对下载软件/文件进行校验的工具（Checksum and GPG）

本文主要是介绍对下载软件/文件进行校验的工具（Checksum and GPG），希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

前言

之前装软件一直都没有验证安装文件的习惯，信息安全意识不高，碰巧最近没啥事，微微写篇文章记录下校验工具（互联网http、https、ftp 服务并没有那么安全，是可以被劫持篡改。老装软件选手了，是该养成个校验文件的习惯了）。

在互联网下载软件/文件的时候经常会看到官方提供了一段⌈校验和（checksum）⌋或包含校验和的文件供校验。常见的校验和有 md5、SHA 家族等。还有部分软件/文件会提供 GPG 校验文件（signature file, SIG）给下载者进行校验。

来看看这两种校验方式相关的工具。

校验和校验工具

校验和（英语：Checksum）是冗余校验的一种形式。它是通过错误检测方法，对经过空间（如通信）或时间（如计算机存储）所传送数据的完整性进行检查的一种简单方法。 -来自维基百科

Windows CertUtil

CertUtil 是 Windows 自带的文件校验和计算程序，我们可以通过它计算下载的软件/文件的 checksum 与官方提供的 checksum 作对比。

在 PowerShell 或 CMD 中可以执行 CertUtil -? 命令查看 CertUtil 支持的参数。CertUtil 的计算文件校验和命令的一般形式为

CertUtil -hashfile <path to file> <hash algorithm>

CertUtil 支持的校验和计算的哈希算法有 MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512 等。

Usage:CertUtil [Options] -hashfile InFile [HashAlgorithm]Generate and display cryptographic hash over a fileOptions:-Unicode          -- Write redirected output in Unicode-gmt              -- Display times as GMT-seconds          -- Display times with seconds and milliseconds-v                -- Verbose operation-privatekey       -- Display password and private key data-pin PIN                  -- Smart Card PIN-sid WELL_KNOWN_SID_TYPE  -- Numeric SID22 -- Local System23 -- Local Service24 -- Network ServiceHash algorithms: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

让我们看个例子，就装个 Go 吧（嘿嘿，最近在装系统，什么软件都没了），直接官方（https://golang.org/dl/）下载 Go 的安装程序，下载页面给出了 SHA256 Checksum。

{% gallery %} Go 下载页 {% endgallery %}

使用 Certutil 计算 go1.16.5.windows-amd64.msi 安装程序的校验和。

CertUtil -hashfile go1.16.5.windows-amd64.msi SHA256

{% gallery %} CertUtil 计算结果 {% endgallery %}

CertUtil 计算结果（322dd8c585f37b62c9e603c84747b97a7a65b56fcef56b64e3021ccad90785b2）和下载页提供的校验和（322dd8c585f37b62c9e603c84747b97a7a65b56fcef56b64e3021ccad90785b2）比对，emmm，没毛病，微微放心安装了。

文档：microsoft windows-commands certutil

Linux md5sum

md5sum 是大多数 Linux 系统都预装的校验 128 位 MD5 哈希值，用于检查文件完整性的校验和工具。

命令的一般形式如下，使用 md5sum --help 查看更多操作：

md5sum <file-path or files-path>

输出格式一般示例如下（校验和 + 文件名）

{% gallery %} md5sum 计算校验和 {% endgallery %}

部分软件下载时会拿到一个类似如下内容格式的 checksum 文件，姑且命名为 demo_hash.md5

f4e81ade7d6f9fb342541152d08e7a97  .profile
0f077c02d1303b89b9c5cb92e5d7d112  .bashrc

那么使用 md5sum 进行校验时可以这么操作，md5sum 会自动根据 demo_hash.md5 里面的文件逐个检查 md5：

$ md5sum -c demo_hash.md5 # 加个 `-c` 参数
.profile: OK
.bashrc: OK

文档：md5sum-invocation

GPG key 校验工具

GPG（GnuPG）是一个实现了 OpenPGP 标准的用于数据加密和数字签名的工具。

互联网上存在着部分软件/文件通过 GPG 密钥进行签名来证明其来源。GitHub 也有着一种使用 GPG 密钥来检验 Git Commit 来源可靠性的手段，如果可靠，会在前端页面 commit log 历史那里显示一个如下的小绿标：

