MD5 CheckSum, SHA1 CheckSum, PGP Verification

April 14, 2009 at 6:35 am 1 comment

To confirm that a file downloaded from a site arrived complete, and to gain some assurance that nobody has modified its contents along the way, source providers publish MD5 checksums, SHA1 checksums and PGP signatures alongside their downloads. To explain how MD5 checksum, SHA1 checksum and PGP verification of a file work, I will walk through the steps using a copy of the OpenSSL source.

First, download the OpenSSL source
$ cd /tmp
$ wget

To get the MD5 checksum file
$ wget (MD5 checksum)

Execute the following commands to verify that the download matches the MD5 checksum
$ cat openssl-0.9.8k.tar.md5

$ md5sum openssl-0.9.8k.tar.gz
e555c6d58d276aec7fdc53363e338ab3  openssl-0.9.8k.tar.gz

Another way to check this is to edit "openssl-0.9.8k.tar.md5" so that it contains the following line
e555c6d58d276aec7fdc53363e338ab3  openssl-0.9.8k.tar.gz
(The checksum and the file name are separated by two spaces)

Now execute,
$ md5sum -c openssl-0.9.8k.tar.md5

To get the SHA1 checksum file
$ wget (SHA1 checksum)

Execute the following commands to verify that the download matches the SHA1 checksum
$ cat openssl-0.9.8k.tar.sha1
$ sha1sum openssl-0.9.8k.tar.gz
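The MD5 and SHA1 checks above can be scripted. The following is an added example (not part of the original post) that accepts a checksum file in either form seen here, a bare digest or the "DIGEST  FILENAME" line that md5sum -c expects, and reports a mismatch the way a tampered or truncated download would produce one. It assumes GNU coreutils md5sum/sha1sum and uses constructed files, not the real OpenSSL tarball.

```shell
#!/bin/sh
# Added example: verify a download against a checksum file that is either a bare
# digest or a "DIGEST  FILENAME" line. Assumes GNU coreutils md5sum/sha1sum.

# verify_checksum FILE CHECKSUM_FILE TOOL
#   TOOL is md5sum or sha1sum. Returns 0 if FILE's digest matches the first
#   digest in CHECKSUM_FILE, 1 on mismatch, 2 if the checksum file is unusable.
verify_checksum() {
    file=$1; sumfile=$2; tool=$3
    # The first whitespace-separated token is the digest in both layouts:
    # "e555c6..." alone, or "e555c6...  openssl-0.9.8k.tar.gz".
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    [ -n "$expected" ] || return 2
    actual=$("$tool" "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $sumfile"
        return 0
    fi
    echo "FAILED: $file: expected $expected, got $actual" >&2
    return 1
}

# Demo on constructed files; the last line printed is "md5_rc sha1_rc tampered_rc".
demo() {
    dir=$(mktemp -d)
    printf 'pretend tarball contents\n' > "$dir/pkg.tar.gz"
    # Bare-digest checksum file, the layout of the post's openssl-0.9.8k.tar.md5.
    md5sum "$dir/pkg.tar.gz" | awk '{print $1}' > "$dir/pkg.tar.md5"
    # "DIGEST  FILENAME" checksum file, the layout md5sum -c / sha1sum -c read.
    (cd "$dir" && sha1sum pkg.tar.gz > pkg.tar.sha1)
    verify_checksum "$dir/pkg.tar.gz" "$dir/pkg.tar.md5" md5sum && md5_rc=0 || md5_rc=$?
    verify_checksum "$dir/pkg.tar.gz" "$dir/pkg.tar.sha1" sha1sum && sha1_rc=0 || sha1_rc=$?
    # Simulate a tampered or corrupted download: one extra byte changes the digest.
    printf 'x' >> "$dir/pkg.tar.gz"
    verify_checksum "$dir/pkg.tar.gz" "$dir/pkg.tar.md5" md5sum && tampered_rc=0 || tampered_rc=$?
    rm -rf "$dir"
    echo "$md5_rc $sha1_rc $tampered_rc"
}
```

Running `demo` prints OK for both intact checks and FAILED for the modified file; the return codes let a build script stop before unpacking a download that does not match.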

To get the PGP signature file
$ wget (PGP)

Then go to the website and find the link from which you can download the PGP key. Save that key in a file called openssl.pgp and then execute

$ gpg --import openssl.pgp
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key F295C759: public key "Dr Stephen Henson <>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

$ gpg --verify openssl-0.9.8k.tar.gz.asc
gpg: Signature made Wed 25 Mar 2009 09:13:54 AM EDT using RSA key ID F295C759
gpg: Good signature from "Dr Stephen Henson <>"
gpg:                 aka "Dr S N Henson <>"
gpg:                 aka "Dr Stephen Henson <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D0 5D 8C 61 6E 27 E6 60  41 EC B1 B8 D5 7E E5 97

Check for the "Good signature" message. If the imported key has not been certified as trusted in your keyring, gpg prints the warning shown above; in that case compare the primary key fingerprint it reports against the fingerprint the project publishes before relying on the result.

It is always advisable to download the checksum and the source from two different sources, so that an attacker sitting between you and a single server cannot replace both consistently. For programs where authenticity matters, PGP signatures are the better choice: they show who signed the release, which tells the person installing the software something a bare checksum cannot.



1 Comment

  • 1. Savy  |  August 8, 2011 at 11:56 am

    There is a simple application "Checksums calculator", a GUI tool to calculate md5, sha1, sha256, sha384, sha512 which can run under Linux, Windows and Mac OS X operating systems on both 32 and 64bit architectures. For more info take a look here:
