I noticed that people tend to upload checksums even when the download is configured to use a secure connection. For example, GitHub redirects all traffic to HTTPS, but the SHA sums are nevertheless provided. https://github.com/prometheus/node_exporter/releases/tag/v0.18.1 Isn't this entirely superfluous?
2 Answers
Checksums can be used to verify that a file downloaded correctly, but they can also be used to verify that mirrors or third-party sites outside the author's control are hosting the correct and unmodified file. As such, it is used to verify that the file has not been tampered with.
Whether or not it is "superfluous" depends on what the use case is.
Mokubai
A checksum enables you to verify that a file is "intact". A file might not just become damaged by malicious modification but might also simply be "damaged" by faulty hardware, a short connection outage, a bit flip or security software that tampers with it. These are things that are not covered by SSL/TLS.
Seth
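As an added illustration of both answers (this is example code, not part of either post or of the node_exporter project), the Python below models the publisher writing a `sha256sums.txt` and a downloader checking what actually arrived, including the single flipped bit that TLS does nothing about. It assumes the `<digest>  <filename>` line layout that `sha256sum -c` reads; the release file name and its bytes are constructed stand-ins.

```python
import hashlib
import re

# Lines look like "<64 hex digits>  <filename>"; a leading '*' on the name marks
# binary mode in sha256sum output and is accepted here too.
SUMS_LINE = re.compile(r"^(?P<digest>[0-9a-f]{64})\s+\*?(?P<name>\S.*)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (a real client would stream the file)."""
    return hashlib.sha256(data).hexdigest()


def write_sums(files: dict) -> str:
    """Publisher side: emit the lines `sha256sum -c` expects."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


def parse_sums(text: str) -> dict:
    """Client side: map filename -> expected digest, skipping malformed lines."""
    expected = {}
    for line in text.splitlines():
        match = SUMS_LINE.match(line.strip())
        if match:
            expected[match.group("name")] = match.group("digest")
    return expected


def verify_download(name: str, data: bytes, sums_text: str) -> str:
    """Return 'OK', 'MISMATCH' or 'NO ENTRY', mirroring `sha256sum -c` verdicts."""
    expected = parse_sums(sums_text)
    if name not in expected:
        return "NO ENTRY"
    return "OK" if sha256_hex(data) == expected[name] else "MISMATCH"


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Simulate the single-bit corruption a checksum catches and TLS does not."""
    corrupted = bytearray(data)
    corrupted[byte_index] ^= 0x01
    return bytes(corrupted)


# Constructed release: the file name and bytes are stand-ins, not a real asset.
RELEASE_NAME = "node_exporter-0.18.1.linux-amd64.tar.gz"
RELEASE_FILES = {RELEASE_NAME: b"constructed tarball bytes, not a real archive\n"}
SUMS_TXT = write_sums(RELEASE_FILES)

if __name__ == "__main__":
    good = RELEASE_FILES[RELEASE_NAME]
    print(RELEASE_NAME, verify_download(RELEASE_NAME, good, SUMS_TXT))  # OK
    print(RELEASE_NAME, verify_download(RELEASE_NAME, flip_one_bit(good), SUMS_TXT))  # MISMATCH
```

Note that when the checksum file is served from the same HTTPS origin as the download, it only catches corruption and mirror tampering, not a compromised origin; that is the distinction the first answer draws.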