{% gallery %} GitHub commit signature {% endgallery %}

btw，之前微微写过一篇文章 -> 给 GitHub commit 加个小绿标。

使用 GPG key 进行软件/文件校验的一般步骤如下：

step 1：获取软件/文件作者的公钥（public key），导入到 GPG key 管理器；
step 2：根据作者的 gpg key 指纹（fingerprint）验证公钥（public key）的可靠性；
step 3：根据软件/文件的签名文件（signature file，SIG）校验来源是否可靠。

Gpg4win

Gpg4win 是官方的 Windows GnuPG 发行版，全家桶软件，官网为 gpg4win.org。通过自带的 GUI 客户端 Kleopatra，我们可以很方便的完成文件的校验。直接官网下载安装即可 -> Download Page。

{% gallery %} Kleopatra {% endgallery %}

这里我们以 Windows 下 Python 3.9.6 的安装为例，看下使用 Kleopatra 进行校验的过程是怎么样的 ⌈以下操作下载的文件均在同一个目录下⌋。

先到官方下载页release/python-396下载 Windows Python 3.9.6 的安装文件和对应的 GPG 密钥签名文件（sig）：

{% gallery %} 安装文件和签名文件下载 {% endgallery %}

curl -sSlO https://www.python.org/ftp/python/3.9.6/python-3.9.6-amd64.exe
curl -O https://www.python.org/ftp/python/3.9.6/python-3.9.6-amd64.exe.asc

下载 installer & sig 文件

现在开始对着之前所的校验步骤操作一下。

Step 1：获取软件/文件作者的公钥（public key），导入到 GPG key 管理器；

从 https://www.python.org/downloads/ 页面大概四分之三的地方，我们可以看到之前下载的 Windows Banaries 的 release manager 是 Steve Dower，我们根据官网提供的链接获取公钥。

{% gallery %} 获取 Steve Dower 公钥

keybase 上的公钥 {% endgallery %}

下载公钥。

curl -O https://keybase.io/stevedower/pgp_keys.asc

使用 Kleopatra 导入下载好的公钥 pgp_keys.asc。

{% gallery %} 导入公钥 {% endgallery %}

Step 2：根据作者的 gpg key 指纹（fingerprint）验证公钥（public key）的可靠性；

{% gallery %} 验证指纹 {% endgallery %}

导入的公钥指纹与提供的指纹一致，一般就无问题了。

Step 3：根据软件/文件的签名文件（signature file，SIG）校验来源是否可靠。

使用之前下载好的 signature file（python-3.9.6-amd64.exe.asc）进行校验，如下：

{% gallery %} SIG 校验 {% endgallery %}

emmm，没问题。Good job！

GnuPG(GPG)

GnuPG 是之前提到的 Gpg4win 的后端，适合命令行选手。大部分 Linux 系统自带。下面我们在 WSL（Ubuntu-20.04）感受下。

这里我们以对 GnuPG（LTS） Tarball 的下载校验为例子。

mkdir gnupg_tarball
cd gnupg_tarball
# 下载 GnuPG（LTS） tarball
curl -O https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.29.tar.bz2
# 下载校验文件
curl -O https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.29.tar.bz2.sig

Step 1：保存公钥，导入公钥。在 https://www.gnupg.org/signature_key.html 拿到作者的 signature key，保存到 gnupg-2.2.29.asc。

