Just a further comment in passing:
"Digest checksums," such as MD5 or SHAx, are only good enough today (IMHO ...) for files that you know come from a trustworthy source. Otherwise, IMHO, it is crucial that they be digitally signed, i.e. using GPG.
"Digital signatures" check a message-digest payload (a digest checksum) that has been encrypted using a certain private key. They verify that the payload can be decrypted using the public key, and then use a digest algorithm to verify the decrypted digest. (And they should obtain that public key from a key server.) This is intended to verify that the package was, indeed, prepared by someone who possessed that (secret) private key.
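The mechanism the post describes, worked through as an added example (this is not the poster's code and not GPG's): a checksum-only check versus a "digest encrypted with the private key" signature check, and what each does when an attacker controls the download mirror. The key pair is an assumed toy, two fixed Mersenne primes, and the signature is unpadded textbook RSA over a SHA-256 digest; real tools such as GPG add padding and packet formats that this illustration leaves out. The release contents are constructed sample bytes.

```python
"""Checksum-only verification vs. a digital signature over the digest.

Added example, not code from the original post. Uses stdlib only; the RSA
key pair is a deliberately toy, publicly known pair (ASSUMPTION) and the
signature is unpadded textbook RSA, which mirrors the post's description
('encrypt the digest with the private key') but is NOT what GPG does.
"""
import hashlib
import hmac

# --- toy key pair: fixed Mersenne primes, for illustration only ---------
P = (1 << 127) - 1            # 2^127 - 1, prime
Q = (1 << 521) - 1            # 2^521 - 1, prime; N is ~648 bits > 256-bit digest
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python >= 3.8)

PUBLIC_KEY = (N, E)     # what you would fetch from a key server
PRIVATE_KEY = (N, D)    # what only the release manager holds


def sha256_hex(data: bytes) -> str:
    """The 'digest checksum' a download page would publish next to the file."""
    return hashlib.sha256(data).hexdigest()


def checksum_check(data: bytes, published_hex: str) -> bool:
    """Checksum-only check: trusts whatever hash the site publishes, so it
    only detects accidental corruption, not a swapped file plus swapped hash."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def sign_digest(data: bytes, private_key) -> int:
    """'Encrypt' the SHA-256 digest of the payload with the private exponent."""
    n, d = private_key
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    assert m < n, "digest must be smaller than the modulus"
    return pow(m, d, n)


def verify_signature(data: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public exponent, recompute the digest
    from the payload and compare them: the step the post calls verifying the
    decrypted digest."""
    n, e = public_key
    recovered = pow(signature, e, n)
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return recovered == expected


def mirror_compromise_scenario() -> dict:
    """Genuine release vs. a trojaned one served by an attacker who controls
    the mirror and can therefore also replace the published checksum."""
    genuine = b"release-1.0.tar.gz contents"              # constructed sample
    published_hex = sha256_hex(genuine)
    published_sig = sign_digest(genuine, PRIVATE_KEY)

    trojaned = b"release-1.0.tar.gz contents + backdoor"  # constructed sample
    attacker_hex = sha256_hex(trojaned)   # attacker publishes a matching hash

    return {
        "genuine_checksum_ok": checksum_check(genuine, published_hex),
        "genuine_signature_ok": verify_signature(genuine, published_sig, PUBLIC_KEY),
        # passes: the checksum was replaced along with the file
        "trojaned_checksum_ok": checksum_check(trojaned, attacker_hex),
        # fails: without D the attacker cannot produce a signature for the new digest
        "trojaned_signature_ok": verify_signature(trojaned, published_sig, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for name, ok in mirror_compromise_scenario().items():
        print(f"{name}: {ok}")
```

The scenario makes the post's point concrete: the checksum check accepts the trojaned file because whoever serves the file also serves the hash, while the signature check only accepts data whose digest was signed with the private key, and the public key used to check it should come from somewhere other than the download site (the post suggests a key server) so the attacker cannot substitute that too.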