3

My memory isn't great but I think five or six years ago, when I downloaded some package, there was never a checksum line under the download icon on the webpage. And no instructions to "check the checksum" to make sure your download is correct. Now these things are everywhere. I have two questions about them (whether MD5 or whatever).

  1. When did they start becoming so popular and why are they used? I mean, if I'm downloading a package from server X, then it is up to the server to make sure it is giving me the correct package (I think, anyway).

  2. How do you check the checksum? Usually I download the package and install it immediately. Maybe this is stupid.

slhck
  • 235,242
P_Q
  • 1,135

4 Answers

5

When did they start becoming so popular and why are they used?

I can't tell you when, but they are used for at least two good reasons.

1. File integrity

When downloading a huge binary file, you can't make sure there is not a single bit error during transmission. This could be due to various reasons, from the server sending the file to your computer saving it on the drive. You can't assume that every transmission is error-free.

If you use this file to install something on your computer, it might propagate this single error up until the point where a program crashes for no obvious reason.

Another common scenario would be: You download an ISO file to burn it to a DVD and install Linux. During setup, the installer notices that there is a broken file on the disk. This could be due to a single bit error that occurred during the download.

2. Your own security

If you know the supposed checksum of a file, and you download another file that doesn't match this checksum, you either have a file with errors (see above), or somebody wants to trick you.

Imagine the download site of a famous software distributor being hijacked. Although this might not happen all too often, consider it a security concern.


How do you check the checksum?

Depends on the checksum method used. MD5 and SHA checksums can easily be checked on any *nix system using the md5 or sha1sum commands. On Windows there is a File Checksum Integrity Verifier.

Usually I download the package and install it immediately. Maybe this is stupid.

You can download and install it anyway. Normally, an installer should check whether the data contained is error-free and complete. You can try to remove single bytes from an executable installer using a Hex editor and see if it still completes. I hardly doubt so.

Summarizing, it's not necessary to verify checksums (I've never done it), but it doesn't hurt if you have the time.

slhck
  • 235,242
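The answer above says to use md5sum / sha1sum style commands but does not show the comparison step. The script below is an added example (not part of the original answer) that does the full check with SHA-256: compute the digest of the downloaded file, compare it with the value the publisher lists, and refuse on a mismatch. The file name, the temporary directory and the "download" content are constructed for the demonstration; `sha256_of`, `verify_checksum` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a published SHA-256 value.
# Everything below (file names, contents, hashes) is constructed for the demo.

# Print the SHA-256 digest of $1, using whichever tool the system has
# (sha256sum on GNU/Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 when the digest matches (hex case is ignored), 1 otherwise.
# A mismatch means either a corrupted transfer or a file that is not the one
# the publisher listed; in both cases the right move is to not install it.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Demonstration with a constructed "download" whose SHA-256 is known
# (the digest of the six bytes "hello\n").
demo() {
    tmp=$(mktemp -d)
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    printf 'hello\n' > "$tmp/package.tar.gz"
    verify_checksum "$tmp/package.tar.gz" "$good"            # intact copy -> OK
    # Simulate a single corrupted byte in transit (the "bit error" case above):
    printf 'hellp\n' > "$tmp/package.tar.gz"
    verify_checksum "$tmp/package.tar.gz" "$good" || true    # -> MISMATCH
    rm -rf "$tmp"
}

demo
```

When a site publishes a SHA256SUMS file next to the download, `sha256sum -c SHA256SUMS` performs the same comparison for every file listed in it. Note that this check only tells you the file equals what the publisher listed: if the checksum itself is served from the same compromised page as the file, an attacker can replace both, which is why projects that care about this also sign the checksum file.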
2

One of the major use cases is in distributing software. For example, some of the popular software such as the ones by Apache Software Foundation are distributed using mirror sites. There will be multiple mirror sites to download the software. In such cases, the checksum/hash provided on the original apache site can be used to verify that the downloaded software is indeed the same. Mirror sites can be created by any person and not necessarily by the original creator. The checksum is a good way of verifying the downloads from third-party sites in such cases.

karthik
  • 121
1

It's an additional layer of security to ensure that the download is intact and also that the download link or source hasn't been hijacked in some way so you are downloading a copy of the app that's been modified by, for example, having a virus payload inserted.

A Web search for 'Windows md5' will turn up tons of free MD5 checkers. Whether you check the MD5 sum is up to you.

Linker3000
  • 28,240
1

A checksum is a fixed-length value computed from all of the bits in a file, or any given input. The value of the checksum will change dramatically with only a minor change in the source, which makes checksums ideal for checking file integrity. If your computed checksum on a downloaded file matches the checksum given on the page, you can be sure that your downloaded file is intact and not corrupt.

Under Windows, you can easily check MD5 sums using MD5Summer. Generally speaking, I don't bother checking the checksums unless the file I am downloading is of extreme importance.

BogStandard
  • 1,944