Do people actually compare checksums and/or signatures when they download stuff? Is it really necessary? If so, how do you verify these things? – Digitalmunition




Home Forums Do people actually compare checksums and/or signatures when they download stuff? Is it really necessary? If so, how do you verify these things?

This topic contains 1 reply, has 2 voices, and was last updated by  palhety 1 month ago.

  • Author
    Posts
  • #321557

    anonymous
    Participant

    This is more of a general computer security question, so this might be off topic, but I figure you nerds might know a thing or two about this.

  • #321558

    palhety

    It’s a good practice. If in windows, 7-zip allows you to easily generate common checksums by right clicking the file.

  • #321559

    nibbl0r

    If the source of the checksum is on the same web page you used to download the package, I doubt it has any merit. Whoever can mess with the download, can mess with the checksum displayed.

    What really helps is PGP signatures. If you once get an uncompromised key, in the future you will check downloads against this one key. Ideally the key would be signed by someone you already trust (see WOT: web of trust) but as far as I can tell this rarely happens.

  • #321560

    xSudEx

    Yes, people do compare and I think you should too. To verify, it depends on the algorithm used, but usually you can run the hash on the file you’ve downloaded and compare both values.

  • #321561

    cyb3r_dan

    You can verify the checksum in the command prompt or the terminal. Very easy

  • #321562

    [deleted]

    Yes but also there are hash collision where you can edit the file check the hash and the hashes are the same even tho the file was edited.. And considering there are only x amount of hashes and basically 2^infinty ways you can edit a file you can edit one keep it within the normal filesize and arrive at the same hash you just gotta find the correct changes to the file to make.

You must be logged in to reply to this topic.