Is it really necessary to check downloaded file certificate/key

I wonder, because usually it is a lot of pain and this is not always possible.
I mean, if my threat level is normal (I am not a journalist or living in China), then should I bother to waste time on that? What is the possibility somebody changes the file on the server? Is it easy to do, very hard to do?
Ok, when you have a page/program where there are simple instructions which actually work, but usually something doesn't work, you need to go to forums, waste half a day to find a solution, which is not 100% satisfactory, since the key is not trusted anyway or there are other problems.

If you used HTTPS I don't think that's necessary

There are at least two things to consider:

Data in transit

An attacker can (in theory) modify any unauthenticated or cleartext network traffic between your device and the web server. To avoid this, use authenticated and encrypted protocols like HTTPS (with TLS 1.2 or 1.3). HTTPS ensures that nobody can modify network traffic.

However, most “bad guys” also migrated to HTTPS since more and more web browsers enforce HTTPS or mark HTTP as insecure. Years ago, security people told you to look for the green lock icon in your web browser’s address bar and HTTPS when connecting to your bank. Nowadays, phishing websites come with HTTPS, too. So the sheer presence of HTTPS means that the network traffic is encrypted, but it doesn’t necessarily mean that you connect to the right domain. Here, you should ensure that you enter the correct domain when navigating to websites where you enter any credentials.

Data at rest

An attacker can (again in theory) replace files on the web server before they are transmitted to your device (example). HTTPS doesn’t help in this situation. In this situation, digital signatures are useful.

Digital signatures (authenticity + integrity)

This means the provider of these files has a private signing key, signs each file, and provides the corresponding public key + the digital signatures. If the attacker modifies a file, the signature check fails. If the attacker modifies a file and the signature, you see that somebody else signed the file. However, the attacker could still steal the private signing key and sign the replaced files. In this case, everything looks legitimate on your side. This is really hard to detect.

File hashes (integrity only)

Besides, some websites provide hashes of files, e.g., “ff68e87c516d112f2211ea827f5d319650e1618f.” If the attacker can only replace files but can’t change the hashes, then hashes roughly offer the same security as digital signatures (you can see that the file was replaced). However, if the attacker can also change the hash, this approach is less secure than digital signatures.


You should at least ensure that you download files from trustworthy websites only and that HTTPS is used to transmit them.
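An added example in Python (not from the answer above) that makes the hash-vs-signature point concrete: it parses a checksum list in the format `sha256sum` prints, verifies a downloaded file against it, and shows that a replaced file is caught, while a replaced file together with a replaced checksum list is not. The file contents, file name and checksum list are constructed here for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed sample data: the file the site meant to publish, and a tampered copy.
GOOD_FILE = b"#!/bin/sh\necho 'installer v1.0'\n"
TAMPERED_FILE = GOOD_FILE + b"# extra bytes inserted after the file was replaced\n"
FILE_NAME = "installer.sh"

# One line per file, as sha256sum prints it: "<64 hex>  <name>" or "<64 hex> *<name>".
SUMS_LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Map file name -> expected hex digest from a SHA256SUMS-style text."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SUMS_LINE_RE.match(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def verify_download(name: str, data: bytes, sums_text: str) -> bool:
    """True only if the file's digest matches the published one for that name."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        raise KeyError(f"no published hash for {name}")
    # Constant-time comparison; harmless here, but the habit costs nothing.
    return hmac.compare_digest(sha256_hex(data), expected)


# Checksum list as the site originally published it (constructed).
PUBLISHED_SUMS = f"{sha256_hex(GOOD_FILE)}  {FILE_NAME}\n"
# Checksum list after an attacker who controls the server rewrote it too (constructed).
FORGED_SUMS = f"{sha256_hex(TAMPERED_FILE)}  {FILE_NAME}\n"

if __name__ == "__main__":
    print("genuine file, published sums :", verify_download(FILE_NAME, GOOD_FILE, PUBLISHED_SUMS))
    print("replaced file, published sums:", verify_download(FILE_NAME, TAMPERED_FILE, PUBLISHED_SUMS))
    print("replaced file + replaced sums:", verify_download(FILE_NAME, TAMPERED_FILE, FORGED_SUMS))
```

The third case is the one the answer warns about: a hash served from the same server as the file only helps when the attacker cannot change both, which is why a signature from a key you obtained elsewhere adds authenticity that a bare hash cannot.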

Normies probably need not check.

People at risk (journalists, activists, defectors, spies, etc.) should always as part of their routine.

Sysadmins and IT people must, because that should be part of their job.

Hashes are easy to check (via 7zip on Windows, Dolphin file properties in KDE…) and I would advise everyone to do that, if a hash is available. A few years ago, a Mint Linux .iso was compromised (infected with malware), I think the same case was with some Handbrake binaries also.

Sometimes, I first run the binary and check the hash after :d I still don't check signatures, but I think I'll start that soon. Better safe than sorry.