MD5 Signatures on Downloaded Software

By UncaAlby
I have a question for those who are "in the know" on these sorts of things. Maybe this is a stupid question. (I am *so* glad I log in under an alias!)

It's regarding the inclusion of an MD5 signature on the website with a download of Open Source software. Or even proprietary software, for that matter. Sometimes it's a PGP signature.

My question is -- WHY?

The instructions always say to be sure to check the MD5 signature against the download, to make sure you didn't get a hacked version. It is possible to spoof a website and provide a hacked download filled with viruses and other nasties. The MD5 or PGP signature is supposed to protect against that.

Ok --

But --

If a hacker is going to go through all the trouble to get a download, install a virus, then spoof the website -- wouldn't he also provide the correct MD5 signature for that hacked download?

So when I check the signature made against the hacked download, it's going to match, right? Meaning I *still* don't *really* know whether I got The Real Thing or a Viral Infestation.

Am I missing something here?

by sbrown95 In reply to MD5 Signatures on Downlo ...

Yes, you are correct on that one. It's still better to have some kind of security. You can't just give up on security because it can be circumvented. That's like not locking your car door because someone could just break the window. Of course it's easy, but it still helps. And MD5 hashing has helped against many virus infections. I wish more people would use it.

programmatically generate md5 hash in C++

by blacklight332 In reply to MD5 Signatures on Downlo ...

A lot of people use PHP for md5(), and when they use a C++ implementation it doesn't always return the same hash.

This implementation's hashes match that of PHP.

My thoughts

What happens is that the MD5 script allows you to do a hash checksum. From my notes:

"A 128-bit hash of a file using the MD5 algorithm is used to verify the integrity of files.

For example, some download sites list the MD5 checksum of a file so that after you download the file, you can run one of the tools listed below on the file and find the checksum of the file you received.

If the checksum does not match that published on the website, you can be sure that your download had been corrupted somewhere in transit."

Note that MD5 is an insecure hash function - you should not use it as a security measure. Use it only as a rough gauge to check things like unintentional file corruption either from downloading, or a failing disk media or something like that.

The reason it should not be used as a security measure is that it is possible for two different files to have the same MD5 checksum. But since it is unlikely that a file that is accidentally corrupted shares the same MD5 checksum as the original, it is a useful tool for a casual check of file integrity."

I hope that helps.
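
The check discussed in this thread, as an added example that is not part of any poster's reply: it parses an `md5sum`/`sha256sum`-style checksum listing, streams the download through the matching hash, and shows that a corrupted file fails while a replaced file accompanied by a regenerated checksum still passes. The file name, sample bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hex digest length -> hash algorithm, so one checker handles both listing styles.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}

def file_digest(path, algo, chunk_size=1 << 16):
    """Stream the file through the hash so large downloads need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse lines of the form '<hex digest>  <file name>' into {name: (algo, digest)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo and all(c in "0123456789abcdef" for c in digest):
            entries[name] = (algo, digest)
    return entries

def verify(path, manifest_text):
    """Return (matches, algorithm); raises KeyError if the file is not listed."""
    algo, expected = parse_manifest(manifest_text)[Path(path).name]
    return hmac.compare_digest(file_digest(path, algo), expected), algo

def demo():
    """Constructed sample data: clean file, corrupted file, swapped file plus listing."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "tool-1.0.tar.gz"
        path.write_bytes(b"original release bytes")
        manifest = f"{file_digest(path, 'md5')}  {path.name}\n"
        ok_clean = verify(path, manifest)[0]
        path.write_bytes(b"original release bytez")  # simulated transfer corruption
        ok_corrupt = verify(path, manifest)[0]
        # A listing regenerated from the replaced file matches it again.
        swapped = f"{file_digest(path, 'md5')}  {path.name}\n"
        ok_swapped = verify(path, swapped)[0]
    return ok_clean, ok_corrupt, ok_swapped  # (True, False, True)
```

The third result is the original poster's point: a checksum fetched from the same place as the file detects corruption, not substitution, which is why the listing has to come from a source the downloader trusts independently (for example a PGP-signed listing).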
