2

I thought the point of distributing md5 checksums was so the end user could verify the integrity of the download.

If a high traffic site points me to a mirror site for download, why would I want to verify my download against a checksum that is provided on the mirror?

If someone were going to tamper with binaries on the mirror site, couldn't they also tamper with the checksums? Shouldn't the authoritative site give me the checksum before I download from a mirror so I can check against the main source?

4 Answers

4

You are right in your expectation.
Check this example at Apache.

And this Ubuntu md5sum reference.

In terms of security, cryptographic hashes such as MD5 allow for authentication of data obtained from insecure mirrors.
The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust.

nik
  • 57,042
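The distinction drawn in this answer, as an added example that is not part of the original answers: a checksum list served by the mirror only confirms the copy matches the mirror, while a list from the authoritative source exposes a modified file. The file name, contents and both manifests are constructed, and the trusted manifest is assumed to have been fetched over HTTPS or signature-checked beforehand.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse md5sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' prefix marks binary mode
        if name:
            entries[name] = digest.lower()
    return entries

def file_digest(path, algo="md5"):
    """Hash the file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, manifest_text, algo="md5"):
    """True only if the manifest lists this file name and the digests match."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # an unlisted file is a failure, never a pass
    return file_digest(path, algo) == expected

def demo():
    """Constructed scenario: the mirror serves a modified file plus a matching checksum."""
    name = "pkg-1.0.tar.gz"                     # hypothetical file name
    original = b"release-1.0 contents\n"        # what the project published
    tampered = b"release-1.0 contents + extra\n"  # what the mirror serves
    trusted_manifest = f"{hashlib.md5(original).hexdigest()}  {name}\n"
    mirror_manifest = f"{hashlib.md5(tampered).hexdigest()} *{name}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(tampered)
        # (result against the mirror's own list, result against the trusted list)
        return verify(path, mirror_manifest), verify(path, trusted_manifest)

if __name__ == "__main__":
    print(demo())
```

The check against the mirror's own list passes and the check against the authoritative list fails, which is the only result that reveals the modification.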
1

Well, it would at least give you confidence that your copy is exactly the same as on the mirror.

You are right that such information is kind of useless if the main source does not provide such a checksum.

akira
  • 63,447
1

Usually, ethical mirrors don't want to be interpreted as "spoof" ones. They want to be mirrors because of visibility among other advantages.

They show checksums as the authoritative source does to give them some sort of credibility: "hey, we recommend you to check your checksums as the official website says!".

I believe this is the mirror's POV. As a user, I usually check with both sources.

GmonC
  • 2,402
1

Well, you can check if the download completed successfully - checksums aren't just a defense against malicious tampering - they also help verify if a file was completely and correctly downloaded.

Journeyman Geek
  • 133,878