I have a question for those who are “in the know” on these sorts of things. Maybe this is a stupid question. (I am *so* glad I log in under an alias!)
It’s regarding the inclusion of an MD5 signature on the website with a download of Open Source software. Or even proprietary software, for that matter. Sometimes it’s a PGP signature.
My question is — WHY?
The instructions always say to be sure to check the MD5 signature against the download, to make sure you didn’t get a hacked version. It is possible to spoof a website and provide a hacked download filled with viruses and other nasties. The MD5 or PGP signature is supposed to protect against that.
Ok —
But —
If a hacker is going to go through all the trouble to get a download, install a virus, then spoof the website — wouldn’t he also provide the correct MD5 signature for that hacked download?
So when I check the signature made against the hacked download, it’s going to match, right? Meaning I *still* don’t *really* know whether I got The Real Thing or a Viral Infestation.
Am I missing something here?
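The scenario in the question, worked through as an added example (not code from the original post): the MD5 published beside the file is replaced along with the file and the check passes, while a signature only verifies against the project's public key, which the user holds from an independent source that a spoofed site cannot overwrite. The sample "downloads" are constructed, and a toy Lamport one-time signature built from SHA-256 stands in for PGP (a real asymmetric scheme, but not something to use in production).

```python
import hashlib
import hmac
import secrets

# Constructed sample "download" and the replacement an attacker controlling the site would serve.
GENUINE = b"#!/bin/sh\necho 'genuine installer'\n"
TROJANED = b"#!/bin/sh\necho 'trojaned installer'\n"

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def md5_check_passes(download: bytes, published_md5: str) -> bool:
    """The check the download page asks for: recompute MD5, compare to the value on the page."""
    return hmac.compare_digest(md5_hex(download), published_md5)

# Toy Lamport one-time signature over SHA-256: a real asymmetric scheme, but a stand-in for PGP.
def lamport_keygen():
    priv = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pub = [[hashlib.sha256(s).digest() for s in pair] for pair in priv]
    return priv, pub

def _bits(message: bytes):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(priv, message: bytes) -> list:
    # Reveal one secret per message-hash bit; the secret for the other bit stays hidden.
    return [priv[i][b] for i, b in enumerate(_bits(message))]

def lamport_verify(pub, message: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(hashlib.sha256(s).digest(), pub[i][b])
               for i, (s, b) in enumerate(zip(sig, _bits(message))))

def demo() -> dict:
    # Scenario 1: the attacker replaces the file AND the MD5 printed beside it. The check passes.
    md5_fooled = md5_check_passes(TROJANED, md5_hex(TROJANED))
    # Scenario 2: the project signs the genuine file. The verifier holds the project's public key
    # from an independent source (fetched earlier, from a keyserver), which the spoofed site can't replace.
    priv, pub = lamport_keygen()
    genuine_sig = lamport_sign(priv, GENUINE)
    genuine_ok = lamport_verify(pub, GENUINE, genuine_sig)
    # Serving the trojan with the genuine signature, or with a signature from the attacker's own key, fails.
    reuse_rejected = not lamport_verify(pub, TROJANED, genuine_sig)
    evil_priv, _ = lamport_keygen()
    forged_rejected = not lamport_verify(pub, TROJANED, lamport_sign(evil_priv, TROJANED))
    return {"md5_fooled": md5_fooled, "genuine_ok": genuine_ok,
            "reuse_rejected": reuse_rejected, "forged_rejected": forged_rejected}
```

The MD5 still has value when the hash is obtained over a channel the attacker does not control (a mailing-list announcement, a second mirror); the signature's advantage is that the trust anchor is a key, not a value that sits next to the download.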