The md5 checksum is used to verify that the package you have downloaded is actually untampered-with, and is in its original form as packaged by the designer.
Once you download a package, you would navigate to the folder where the package is saved, open a console if you aren't in one already, and type:
substituting the actual filename of the archive for my example name.
This will calculate the md5 checksum of the package, which you then verify against the published MD5 file, available for download or viewing where you got the package.
SIG, or signature, files are sort of for the same purpose. Using GnuPG, or the PGP functionality in Linux systems, you can verify that a file or an email which is digitally signed by someone has actually been signed by that person, and that it is not a forgery.
In a console, you would type:
gpg --verify file-ending-in.sig-or.asc file-you-are-verifying
specifying first the SIG or ASC file, and second, the file you are checking.
For further info, check the manual pages (type man gpg or man md5 or man md5sum) for full details on these functions.
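
The two checks described above, combined into one script. This is an added example, not part of the original text; the function names are hypothetical, and it assumes the published MD5 file holds either a bare digest or md5sum's "digest  filename" layout.

```shell
#!/bin/sh
# Added example: compare a download against its published MD5 file, then
# optionally verify a detached signature. Function names are hypothetical.

# Print the lowercase MD5 hex digest of a file.
md5_of() {
    md5sum "$1" | awk '{ print tolower($1) }'
}

# Print the digest the published MD5 file lists for the given download.
# Accepts a bare digest, or "digest  filename" lines as written by md5sum.
expected_md5() {
    md5file=$1
    name=$(basename "$2")
    awk -v name="$name" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        length($1) != 32 { next }                # not an MD5 digest line
        NF == 1 { print tolower($1); exit }      # bare digest
        { f = substr($0, 35); sub(/^.*\//, "", f)  # name starts at column 35
          if (f == name) { print tolower($1); exit } }
    ' "$md5file"
}

# Return 0 on match, 1 on mismatch, 2 when no digest is published for the file.
verify_md5() {
    want=$(expected_md5 "$2" "$1")
    [ -n "$want" ] || { echo "no digest for $1 in $2" >&2; return 2; }
    got=$(md5_of "$1")
    [ "$got" = "$want" ] || { echo "MD5 mismatch for $1" >&2; return 1; }
}

# Checksum first; then the signature, when a .sig or .asc file is supplied.
# gpg takes the signature file first and the file being checked second.
verify_download() {
    verify_md5 "$1" "$2" || return $?
    [ -z "${3:-}" ] || gpg --verify "$3" "$1"
}

# Usage: verify_download package.tar.gz package.tar.gz.md5 [package.tar.gz.sig]
```

The checksum step only shows that the file matches the published MD5 file; the gpg step is what ties it to the signer, whose public key must already be in your keyring.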