Best practices for downloading artifacts
Jane
Posted on March 2, 2023
Here comes another post related to security. It is not a new topic, but I am writing this post thinking that a new software engineer might find it useful, as I did. This is not something I learned at school (I assume anyone who majored in security already has a decent understanding of it). My point is that I am learning these things by working on my current projects alongside a bunch of experienced engineers. I hope everyone else has the same privilege; if not, I am trying to share what I learned here as much as I can.
Let's get to the point!
Daily computer use involves a bunch of software and applications pulled from the Internet that make life easier for the user. Those add-ons are unavoidable unless you choose to build everything on your own. We pull things from the Internet every day, whether as ordinary users or as part of our job. The point I want to make is that this is exactly where an attacker can step in: while the network traffic that drags an app or piece of software onto our local machine is in progress, what arrives is not necessarily what the publisher built. One small habit I have adopted for security's sake is to always verify software before using it, with a checksum or a GPG signature (you may need to install the tools if you don't have them locally already).
What is a checksum?
Wikipedia states:
A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity.
It looks like this: 56430090dd471e106fdc48463027d89de624759f8757248ced9776978854e4f6. This string is paired with another object, for example the application or software you download from the Internet. Recomputing it over the file you received and comparing it with the published value tells you whether the file is byte-for-byte the one the publisher built, or whether it was corrupted or replaced on the way. Note that this only holds if the published checksum reaches you through a channel the attacker cannot tamper with as well; a checksum served next to the download from the same compromised server proves nothing, which is why the GPG signature method described further down is the stronger option.
For example, if you intend to download PyCharm and install it on your machine, you obviously don't want to install any other malicious software. However, who knows, an attacker might gain control of your network and replace that PyCharm archive with some piece of malware. So, as a best practice, you should verify the download before you run the installation. Here is how you can use a checksum, with PyCharm as the example:
In your terminal, navigate to the directory where your download is located and run:
shasum -a 256 pycharm-professional-2022.3.2.tar.gz
It returns this SHA-256:
56430090dd471e106fdc48463027d89de624759f8757248ced9776978854e4f6
Compare it with the checksum published on the download page of the application or software you intend to pull. The two must match exactly; if they don't, delete the file and do not install it.
In my case, PyCharm publishes it here.
Another way of checking software is to use GPG, which goes further than a checksum: a valid signature made with the publisher's key proves both that the file is intact and that it came from whoever holds that key (authenticity), not merely that it matches a number. Here is more info about GPG.
For this option, in addition to downloading the software, you have to download the detached signature file as well, and you need the publisher's public key in your keyring. Check that key's fingerprint against a value published somewhere other than the download itself (the project's website, its documentation, or an earlier release you already trust); otherwise an attacker who replaced the file could just as easily supply a signature from a key of their own, and gpg would still print "Good signature".
For example, in your terminal you can run the following command:
gpg --verify gnupg-2.2.41.tar.bz2.sig gnupg-2.2.41.tar.bz2
Some vendors, like Zoom, provide their public key and you have to import it first. Here is what I extracted from Zoom's download instruction page for Fedora:
Zoom's rpm packages are signed with a GPG key. Please run "rpm --import package-signing-key.pub" to import the key in case the package management utility asks for a missing public key.
Check out the original page here.
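The GPG procedure above (download the .sig, import the publisher's key, run gpg --verify) stops one step short of what a practitioner needs: "Good signature" only says the signature matches some key in your keyring, not that the key is the publisher's. The following script is an added example, not code from the original post, from GnuPG or from Zoom. It verifies a detached signature in a throwaway keyring and accepts the result only if the signing key's fingerprint equals one pinned from an out-of-band source. The key file name, signature file and PINNED_FPR in the usage comment are assumptions the caller supplies; the status-line samples at the bottom are constructed for an offline run, not recorded from a real release.

```shell
#!/bin/sh
# Added example, not code from the original post or from GnuPG/Zoom:
# verify a detached GPG signature and insist that the signing key
# matches a fingerprint pinned from an out-of-band source, instead of
# stopping at gpg's "Good signature" line. Key file, signature file and
# fingerprint are assumptions supplied by the caller.

# check_gpg_status STATUS_TEXT EXPECTED_FPR
# Parses the machine-readable "[GNUPG:] ..." lines gpg emits with
# --status-fd. Returns 0 only when gpg reported GOODSIG (so BADSIG,
# ERRSIG, EXPKEYSIG and REVKEYSIG are all rejected) and the VALIDSIG
# line carries the expected fingerprint, either as the signing (sub)key
# fingerprint (3rd field) or as the primary key fingerprint (last field).
# Spaces and lower-case hex in the pinned value are tolerated because
# vendor pages print fingerprints both ways.
check_gpg_status() {
  status="$1"
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  printf '%s\n' "$status" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
    END { exit ((good && valid) ? 0 : 1) }'
}

# gpg_verify_pinned SIG FILE EXPECTED_FPR [KEYFILE]
# Verifies FILE against the detached signature SIG in a throwaway
# keyring, so the result never depends on what happens to be in the
# user's ~/.gnupg or on its trust settings (the TRUST_* status lines are
# deliberately ignored; the pinned fingerprint is the trust decision).
# If KEYFILE is given it is imported into that keyring first, the
# tarball equivalent of Zoom's "rpm --import package-signing-key.pub".
gpg_verify_pinned() {
  sig="$1"; file="$2"; want="$3"; keyfile="$4"
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  if [ -n "$keyfile" ]; then
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null \
      || { rm -rf "$home"; return 1; }
  fi
  # --status-fd 1 puts the status lines on stdout; the human-readable
  # report goes to stderr and is not what the decision is made on.
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
  rm -rf "$home"
  check_gpg_status "$status" "$want"
}

# Usage with the gnupg tarball named in the post (PINNED_FPR and the key
# file name are placeholders for values taken from the project's own site):
#   gpg_verify_pinned gnupg-2.2.41.tar.bz2.sig gnupg-2.2.41.tar.bz2 "$PINNED_FPR" release-key.asc

# Constructed samples of --status-fd output (not recorded from any real
# release) so the parser can be exercised offline.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2023-03-02 1677715200 0 4 0 1 8 00 2222222222222222222222222222222222222222
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'

check_gpg_status "$SAMPLE_GOOD" 2222222222222222222222222222222222222222 && echo "good sample: accepted"
check_gpg_status "$SAMPLE_GOOD" 3333333333333333333333333333333333333333 || echo "good signature, wrong key: rejected"
check_gpg_status "$SAMPLE_BAD"  2222222222222222222222222222222222222222 || echo "bad signature: rejected"
```

The design choice worth noting is that the script decides on the VALIDSIG fingerprint, never on the exit code or the "Good signature" text alone: a good signature from the wrong key, an expired key, or a revoked key all fail. For rpm-based installs the same idea applies after "rpm --import": compare the imported key's fingerprint (rpm -qi gpg-pubkey-* shows it) with the one the vendor publishes before trusting the package.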
I think there are more ways to verify the authenticity of software out there. Feel free to leave a comment to let me and others know about all the options.
Lastly, what I find pretty useful is that the engineers who write a Containerfile that has to install some library or package always make sure to include such a verification step: the expected checksum (or the signing key's fingerprint) is pinned in the image source, so the build fails loudly when the downloaded artifact changes instead of silently shipping whatever the server returned. This one little thing closes a loophole in our application and greatly improves the security of the software we build.
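The following script is an added example, not code from the original post, from JetBrains or from any project, and it serves both the checksum procedure shown earlier with shasum and this Containerfile point: it downloads an artifact, refuses to use it unless its SHA-256 matches a value pinned in the script, and shows in a comment how the same check becomes one RUN step in a Containerfile. The URL, file name and hash in that comment are placeholders, not a real release; the sample file hashed at the bottom is constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post, from JetBrains or from
# any project: download an artifact and refuse to use it unless its
# SHA-256 matches a value pinned in the script. URL, file name and hash
# in the Containerfile comment below are placeholders.

# SHA-256 of a constructed sample file ("hello" plus a newline), used so
# the script can be exercised without network access.
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
make_sample() { printf 'hello\n' > "$1"; }

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
# Uses the "<hex>  <file>" line format (two spaces) that both
# sha256sum -c (GNU coreutils) and shasum -c (the Perl tool behind the
# post's "shasum -a 256" command on macOS) understand, so one function
# works on both. Hex case is normalised because vendor pages print either.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s  %s\n' "$expected" "$file" | sha256sum --status -c -
  else
    printf '%s  %s\n' "$expected" "$file" | shasum -a 256 --status -c -
  fi
}

# fetch_verified URL EXPECTED_HEX OUT -> downloads URL to OUT, verifies it,
# and deletes OUT on mismatch so nothing unverified is left on disk.
# EXPECTED_HEX is pinned by the caller (copied from the vendor's download
# page), never fetched from the same server as the artifact; --proto and
# --tlsv1.2 refuse plain-HTTP redirects and old TLS on the way.
fetch_verified() {
  url="$1"; expected="$2"; out="$3"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url" || return 1
  if ! verify_sha256 "$out" "$expected"; then
    printf 'checksum mismatch for %s (from %s); file removed\n' "$out" "$url" >&2
    rm -f "$out"
    return 1
  fi
}

# In a Containerfile the same idea is one RUN step with the hash pinned in
# the image source, so the build fails instead of shipping a changed file:
#   RUN curl -fsSL -o /tmp/tool.tar.gz https://example.org/tool.tar.gz \
#    && echo "<sha256 from vendor page>  /tmp/tool.tar.gz" | sha256sum -c - \
#    && tar -xzf /tmp/tool.tar.gz -C /opt && rm /tmp/tool.tar.gz

# Offline demo: the constructed sample passes; a tampered copy is rejected.
demo=$(mktemp)
make_sample "$demo"
verify_sha256 "$demo" "$SAMPLE_SHA256" && echo "sample: OK"
printf 'x' >> "$demo"
verify_sha256 "$demo" "$SAMPLE_SHA256" || echo "tampered sample: rejected"
rm -f "$demo"
```

Two habits the script bakes in are worth keeping even when typing the commands by hand: the expected hash lives in your script or image source (copied once from the vendor's page), not in a file downloaded alongside the artifact, and a mismatch removes the file rather than leaving it where a later step might install it anyway.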