MD5 CheckSum, SHA1 CheckSum, PGP Verification
In order to ensure that the files that are downloaded from a site has been saved in its entirety and to give the added security that no intruders have modified the content of the files, various techniques have been used source providers like MD5 checksum, SHA1 checksum, PGP verification. To explain how MD5 checksum, SHA1 checksum or PGP verification of the files happen, I will go ahead by explaining the steps by using a copy of openSSL program.
First, download openSSL source
$ cd /tmp
$ wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz
To get MD5 checksum file
$ wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz.md5 (MD5 checksum)
Execute the following commands to verify if the download matches the MD5 checksum
$ cat openssl-0.9.8k.tar.md5
$ md5sum openssl-0.9.8k.tar.gz
Another way to check this is to edit “openssl-0.9.8k.tar.md5″ and have the entries as follows
(Separation between the checksum and program name is 2 spaces)
$ md5sum -c openssl-0.9.8k.tar.md5
To get SHA1 checksum file
$ wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz.sha1 (SHA15 checksum)
Execute the following commands to verify if the download matches the SHA1 checksum
$ cat openssl-0.9.8k.tar.sha1
$ sha1sum openssl-0.9.8k.tar.gz
To get PGP checksum file
$ wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz.asc (PGP)
Then go to openssl.org website and check for the link from where you could download the PGP key. Create a file called openssl.pgp from that key and then execute
$ gpg –import openssl.pgp
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key F295C759: public key “Dr Stephen Henson <firstname.lastname@example.org>” imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
$ gpg –verify openssl-0.9.8k.tar.gz.asc
gpg: Signature made Wed 25 Mar 2009 09:13:54 AM EDT using RSA key ID F295C759
gpg: Good signature from “Dr Stephen Henson <email@example.com>”
gpg: aka “Dr S N Henson <firstname.lastname@example.org>”
gpg: aka “Dr Stephen Henson <email@example.com>”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D0 5D 8C 61 6E 27 E6 60 41 EC B1 B8 D5 7E E5 97
Check for the message indicating that the signature is good. For self-signed certificates there may be warning messages.
It is always advisable to download the checksum and the source from two different sources in order to avoid a hacker in the middle. For programs which require authenticity, it is always ideal to go with pgp signatures as it shows who owns the signature adding to the awareness of the person who installs the software.