{% folding open red, 保存公钥 %}

➜ cat>gnupg-2.2.29.asc<<EOF
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I
> Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg
> jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7
> KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u
> qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB
> 1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk
> aXN0IHNpZymJAVUEEwEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE
> 2GkhI8QGXepeDzq1JJs50k8l47YFAl4MxBkFCRShVzYACgkQJJs50k8l47YImQf9
> HaqHWor+aSmaEwQnaAN0zRa4kPbAWya182aJtsFzLZJf6BbS0aoiMhwtREN/DMvB
> jzxARKep/cELaM+mc7oDK4mEwqSX/u6BE8D7FaNA9sut8P+4xjpoLPU+UzILMg29
> t1remjyT9rs6sbu8BqufIxueArkjoi4WCOSRiVTdw+YDd88volPkXlPfS8hg9Rct
> wZ8kEEDywa+NrxiLx+kDgDNTNdk3PJdfcnesf8S1a+KLUTNRds5+xGTYz0JSQ9BZ
> 7Q9r4VQ/NL55muQZi5W7lVxdp3HxQFUNjHzzBfGtkpS4xqZpJvNjW50Wh5Vi5RYZ
> LZ3M1EuIHXHmRiY4dmqqcpkBDQRUUDsjAQgA5hBwN9F3OqKf+9mXCXUDK4lb5wMj
> dti96xG04gAn7wWo7On6c5ntriZQuRdR5GHcdw73XC6CFehHeo/eSVYiWqBNBAfE
> 9UzbkES+cY+4wDzqVacqhKxd70XmHQgyK7ppRG/MwkL1UyArCGGAKN6MV/2fzO6I
> GQw3jntRue3/2PGGnGaisNAKlvttHWZ91uy4KY5fBM19uQCgZdx4v8/rP0+yQqsW
> TwJUKvymx5GIfNaCJvgF+v+aPrwspxBMf9jpHXqDXnh4Lo8C/GsQMD6GClVfQjsv
> vzUHKH2eoL4oNfku+Ua5BuAHYi+uAuzqV9TdpF9PCpQMyPfuuZclMPLdMwARAQAB
> tDJOSUlCRSBZdXRha2EgKEdudVBHIFJlbGVhc2UgS2V5KSA8Z25paWJlQGZzaWou
> b3JnPokBPAQTAQgAJgIbAwULBwgJAwQVCAkKBRYCAwEAAh4BAheABQJYDxRZBQkL
> S5A2AAoJECBxsIozvT8GvG8IAMBIlGz9voYcSSXAdQOuvz2gM2kOjvMHzN6VlS9V
> P06IjnTz2DnejFZwLmxJw8e8mZjUo0jw22uo1HREQhDrne3S1IazPMeTUCUNzpWF
> MxXNc6SAyrw9apWa8gouGUWJv3HOwVs8EFA2E9UdtDJ2uG7MY/+eC5K/aeOAyudZ
> EbvS8rgZypTFrBtBcNKUWZhz7FRn63HxEmYLE3p6I19ZDXrc1WTazF2oz18zym6c
> uURr6waRbdSemUTshpLnKCBZXzJ82bXBgXNnfdmc3gtS24ZmM3ZfK/rYztEDkiTk
> s2R1gwDwf5RtDpaf5LD2ufESdbLuT+8blAlscbgYLBcwDquZAY0EWMu6rgEMAKcz
> vM1IhpUwBpxPCNdrlMZh7XeLqKUd7hUvQ1KHOuDONxCDnfXdxGCKKI0Ds5I7Kkyp
> Wzvcl7PplRy2fYZWwcGtL+Kj01y4L2lXB/xrrVaVwRr4S0FrcbseUGYRafBpR0C1
> Yo24CL1ef4ivsfbER2SyaZ3lrT9Ccv6xfvTluhU8X+2li1ssak/Frvy02u3EORLD
> LxaaLQgANgsjnIjv/JQZ4l3xFIJT98tEoL18btg5lGrS2w4yFU1aa1SNsbp7vcu7
