution-Key (public OpenPGP key for signing files) and download that file”
    I cannot download it, for what appears is a screen showing the following info:
    pub 1024D/EC70B1B8 2010-03-19 [expires: 2020-03-16]
    Key fingerprint = 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8
    uid Intevation File Distribution Key

    Version: GnuPG v1.4.9 (GNU/Linux)


    How should I proceed?
    Thanks in advance!

  2. how you can trust this?!?!?
    1- you download a program to verify other programs
    2- you use a .sig + public key to verify that your verifier program is valid
    3- you use that valid program to verify other files

    now here we have 2 problems:
    1- what if the program is fake, the sig file and public key too? seems all ok but isn’t
    2-let’s say that the verifier program is correct how can you use it?
    it will tell you that the program and .sig file match but it doesn’t tell you who made the exe and sig file

    the only way to trust it is to meet everyone.
    you meet the GnuPG author to get the public key to be sure that everything is correct, but this way you no longer need to verify the download; you can simply get the exe from him

    same with tor, you have to meet the author to get a VALID public key

  3. How do I verify, for example, the Tails iso using gpg4usb???

  4. No.No.No. Don’t trust this security model. WHY? Just because it is wrong in one important point ..HTTPS and SSL/TLS and certificate trust chain is compromised by default. Your Windows is full of backdoored APIs and undocumented too!!! You all know by WHO! What is compromised first in SSL TLS and every standard key generation API?..This is the random number generator used for key generation and protocol implementation by itself.
    What does this mean?=>> All your standard secured connections can be intercepted MITM injected with what is needed for a successful attack of your system! What can be injected? ->>Fake content like a backdoor in your downloaded file from a legit domain with SSL and a fake corresponding MD5/HASH128-512 or PGP key for this file, or a Spy can inject a valid signed but backdoored file, or just inject poisoned JS, java drive by, flash exploit or else. It is not a very good idea to trust every file or page if you want to be more protected. Against this you can use sandbox and monitoring tools to check your downloaded file behavior, or you can catch this file with strong setup rules in your behavior-ruled antivirus tool and firewall, or you can install this file first in a frozen OS with tools like deepfreeze and then monitor its behavior for one day to decide whether it is clean or not and then install in the real OS. A Virtual OS captured before the test can be used too for the same test task.
    Be good

  5. In Kleopatra I tried to add the directory service http://pool.sks-keyservers.net. I clicked “New”, the preexisting directory doubled, I selected “http”…that was all I could do. How to add the rest?

  6. Version: GnuPG v2

    How should I proceed for Samsung Galaxy A36?

  7. The average joe

    No wonder there are so many compromised systems out there. The average user would need a geek interpreter to decipher the instructions you give. (It sounds more like the legalese you find in contract law than an explanation – i.e. the party of the first part wishes the party of the second part and unsuspecting party of the third part, namely Got software and its wholly owned subsidiaries, were not nearly so pretentious and replete with bull shit) The authors of technical tutorials often make the mistake of expecting their readers to have prior knowledge of the subject they are trying to offer instruction on.
    Unfortunately, there is a lack of well written beginner tutorials to fill this need. Consequently, the average user becomes frustrated trying to understand argot, just gives up and says to hell with it and downloads and uses potentially dangerous software.
    If you really want to greatly improve the validity of software on the net, how about penning a few simple and straight forward articles in layman terms that are geared at explaining how software verification works in the first place, rather than engaging in an intellectual circle jerk designed specifically to impress those already in the know.
    Maybe then, when the general public truly understands the vulnerabilities of software and how protection methods work, preventative techniques will be implemented more frequently, and exploits that rely on such vulnerabilities will lose their efficacy.
    REMEMBER: Bill Gates was wrong…security through obscurity really does not work at all.

  8. Instructions above about PGP are way off, poorly written at that. Blew 5 hours trying.

    • MYfnNameIs

      Really rick? It’s not that difficult, the instructions were clear to me. But as the point stated above, it’s really not secure. ESPECIALLY IN WINDOWS.

      I VM as 1 suggested check for suspicious anything. But using windows to do anything remotely nefarious isn’t a good idea.

      The above comment on running on a frozen box is best. If you do that there is no need to go through the useless task of verifying your files without checking sites to verify the keys across many DLs

      If you’re going to go deep and/or dark, you need to have a basic understanding of GnuPGP signing anyway, as it’s required for secure comms.

      They change crap so much and anyone reporting their backdoors (see Kaspersky team makers of antivirus who got kicked out of the US and all offices raided. For actually patching a backdoor a 0day and other security flaws) gets in trouble antivirus makers literally ignore Windows Sec Discoveries. I just say stay away from windows for that kinda stuff.

      Using tails, verified or not, is a risk. Like the poster above said.. you’re still trusting the developers regardless and there really is no sure-fire way to verify your DLs. Tor and Tails GNUs have some funding which is suspicious, like having grants.. whoever gives the Grant is gonna want something for their money. You can never be too paranoid.
