LinuxQuestions.org


oasisbhrnw 03-14-2007 08:15 PM

MD5 and SIG
 
Hello,

I noticed that most opensource installers for Linux that you download come with .MD5 and .SIG files. I assume they have something to do with security, but I do not know how to use them.

Can anyone help me out?

GrapefruiTgirl 03-14-2007 11:45 PM

Hello there!

The md5 checksum is used to verify that the package you have downloaded is actually untampered-with, and is in its original form as packaged by the designer.
Once you download a package, you would navigate to the folder where the package is saved, open a console if you aren't in one already, and type:
md5sum package-name-1.2.3-arch.tgz
substituting the actual filename of the archive for my example name.
This will calculate the md5 checksum of the package, which you will verify against the published MD5 file which is available for download or viewing where you got the package.
SIG, or signature files, are sort of for the same purpose. Using the GnuPG, or PGP functionality in Linux systems, you can verify that a file, or an email, which is digitally signed by someone, has actually been signed by that person, and that it is not a forgery.
In a console, you would type:
gpg --verify file-ending-in.sig-or.asc file-you-are-verifying
specifying first the SIG or ASC file, and second, the file you are checking.
:)
For further info, check the manual pages (type man gpg or man md5 or man md5sum) for full details on these functions.

blackhole54 03-14-2007 11:48 PM

You are correct. They are used for verifying the integrity of the file you downloaded. The .md5 files are used to verify the MD5 sum of a file, while .sig and .asc files are signature files containing a GPG (Gnu Privacy Guard -- somewhat similar to Pretty Good Privacy) signature. The signatures are much better for protecting against malicious alteration of files than MD5, but that discussion would be too long for here. Besides, I am not an expert. You might want to do some reading on the Internet about these -- possibly check Wikipedia articles.

You will typically have the file to be verified and the .md5, .sig, or .asc file in the same directory and from that directory you would give one of the following commands:

Code:

md5sum -c somefile.md5
gpg --verify somefile.sig
gpg --verify somefile.asc

(BTW .sig and .asc files are just two representations of the same thing. The first is a binary representation and the second is an ASCII representation.) In the case of gpg, it may tell you that you don't have the necessary public key on your keyring. In this case you will need to download that key and add it to your key ring. You should check out the gpg man page and materials on the web to flesh this out.

I know this has been rather sketchy, but I hope it points you in the right direction.

archtoad6 03-15-2007 09:15 AM

Note the difference between the 2 suggested methods of md5 verification. Both will work, but the 2nd will automatically check all files' sums listed in the .md5 & either give an "Ok" or complain. Much easier, doesn't require you to visually scan 2 long hex #'s.

I may be wrong but I believe that the .sig & .asc files do NOT verify the d/l'd file, but rather the .md5 file, so running g/pg/p on them is NOT a substitute for running md5sum -- that must always be done in order to verify the file itself. That is, if my memory is correct.

BTW, if you d/l a master .md5 file from a site, but only a few of the files it references, it can be very helpful to create an edited copy of it that contains only the lines for the files you actually got. If you do that, then run md5sum -c on the edited file, not the original, its output will not be cluttered w/ complaints about missing files, files that are missing because you didn't d/l them.

blackhole54 03-15-2007 09:53 PM

Quote:

Originally Posted by archtoad6
I may be wrong but I believe that the .sig & .asc files do NOT verify the d/l'd file, but rather the .md5 file, so running g/pg/p on them is NOT a substitute for running md5sum -- that must always be done in order to verify the file itself. That is, if my memory is correct.

Good catch. If the file comes with both, you are probably right. Verify the signature on the md5 file and then verify the md5. The OP mentioned installers, which if he means what I think, I have limited experience with. For other files that I've dealt with, if a signature file is involved, it is usually directly for the file you downloaded, and either no md5 file is involved at all, or else it is an alternate (and less desirable) path.

If you pay attention, you should be able to tell what the signature file goes to. If it is a signature to the MD5 file, then I would hope it had the name somefile.md5.asc (or .sig). If it just has the name somefile.asc and you use the form of the gpg command I gave, then it will try to match the signature to somefile. If that was not what the signature was for, it will fail! You could then try it with the md5 file, using the form of the command GrapefruiTgirl listed.
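The two-step procedure the thread arrives at (check the signature first, then run md5sum -c over a copy of the .md5 list trimmed to the files you actually downloaded, as archtoad6 suggests), written up as an added shell example that is not code from any of the posts. It assumes GNU coreutils md5sum and gpg, and that the .md5 list uses the line format md5sum itself writes.

```shell
#!/bin/sh
# Added example, not code from the thread. Step 1: gpg --verify the detached
# signature, which may cover the download itself or the .md5 list. Step 2:
# md5sum -c over a copy of the .md5 list trimmed to the files actually present,
# so files you never fetched do not clutter the output with "missing" complaints.
set -u

# Print only the lines of an .md5 list ($1) whose file exists in directory $2.
# Assumed line format, as md5sum writes it: "<32 hex>  name" or "<32 hex> *name".
filter_md5_list() {
    list="$1"; dir="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        rest=${line#* }                     # drop "<hash> "
        case $rest in
            \**) name=${rest#\*} ;;         # binary-mode marker
            *)   name=${rest# } ;;          # text mode: second space
        esac
        [ -f "$dir/$name" ] && printf '%s\n' "$line"
    done < "$list"
}

# Run md5sum -c on the trimmed list; succeed only if every present file matches
# (an empty trimmed list also fails, since nothing was verified).
check_md5_present() {
    list="$1"; dir="$2"
    tmp=$(mktemp) || return 1
    filter_md5_list "$list" "$dir" > "$tmp"
    if (cd "$dir" && md5sum -c "$tmp"); then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Check a detached signature ($1) over the file it was made for ($2). A good
# signature only proves that key signed it; the key must already be on your
# keyring and have come from a source you trust.
verify_sig() {
    gpg --verify "$1" "$2"
}

# Whole procedure. Arguments: directory holding the downloads, signature file,
# the file it signs (the download or the .md5 list), and the .md5 list.
verify_download() {
    dir="$1"; sig="$2"; signed="$3"; md5list="$4"
    verify_sig "$dir/$sig" "$dir/$signed" || { echo "signature check FAILED" >&2; return 1; }
    check_md5_present "$dir/$md5list" "$dir"
}
# e.g.: verify_download ~/Downloads package.md5.asc package.md5 package.md5
```

If the signature is on the download itself rather than on the .md5 list, pass the download as the third argument; the md5 step then only adds a sanity check.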
