How to get your users to verify downloaded files every time

Give them just one command that does it all. Safeget downloads and verifies your file in a single step. It's free and open source.

 

How it Works

Publish a safeget command for your file. Here's an example of using Safeget for Bitcoin Core:

        safeget \
            https://bitcoin.org/bin/bitcoin-core-0.21.0/bitcoin-0.21.0-x86_64-linux-gnu.tar.gz \
            --pubkey https://raw.githubusercontent.com/bitcoin-core/bitcoincore.org/master/keys/laanwj-releases.asc \
            --signedhash SHA256:https://denova.com/open/safeget/hashes/bitcoin-core-0.21.0/SHA256SUMS.asc

Include as many checks as you like. The more checks you specify, the safer your users are.

Safeget will:

  1. Download the file
  2. Download public keys
  3. Import public keys
  4. Download signed messages with hashes
  5. Verify signed messages
  6. Verify file hashes

Most people skip everything after "Download the file". Safeget never does.
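Steps 3, 5 and 6 written out by hand, as an added example that is not Safeget's own code. It assumes `gpg` is on the PATH and that the hash list is a clearsigned SHA256SUMS-style file; all function names are hypothetical.

```python
import hashlib
import hmac
import subprocess
import tempfile


def signed_payload(clearsigned_path, pubkey_path):
    """Steps 3 and 5: import the key into a throwaway keyring, check the
    signature, and return only the text that the signature covers."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--homedir", home, "--batch", "--quiet"]
        subprocess.run(gpg + ["--import", pubkey_path], check=True)
        # For a clearsigned file, --decrypt prints the signed text and exits
        # non-zero when the signature does not verify (check=True raises).
        done = subprocess.run(gpg + ["--decrypt", clearsigned_path],
                              check=True, capture_output=True)
    return done.stdout.decode("utf-8")


def expected_sha256(sums_text, filename):
    """Look up filename in SHA256SUMS-style text ('<hex digest>  <name>')."""
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if name == filename and len(digest) == 64:
            return digest
    return None


def file_sha256(path):
    """Hash the downloaded file in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, filename, sums_text):
    """Step 6: True only if filename is listed and its digest matches."""
    want = expected_sha256(sums_text, filename)
    # A file missing from the signed list is a failure, never a pass.
    return want is not None and hmac.compare_digest(want, file_sha256(path))
```

Pass the output of `signed_payload` to `verify_file` rather than parsing the `.asc` file directly: lines placed outside the signed block of a clearsigned file are not covered by the signature.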

Requirements

Safeget requires python3. You can run it on Windows, Linux, or Mac OS X.

Install

If your operating system offers a safeget package, install it.

But safeget isn't in many package managers yet. Get it from PyPI with:

    pip3 install safeget

Or download the safeget-installer and run it:

    python3 safeget-installer

Windows users: If you do not have GPG installed on your Windows computer, you'll need to run Safeget as an administrator the first time so that Safeget can install GPG on your system. To open a command prompt as an administrator, search for "command prompt". An area near the search box appears with an option to "Execute as administrator". Select that option, and then you can issue any Safeget command.

With Safeget, users get your files, not malware

Most people don't verify. Maybe they don't quite understand how or why. Even security pros sometimes skip it.

Instead of telling your users to follow a long and complex procedure they'll often skip, download and verify with Safeget.

It doesn't matter if they don't know what a pgp/gpg sig or hash is. With Safeget, users verify files.

Legal

Copyright 2019-2021 DeNova. Safeget is open source, licensed under GPLv3.