Thursday, January 05, 2012

MD5 Checksum and Cryptographic Signature Checks on Code

I just wanted to post a generally good idea on downloading code. I recently downloaded some code from an Apache mirror site which I checked against its MD5 checksum and it failed. At first I thought that the file was corrupt and re-downloaded it. Again it failed the MD5 check, so I checked its cryptographic (GPG) signature and it failed.

I downloaded the code from another mirror and everything worked correctly. I notified the mirror site of the inconsistency, and carried on. However, I often wonder how much we shortcut our work, and fail to check that vital information.

Here is a gentle reminder. If the code has an MD5, SHA, and cryptographic signature, please take the extra 5 minutes to check all three. It will verify that your downloads are safe.

Also keep in mind that if you don't, and make a war file that contains these potentially infected sources, you are propagating the problem.
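The three checks described above can be scripted so they are never skipped. This is an added example, not code from the original post. It assumes the mirror publishes `FILE.md5`, `FILE.sha512` and a detached `FILE.asc` next to `FILE`, and that the signer's public key (fetched from the project's main site, not the mirror) is already in your GPG keyring. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a download against its checksum and signature sidecars.

# Print the digest stored in a sidecar file. Mirrors publish either a bare
# hex digest or "digest  filename", so take the first hex word of the right length.
expected_digest() {  # $1 = sidecar file, $2 = digest length in hex characters
  tr 'A-F' 'a-f' < "$1" | grep -Eow "[0-9a-f]{$2}" | head -n 1
}

# Succeeds only if the sidecar holds a digest and it matches the file.
check_digest() {  # $1 = md5sum|sha512sum, $2 = file, $3 = sidecar, $4 = hex length
  local want got
  want=$(expected_digest "$3" "$4")
  got=$("$1" "$2" | cut -d ' ' -f 1)
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# gpg exits non-zero on a bad signature or when the signer's key is not in the keyring.
check_signature() {  # $1 = file, $2 = detached .asc signature
  gpg --verify "$2" "$1" 2>/dev/null
}

# Run all three checks and report every failure; returns 0 only if all pass.
verify_download() {  # $1 = downloaded file
  local f rc
  f=$1
  rc=0
  check_digest md5sum    "$f" "$f.md5"    32  || { echo "MD5 mismatch: $f" >&2; rc=1; }
  check_digest sha512sum "$f" "$f.sha512" 128 || { echo "SHA-512 mismatch: $f" >&2; rc=1; }
  check_signature "$f" "$f.asc" || { echo "Bad or unverifiable signature: $f" >&2; rc=1; }
  return $rc
}

# Usage: sh verify.sh path/to/download.tar.gz
[ "$#" -eq 0 ] || verify_download "$1"
```

A checksum fetched from the same mirror as the file only detects corruption; the signature check is the one that ties the file to the signer's key.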


Hernan Echegoyemberry said...

I wonder, why is it easy to infect a file, but hard to change the MD5 code you are seeing on the page?

John Yeary said...

I had a discussion at lunch with a colleague about this exact issue.

Usually the files and signature are located in different areas and/or servers. This is not always the case, but can add a little level of security.

The better solution is to check the cryptographic signature with the armor files which often accompany the files and are verified using the public key from the signer.

In my case, the MD5 check was sufficient to tip me off, but since the SHA and ASC files were available I would have checked them anyway.

I think I will consider doing the same thing for all the code I publish since it is a good practice.

Thanks for the thoughtful comment.
