Title
Create new category
Edit page index title
Edit category
Edit link
Verifying MetaDefenderDriveToolkit's files Digital Signature
Overview:
When you receive files from OPSWAT, you need to be sure they are genuine and haven’t been tampered with. This guide shows you how to independently verify OPSWAT-delivered files using detached digital signatures on Linux, macOS, and Windows.
By following the steps below, you can:
Confirm that your files were really produced by OPSWAT
Detect any modification or corruption during transfer or storage
Integrate a repeatable, automated verification step into your own processes
Detached digital signatures provide a cryptographic way to validate both integrity (no changes) and authenticity (signed by a trusted OPSWAT key).
What You Need:
To verify OPSWAT files, you’ll need:
Original files For example: MetaDefenderDriveToolkit.zip
Detached signature files Base64-encoded signature files matching the originals, for example: MetaDefenderDriveToolkit.zip.dig.signed
OPSWAT certificate file A certificate file that contains the public key used for verification, for example: cert.crt (You can request this certificate file from OPSWAT.)
With these three components in the same folder, you can fully validate that the files you received are authentic and unaltered.
Prerequisites
The verification process uses OpenSSL and simple platform-native scripting. Below are the minimal requirements for each platform.
Linux
Bash shell
OpenSSL installed and available on your PATH
macOS
Bash shell (included by default)
OpenSSL (install via Homebrew if needed: brew install openssl)
Windows
PowerShell
OpenSSL installed, for example:
Via Chocolatey: choco install openssl
Or via Git for Windows / official OpenSSL packages
Once these are installed, you’re ready to use the reference scripts below.
Reference Implementations
Our ready-to-run scripts for Linux, macOS, and Windows make verification fast and effortless—so you always know your downloads are genuine and tamper-free. Each script automatically:
Extracts the public key from the OPSWAT certificate
Finds all detached signature files (*.dig.signed)
Matches them with their original files
Decodes and verifies each signature using OpenSSL (SHA‑256)
Prints a clear summary showing which files are valid (OK), failed (FAIL), or skipped (SKIP)
Choose your platform, run the script, and get instant, trustworthy results. These reference scripts make it effortless to confirm your OPSWAT-delivered files are authentic and untouched—no guesswork, just clear pass/fail output you can rely on.
Linux / macOS (Bash Script)
Windows (PowerShell Script)
Usage Instructions
Place the original files, signature files, and certificate in the same directory.
Save the script into validate.ps1 (Windows) or validate.sh (Linux/macOS), place it into the same directory as your files, then run the appropriate script for your platform. For example:
Windows: .\validate.ps1
Linux/macOS: Add permission for the script with chmod +x ./validate.sh, then run it with ./validate.sh
Note: if you want to change the file name of the certificate, you need to
Review the output for OK, FAIL, and SKIP messages.
OK: File is signed with OPSWAT certificate.
FAIL: Fail to verify with OPSWAT certificate.
SKIP: The original file not found.
For example, on Windows platform
The folder contains:
MetaDefenderDriveToolkit.zip
MetaDefenderDriveToolkit.zip.dig.signed
cert.crt
validate.ps1
Output explanation:
VERIFY: file=MetaDefenderDriveToolkit.zip sig=MetaDefenderDriveToolkit.zip.dig.signed Verify the MetaDefenderDriveToolkit.zip file with detached signature MetaDefenderDriveToolkit.zip.dig.signed
OK: MetaDefenderDriveToolkit.zip Verification is OK
Summary: verified=1 skipped=0 One file is verified
Troubleshooting & Security Considerations
Common failure causes:
Wrong certificate used for verification
Missing or mismatched original files
Corrupted or truncated signature files
Algorithm mismatch (ensure SHA-256 is used)
Best practices:
Treat the certificate as a trust anchor; validate its source.
Keep OpenSSL and your OS up to date.
Automate signature verification in your build or deployment process.
Never bypass verification failures.
Summary
This guide enables you to independently verify detached digital signatures on Linux, macOS, or Windows using OpenSSL and platform-appropriate scripting. This ensures your files are authentic and unaltered, regardless of your environment.