> wsqcJmCzX98LyG8/IBGJ5JXmZ03yzWhZ3uhhy1+Avi4GV4Mi0ADwaGMp6O63Mc3w
> SL8A/DoCKJLISOc+D5xNfw6C8sYlaOSzQfqY9l4HW/+QbJmEFL2+bnjSHb8yaVU3
> ae2IIrlNkZ5Jamp12Kq6x9Vei0xGk3gd4sqhmHhECdxoJtkX9L5gt436QxdjiTcW
> q3V+NNfq94UJu2Ej2kN0fNT0t9RU2n0P/mS0L+1gw5Ex6BX7BIzGL0bZhYomQwAR
> AQABiQHOBB8BCAA4FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLwN0XDIABlKXJ
co7CV2> oDwv5co7CV2OH99yPPRitrECBwAACgkQvO9+KUsJLig2Cgv/T4rXEjHwlbsuTkzp
> tgK80Dh92URzBAhPhSJ0kUz2b6y7FgVYgZ95u8elGUS4lOB0GOQSK3y4sCgldTQF
> GQpMuvNMX6oNQTv1Z/H9H7Sc6AntozKRA6LQC+7DMxjPh2DEhVLYNqi7gMXtuH8o
> Xz5+quarw/xbVmuS4UNqcxakd4A/HW6PayRhuju4+oV2+UmGU0etzGVwKSN/UicC
> 3Re3mUy8SwJFQ9/3EAfiY0SGzSWH1z7bTRg9Ga2ctYDNzUpyQsgLxD6ZRHcONkOo
MEQ9> GUMEQ96BeSsjT4yW9ED70CcCbhg+pMxR+lnpk4BZ4WML/plBjEb8B1YaRvhYWKd3
> OSVB/JsS6J6Q/y9TTsAJDBLAfw9h7RQKibViuVFSNftAuSdktah5mDwFnL0ZMzVS
> 3tDVDa5PDqbHEhK55/5EWBg4eNbAukVZmmoLzzERGXuj+LOIRElG3/n3chy1uM73
> B6da3al4gDDNHifPsuozpkVN1EAROZx1K9hGGDZC3yFQTjsJtCRBbmRyZSBIZWlu
> ZWNrZSAoUmVsZWFzZSBTaWduaW5nIEtleSmJAdQEEwEIAD4WIQRbgMV1Qpjwy1XY
> 7Wq8734pSwkuKAUCWMu6rgIbAwUJEswDAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIX
> gAAKCRC8734pSwkuKEL9DACEIL5IS9wUty62Bnwd9wK2hmwihXNkTLsOOoi8aCdO
> ywPwcIucgAcIO+c/t0lbe4y4sJ1KrKbdyOUQiJAyxobLCSV/MkhIDAmsZB1ZIpF3
> nfmNekRdCVcMpqX8jAwoBS3Q9m2UJz1LeDCLFCvLF0nbyUnqHZP19UOvxmzAyZMA
> Ub3W5y1+GMo4yA+3xSFI8ZbjzhawixCCRs69/4p+zCXR4e7LBf6koAHllD/0ZULp
> SDjF+t2IkvRrMlM+e+Mxjklinr8v1FRGzmE/kCcdHaP88+iwC2wUKOZtFs4yIBLO
> SWdQk9tLPmR8uWgNZmatRJyNvOaxd6EbK3jfckbJGFkmXjH+M9vMqFpoAewZ359F
Us7AX> qjq+Us7AXLAMNUynom7IrtR5Rvsjx6RNtKQYUD6XY5rc7r9js9iGruHDAAW5lyRg
> j3wikc0IbV9L1bTsXIp29BsrU9sXUkVEp+xQJZgwqoOduoSjmOK88QdkibDqJiGF
> dzIRiXx+Nxv1Pr9L7A4/tq+YMwRfQ+WJFgkrBgEEAdpHDwEBB0DPvkeV6RzXomGF
> 8jQwp0RXEt2TGFwwI7RkbpYwECY2l7QfV2VybmVyIEtvY2ggKGRpc3Qgc2lnbmlu
> ZyAyMDIwKYiaBBMWCgBCFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoFAl9D7DUCGwMF
> CRKFxxEFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFKIl7gmQDraea4A
> /24v8c50HSC/Basf4WlREkuzhudplo8iT0BGtTQRdGAmAP9gIZ8dBekg9PRlpe7A
> l7ErThn6owVH9szWrUt6jkKOBg==
> =h7e4
> -----END PGP PUBLIC KEY BLOCK-----
>EOF

