
Topic: MD5 checksum for programs (Read 759 times)

newbie
Activity: 30
Merit: 0
June 24, 2011, 05:24:20 PM
#5
The sha1 and md5 checksums for the packages are here:

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.23/

They are signed with Jeff Garzik's PGP signature.

As a reservation I have to say while Jeff is contributing
to the Linux kernel and has signed code there,
*this* signature is not within the "strong set" of
the GnuPG web of trust (which you can look up here:
http://pgp.cs.uu.nl/ ).

That means it just could be another guy who
happens to have that mail address ;-)
newbie
Activity: 30
Merit: 0
June 24, 2011, 08:30:13 AM
#4
I think it is a good ideal.

Not ideal but one of the most basic of things.

Quote
I would use it to check if the file was not corrupted during download. This would not mean that a file is not a virus.

If a hacker was good enough to replace a file on a site, they would also replace the md5 (or whatever hash that was used) with the hash of the virus.

Those hackers are clever like that.


That's why in the Debian project and all Linux distributions, software downloads are digitally signed and there exists a web of trust of GnuPG keys just for these signatures. I haven't seen the git source code archive, but releases should be signed as well, git is built exactly for that.

I've seen that people put bitcoin software on their own website for download without possibility for verification. It is a facepalm thing to install that. If you ever do that, it may well be that you don't own either your wallet or your PC anymore, even if it seems to behave like a bitcoin client.
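The point made in the two posts above, as an added example that is not part of the original thread: a checksum fetched from the same server as the file catches corruption but not replacement, while a checksum list obtained over an authenticated channel (for instance after its PGP signature has been verified) catches both. The file name, byte strings and function names are constructed for illustration.

```python
import hashlib
import hmac

NAME = "release.tar.gz"  # hypothetical file name
GENUINE = b"constructed stand-in for the genuine release archive"
TAMPERED = b"constructed stand-in for a replaced archive"

def parse_manifest(text):
    """Parse sha1sum/md5sum-style lines: '<hex digest>  <file name>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # A leading '*' on the name marks binary mode in these tools.
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify(data, name, manifest_text):
    """True only if `name` is listed and its digest matches `data`."""
    expected = parse_manifest(manifest_text).get(name)
    algo = {32: "md5", 40: "sha1"}.get(len(expected or ""))
    if algo is None:
        return False  # not listed, or not an MD5/SHA-1 length digest
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)

def manifest_for(data, name):
    """Build one sha1sum-style line for the constructed sample data."""
    return f"{hashlib.sha1(data).hexdigest()}  {name}\n"

def scenario():
    # Assumption: `trusted` reached the user over an authenticated channel.
    trusted = manifest_for(GENUINE, NAME)
    # Whoever replaced the file on the server also rewrote the checksum.
    same_server = manifest_for(TAMPERED, NAME)
    return {
        "genuine_vs_trusted": verify(GENUINE, NAME, trusted),
        "corrupted_vs_trusted": verify(GENUINE[:-1], NAME, trusted),
        "tampered_vs_same_server": verify(TAMPERED, NAME, same_server),
        "tampered_vs_trusted": verify(TAMPERED, NAME, trusted),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

The checksum step here assumes the manifest is already trusted; establishing that trust is the job of the signature check, which this sketch does not perform.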
newbie
Activity: 56
Merit: 0
June 24, 2011, 04:36:25 AM
#3
I think it is a good ideal.

I would use it to check if the file was not corrupted during download. This would not mean that a file is not a virus.

If a hacker was good enough to replace a file on a site, they would also replace the md5 (or whatever hash that was used) with the hash of the virus.

Those hackers are clever like that.
newbie
Activity: 6
Merit: 0
June 23, 2011, 11:23:23 PM
#2
Yeah, that's a very good idea and should be more widely adopted. It'd be easy hax to replace some popular miner executables (for instance) with miners that also steal wallet.dats.
full member
Activity: 161
Merit: 100
June 22, 2011, 05:59:27 AM
#1
Please, please add MD5 checksums for important files like bitcoin and guiminer. What if someone hacks some server and replaces the (compiled) file with viruses or some different code?