How to verify the integrity of a plugin package

Category:

User guides

Topic:

Installation and setup

We add a hash value processed on each plugin package file to add a way to check that the content is transferred OK and has not been damaged during the download process.

In addition if you did not obtain the Maps Marker Pro plugin package directly from https://www.mapsmarker.com you can verify that no files have been edited and e.g. malware has been added.

If you are unfamiliar with verifying file hashes, the easiest way to verify the integrity of the plugin package is to proceed as follows:

  1. Open https://www.virustotal.com/
  2. Upload the plugin package (leaflet-maps-marker-pro.zip) you want to verify:
    virustotal-step-1
  3. As next steps, a SHA-256-checksum gets generated and in addition the package also gets scanned for known viruses (useful if you retrieved the package from another source than https://www.mapsmarker.com):
  4. open the file with all SHA-256 hash values for all plugin packages and compare the hash value in that file with the hash value generated by virustotal. If the values are different, do not install the package and re-download the original package from https://www.mapsmarker.com/download-pro instead.

In order to add another security layer, we additionally signed the file with all SHA-256 hashes with our PGP-release-key (for the unlikely case that the hash file on www.mapsmarker.com got compromised). To verify the digital signature of the file, please proceed as follows:

  1. Download our PGP Public Key from https://www.mapsmarker.com/PGP-PUBLIC-KEY.asc and add the certificate to your keystore
  2. Download the signature file from https://www.mapsmarker.com/SHA256SUMS.txt.sig
  3. Use the signature file to verify the file with all hashes from https://www.mapsmarker.com/SHA256SUMS.txt

Please note that there are different tools available for executing that signature verification, for Windows I recommend the freeware tool http://www.gpg4win.org/ – a good overview of other plattforms and tools can be found at https://www.torproject.org/docs/verifying-signatures.html.en

Updated on 29 May 2022