This topic contains 1 reply, has 2 voices, and was last updated by palhety 1 month ago.
- October 23, 2020 at 2:11 am #321557
This is more of a general computer security question, so this might be off topic, but I figure you nerds might know a thing or two about this.
- October 23, 2020 at 2:11 am #321558
It’s a good practice. If in Windows, 7-Zip allows you to easily generate common checksums by right-clicking the file.
- October 23, 2020 at 2:11 am #321559
If the source of the checksum is on the same web page you used to download the package, I doubt it has any merit. Whoever can mess with the download can mess with the checksum displayed.
What really helps is PGP signatures. If you once get an uncompromised key, in the future you will check downloads against this one key. Ideally the key would be signed by someone you already trust (see WOT: web of trust) but as far as I can tell this rarely happens.
- October 23, 2020 at 2:11 am #321560
Yes, people do compare and I think you should too. To verify, it depends on the algorithm used, but usually you can run the hash on the file you’ve downloaded and compare both values.
- October 23, 2020 at 2:11 am #321561
You can verify the checksum in the command prompt or the terminal. Very easy.
- October 23, 2020 at 2:11 am #321562
Yes, but there are also hash collisions, where you can edit the file, check the hash, and the hashes are the same even though the file was edited. And considering there are only x amount of hashes and basically 2^infinity ways you can edit a file, you can edit one, keep it within the normal file size, and arrive at the same hash; you just gotta find the correct changes to the file to make.