download verification with md5?

Steffen Nurpmeso steffen at
Fri Jan 3 13:29:49 PST 2020

Edgar Pettijohn wrote in <20200103150805.EBA4B8E0537 at crater.dragonflybsd\
 |On Jan 3, 2020 8:21 AM, Justin Sherrill <justin at> wrote:
 |> On Fri, Jan 3, 2020 at 4:51 AM Michael Neumann <mneumann at> wrote:
 |>> Given that your private key stays secured this adds another layer of
 |>> security. Right now, even using SHA256 checksums would be no more secure
 |>> in case you download the checksum file (md5.txt or sha256.txt) from the
 |>> same mirror server as the file itself.
 |>> If you need help setting this up, please let me know.
 |> This is a good idea, and a very helpful writeup.  I'm low on time (as
 |> is everyone, always) but I'm not working this weekend - let me see how
 |> far I get.
 |Don't forget to post the public key and the hash of the key and sign \
 |the key and arrange delivery of the key by armed escort to everyone \
 |wishing to download it to ensure security.

The CRUX Linux distribution switched from MD5 hashs to signify.
Compared to GPG this is _very_ small and easy, and only meant for
exactly this purpose.  Mind you, i for one could live with
improved OpenSSL tools -- they have the theoretical capability to
cover TLS / S/MIME / file checksumming and more, even multiple of
the latter in batch.  Unfortunately that is not true in practice.
(And i won't be the one who implements it.)

Leah Neukirchen maintains up-to-date portable code on github, not
only of that.

Please let me, as a non-mathematician non-cryptographer, wonder
how unsafe MD5 for the purpose of file-checksumming really is.

 --End of <20200103150805.EBA4B8E0537 at>

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the Users mailing list