Thursday 27 December 2018

webserver - How do I check the checksum of a download and why should I?


My memory isn't great but I think five or six years ago, when I downloaded some package, there was never a checksum line under the download icon on the webpage. And no instructions to "check the checksum" to make sure your download is correct. Now these things are everywhere. I have two questions about them (whether MD5 or whatever).




  1. When did they start becoming so popular and why are they used? I mean, if I'm downloading a package from server X, then it is up to the server to make sure it is giving me the correct package (I think, anyway).




  2. How do you check the checksum? Usually I download the package and install it immediately. Maybe this is stupid.





Answer




When did they start becoming so popular and why are they used?



I can't tell you when, but they are used for at least two good reasons.


1. File integrity


When downloading a huge binary file, you can't make sure there is not a single bit error during transmission. This could be due to various reasons, from the server sending the file to your computer saving it on the drive. You can't assume that every transmission is error-free.


If you use this file to install something on your computer, it might propagate this single error up until the point where a program crashes for no obvious reason.


Another common scenario would be: You download an ISO file to burn it to a DVD and install Linux. During setup, the installer notices that there is a broken file on the disk. This could be due to a single bit error that occurred during the download.


2. Your own security


If you know the supposed checksum of a file, and you download another file that doesn't match this checksum, you either have a file with errors (see above), or somebody wants to trick you.


Imagine the download site of a famous software distributor being hijacked. Although this might not happen all too often, consider it a security concern.





How do you check the checksum?



Depends on the checksum method used. MD5 and SHA checksums can easily be checked on any *nix system using the md5 or sha1sum commands. On Windows there is a File Checksum Integrity Verifier.



Usually I download the package and install it immediately. Maybe this is stupid.



You can download and install it anyway. Normally, an installer should check whether the data contained is error-free and completed. You can try to remove single bytes from an executable installer using a Hex editor and see if it still completes. I hardly doubt so.


Summarizing, it's not necessary to verify checksums (I've never done it), but it doesn't hurt if you have the time.
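As an added example that is not part of the original answer: a POSIX shell function that looks up a downloaded file in a published checksum list and compares it with the locally computed digest, then shows a one-bit change being caught. The function name `verify_download`, the list name `SHA256SUMS`, the default tool `sha256sum` and the sample file are assumptions made for the illustration; `sha1sum` or `md5sum` can be passed as the third argument.

```shell
#!/bin/sh
# Added example. The checksum list is assumed to have one entry per line in the
# "<hex digest>  <file name>" layout that sha256sum, sha1sum and md5sum print.

# verify_download FILE SUMS [TOOL]
# Returns 0 on match, 1 on mismatch, 2 if FILE is unreadable or not listed in SUMS.
verify_download() {
    file=$1 sums=$2 tool=${3:-sha256sum}
    [ -r "$file" ] && [ -r "$sums" ] || return 2
    name=${file##*/}                      # the list stores bare file names
    # Find the entry for this name; drop the digest and the " " or "*" mode
    # marker so that file names containing spaces still compare correctly.
    expected=$(awk -v n="$name" '
        { d = $1; sub(/^[^ ]+ [ *]/, ""); if ($0 == n) { print tolower(d); exit } }
    ' "$sums")
    [ -n "$expected" ] || return 2
    # Hash from stdin: the file is streamed, and its name never reaches the tool.
    actual=$("$tool" < "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample "download" and the list a publisher would post beside it.
    printf 'AAAA' > "$dir/pkg.bin"
    ( cd "$dir" && sha256sum pkg.bin > SHA256SUMS )
    verify_download "$dir/pkg.bin" "$dir/SHA256SUMS" && echo "intact copy: OK"
    # Simulated transfer error: 'A' (0x41) and 'C' (0x43) differ in exactly one bit.
    printf 'AAAC' > "$dir/pkg.bin"
    verify_download "$dir/pkg.bin" "$dir/SHA256SUMS" || echo "altered copy: MISMATCH (rc=$?)"
    rm -rf "$dir"
}
demo
```

A match rules out transfer errors; it only rules out tampering if the checksum list was obtained from somewhere that a compromise of the download server could not also change.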

