
Example use case:

  1. The user downloads a file (text, binary or zip) from a trusted website
  2. The downloaded file is handed to a program running on a Linux system
  3. The program running on Linux verifies that the file was downloaded from the trusted website
  4. If the file was downloaded from the trusted website, the program processes it; otherwise it reports an error

How do we validate if the file is downloaded from a trusted source?

I thought of generating some predefined text key, encoding it using the private key on the web side and adding it to the file; the program then reads the key from the file and verifies it using the public key. If the predefined text matches, the file is from a trusted source.

user2846469
User7723337

1 Answer


You need to use a checksum (hash) and verify it before launching the file.

  1. You need to have the checksum list beforehand. Sometimes the publisher has a key server. So download the SHA256SUMS and SHA256SUMS.gpg files into the same directory as the file.
  2. Use the command sha256sum -c SHA256SUMS 2>&1 | grep OK to check that the SHA256 sum is OK.
  3. If it is OK, you can execute/open your file without any doubt.

So in Java, according to this post, you can calculate SHA-256 using this code:

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.DigestInputStream;
import java.security.MessageDigest;

MessageDigest md = MessageDigest.getInstance("SHA-256");
try (InputStream is = Files.newInputStream(Paths.get("file.txt"));
     DigestInputStream dis = new DigestInputStream(is, md))
{
  /* Read decorated stream (dis) to EOF as normal; every byte read passes through md */
  byte[] buf = new byte[8192];
  while (dis.read(buf) != -1) { /* consume */ }
}
byte[] digest = md.digest(); // 32-byte SHA-256 of file.txt
Anonymous
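The check the answer describes (steps 1 to 3), written as a small Linux-side verifier, as an added example that is not code from the question or the answer. It parses a SHA256SUMS-style list, streams the downloaded file through SHA-256, and compares the digests in constant time; it refuses files that have no entry in the list instead of treating them as trusted. The list text and file names (hello.txt, binary.bin, other.txt) are constructed for the demo. Two points a practitioner should keep in mind: a matching hash only proves the file matches the list, so the list itself must first be authenticated by checking SHA256SUMS.gpg against the publisher's key (step 1 of the answer); and relying on an explicit result per file, rather than on any "OK" appearing in the output, avoids passing a list where some other entry happened to verify.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample SHA256SUMS content (file names are hypothetical, not from the page).
# `sha256sum` writes "<64 hex chars>" then "  " (text mode) or " *" (binary mode), then the name.
# 2cf2... is SHA-256 of b"hello"; 9f86... is SHA-256 of b"test".
SAMPLE_SUMS = """\
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  hello.txt
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 *binary.bin
"""

HEX_CHARS = set("0123456789abcdef")


def parse_sha256sums(text):
    """Return {filename: expected_hex_digest} from SHA256SUMS-style text; reject malformed lines."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        # Digest must be followed by the two-character separator and a non-empty name.
        if len(line) < 67 or line[64] != " " or line[65] not in (" ", "*"):
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry")
        digest_hex, name = line[:64].lower(), line[66:]
        if any(c not in HEX_CHARS for c in digest_hex):
            raise ValueError(f"SHA256SUMS line {lineno}: digest is not hex")
        expected[name] = digest_hex
    return expected


def sha256_of_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums_text):
    """True only if the file's SHA-256 equals the list entry for its basename."""
    name = os.path.basename(path)
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False  # no entry for this file: refuse rather than assume it is trusted
    actual = sha256_of_file(path)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual, expected)


def demo():
    """Create constructed files in a temp dir: one genuine, one tampered, one not in the list."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "hello.txt")
        with open(good, "wb") as f:
            f.write(b"hello")  # matches the hello.txt entry
        tampered = os.path.join(d, "binary.bin")
        with open(tampered, "wb") as f:
            f.write(b"test\n")  # one extra byte: must fail
        unlisted = os.path.join(d, "other.txt")
        with open(unlisted, "wb") as f:
            f.write(b"hello")  # correct content, but no list entry: must fail
        return (
            verify_download(good, SAMPLE_SUMS),
            verify_download(tampered, SAMPLE_SUMS),
            verify_download(unlisted, SAMPLE_SUMS),
        )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In a real deployment the SAMPLE_SUMS text would be read from the downloaded SHA256SUMS file only after its detached signature has been verified, and the program would process the payload only when verify_download returns True.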