Thursday, January 05, 2012

MD5 Checksum and Cryptographic Signature Checks on Code

I just wanted to post a generally good idea on downloading code. I recently downloaded some code from an Apache mirror site which I checked against its MD5 checksum and it failed. At first I thought that the file was corrupt and re-downloaded it. Again it failed the MD5 check, so I checked its cryptographic (GPG) signature and it failed.

I downloaded the code from another mirror and everything worked correctly. I notified the mirror site of the inconsistency, and carried on. However, I often wonder how much we shortcut our work, and fail to check that vital information.

Here is a gentle reminder. If the code ships with an MD5 checksum, a SHA checksum, and a cryptographic signature, please take the extra five minutes to check all three. The checksums are a cheap way to catch a corrupt or altered download, but only the signature tells you the file is the one the project actually released, and only if you verify it against the project's public keys (the KEYS file) fetched from the project's own site rather than from the mirror: a mirror that can serve a tampered file can just as easily serve matching tampered .md5 and .sha files next to it.
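The three checks above as a POSIX shell script, added here as an example; it is not code from the original post or from Apache. It assumes the usual Apache download layout (the artifact plus .md5/.sha/.sha1/.sha256/.sha512 digest files and a detached .asc signature) and a KEYS file obtained from the project's own site. The demo function reproduces the scenario in the post with constructed file contents, not a real download, and the digest file it parses is laid out the way md5sum/sha512sum print it or the way gpg --print-md prints it.

```shell
#!/bin/sh
# Added example (not from the original post). Verify a downloaded artifact
# against its published digest files and its detached GPG signature.

# Print the lower-case hex digest of file $2 using algorithm $1.
# Tries the coreutils tool first, then the BSD/macOS equivalent.
digest() {
    alg=$1; f=$2
    case "$alg" in
        md5)      tool=md5sum;    alt="md5 -q" ;;
        sha|sha1) tool=sha1sum;   alt="shasum -a 1" ;;
        sha256)   tool=sha256sum; alt="shasum -a 256" ;;
        sha512)   tool=sha512sum; alt="shasum -a 512" ;;
        *) echo "digest: unknown algorithm '$alg'" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        out=$($tool "$f")
    else
        out=$($alt "$f")
    fi || return 1
    # Both families print "<hex> <file>" except "md5 -q", which prints only the hex.
    printf '%s\n' "$out" | awk '{print tolower($1)}'
}

# Extract the published digest from a digest file. Handles "<hex>  <file>"
# (md5sum/sha512sum style) and the older "<file>: AAAA BBBB ..." layout that
# gpg --print-md produces, which wraps the groups across several lines.
expected_digest() {
    first=$(awk 'NR==1{print $1}' "$1")
    case "$first" in
        *:) sed '1s/^[^:]*://' "$1" | tr -d ' \n\t' | tr 'A-F' 'a-f' ;;
        *)  printf '%s\n' "$first" | tr 'A-F' 'a-f' ;;
    esac
}

# Compare the computed digest of $2 (algorithm $1) with the one published in $3.
# Returns 0 on match, 1 on mismatch. No need for constant-time comparison: the
# digest is public information.
verify_checksum() {
    alg=$1; f=$2; pub=$3
    got=$(digest "$alg" "$f") || return 2
    want=$(expected_digest "$pub")
    if [ "$got" = "$want" ]; then
        echo "OK   $alg $f"; return 0
    fi
    echo "FAIL $alg $f (computed $got, published $want)" >&2
    return 1
}

# Verify detached signature $2 over $1 using the keys in KEYS file $3.
# Imports into a throwaway GnuPG home so mirror-served keys never land in
# the default keyring. gpg exits 0 on a good signature even for an
# uncertified key, so trust warnings are expected; a bad signature is non-zero.
verify_signature() {
    f=$1; sig=$2; keys=$3
    tmp=$(mktemp -d) || return 2
    gpg --homedir "$tmp" --batch --import "$keys" >/dev/null 2>&1
    if gpg --homedir "$tmp" --batch --verify "$sig" "$f"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return $rc
}

# All three checks for one artifact: every digest file that was published,
# then the signature. Missing signature is a failure, not a skip.
verify_download() {
    f=$1; keys=$2; rc=0
    for alg in md5 sha sha1 sha256 sha512; do
        if [ -f "$f.$alg" ]; then verify_checksum "$alg" "$f" "$f.$alg" || rc=1; fi
    done
    if [ -f "$f.asc" ]; then
        verify_signature "$f" "$f.asc" "$keys" || rc=1
    else
        echo "FAIL no signature file $f.asc" >&2; rc=1
    fi
    return $rc
}

# Demo of the post's scenario with constructed data: the published digest
# describes the genuine file, the mirror hands back a modified one.
# Returns 0 when the good copy passes and the modified copy is rejected.
demo_mirror_mismatch() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample tarball contents\n' > "$d/sample.tar.gz"
    printf '%s  sample.tar.gz\n' "$(digest sha256 "$d/sample.tar.gz")" > "$d/sample.tar.gz.sha256"
    verify_checksum sha256 "$d/sample.tar.gz" "$d/sample.tar.gz.sha256" || { rm -rf "$d"; return 1; }
    printf 'bytes appended by a bad mirror\n' >> "$d/sample.tar.gz"
    if verify_checksum sha256 "$d/sample.tar.gz" "$d/sample.tar.gz.sha256" 2>/dev/null; then
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"
    return 0
}
```

Usage: `verify_download apache-foo-1.2.tar.gz KEYS` after fetching the artifact and its .md5/.sha*/.asc files from the mirror and KEYS from the project's own site. Only verify_signature needs network-fetched material; the digest check of the demo runs entirely on constructed files.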

Also keep in mind that if you don't, and you build a WAR file that bundles these potentially compromised sources, you are propagating the problem to everyone who deploys it.