{% endfolding %}

接下来导入公钥到 gpg。

➜ cat gnupg-2.2.29.asc | gpg --import
gpg: key 249B39D24F25E3B6: public key "Werner Koch (dist sig)" imported
gpg: key 2071B08A33BD3F06: public key "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" imported
gpg: key BCEF7E294B092E28: public key "Andre Heinecke (Release Signing Key)" imported
gpg: key 528897B826403ADA: public key "Werner Koch (dist signing 2020)" imported
gpg: Total number processed: 4
gpg:               imported: 4

Step 2：查看导入的公钥的指纹是否与官网上公布的一致

➜ gpg --list-keys --keyid-format=long Werner Koch
pub   rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expires: 2021-12-31]D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
uid                 [ unknown] Werner Koch (dist sig)pub   ed25519/528897B826403ADA 2020-08-24 [SC] [expires: 2030-06-30]6DAA6E64A76D2840571B4902528897B826403ADA
uid                 [ unknown] Werner Koch (dist signing 2020)

如果一致的话，信任此公钥。

➜ gpg --edit-key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.pub  rsa2048/249B39D24F25E3B6created: 2011-01-12  expires: 2021-12-31  usage: SCtrust: unknown       validity: unknown
[ unknown] (1). Werner Koch (dist sig)gpg> signpub  rsa2048/249B39D24F25E3B6created: 2011-01-12  expires: 2021-12-31  usage: SCtrust: unknown       validity: unknownPrimary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6Werner Koch (dist sig)This key is due to expire on 2021-12-31.
Are you sure that you want to sign this key with your
key "yeshan333 <1329441308@qq.com>" (582AAB66132A3FDA)Really sign? (y/N) ygpg> save

这玩意还需要一个指纹 sign 公钥，可通过下面的命令快速操作

gpg --lsign-key "6DAA6E64A76D2840571B4902528897B826403ADA"

Signing a key tells your software that you trust the key that you have been provided with and that you have verified that it is associated with the person in question.

Step 3：使用 signature file 校验 Tarball

➜ gpg --verify gnupg-2.2.29.tar.bz2.sig
gpg: assuming signed data in 'gnupg-2.2.29.tar.bz2'
gpg: Signature made Sun Jul  4 22:54:50 2021 CST
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   0  trust: 2-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2021-12-31
gpg: Good signature from "Werner Koch (dist signing 2020)" [full]

emmm，问题不大。这里有一丢丢问号❓What is the exact meaning of this gpg output regarding trust?

{% folding, 微微提升下信任水平 %}

➜ gpg --edit-key 6DAA6E64A76D2840571B4902528897B826403ADA D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.pub  ed25519/528897B826403ADAcreated: 2020-08-24  expires: 2030-06-30  usage: SCtrust: undefined     validity: full
[  full  ] (1). Werner Koch (dist signing 2020)Invalid command  (try "help")gpg> trust
pub  ed25519/528897B826403ADAcreated: 2020-08-24  expires: 2030-06-30  usage: SCtrust: undefined     validity: full
[  full  ] (1). Werner Koch (dist signing 2020)Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)1 = I don't know or won't say2 = I do NOT trust3 = I trust marginally4 = I trust fully5 = I trust ultimatelym = back to the main menuYour decision? 4pub  ed25519/528897B826403ADAcreated: 2020-08-24  expires: 2030-06-30  usage: SCtrust: full          validity: full
[  full  ] (1). Werner Koch (dist signing 2020)
Please note that the shown key validity is not necessarily correct
unless you restart the program.gpg> save
Key not changed so no update needed.➜ gpg --edit-key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 1q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2021-12-31
pub  rsa2048/249B39D24F25E3B6created: 2011-01-12  expires: 2021-12-31  usage: SCtrust: undefined     validity: full
[  full  ] (1). Werner Koch (dist sig)gpg> trust
pub  rsa2048/249B39D24F25E3B6created: 2011-01-12  expires: 2021-12-31  usage: SCtrust: undefined     validity: full
[  full  ] (1). Werner Koch (dist sig)Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)1 = I don't know or won't say2 = I do NOT trust3 = I trust marginally4 = I trust fully5 = I trust ultimatelym = back to the main menuYour decision? 4pub  rsa2048/249B39D24F25E3B6created: 2011-01-12  expires: 2021-12-31  usage: SCtrust: full          validity: full
[  full  ] (1). Werner Koch (dist sig)
Please note that the shown key validity is not necessarily correct
unless you restart the program.gpg> save➜ gpg --verify gnupg-2.2.29.tar.bz2.sig
gpg: assuming signed data in 'gnupg-2.2.29.tar.bz2'
gpg: Signature made Sun Jul  4 22:54:50 2021 CST
gpg:                using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
gpg: next trustdb check due at 2021-12-31
gpg: Good signature from "Werner Koch (dist signing 2020)" [full]

{% endfolding %}

更多 GPG Key 校验工具查看 GnuPG 主页：https://www.gnupg.org/download/index.html