Often we get a software from a source, with another files (.md5, sha etc...)
How this works?

No idea what you're asking, about what software, from what source, and we can't guess as to your question. Can you clarify??? The things you mention in the 'etc.' are typically checksums...how to check them depends on what the sum is, and typically the sender will tell you what to run to verify the archive.

"No idea" doesn't make sense. You got it.
for example
https://imgur.com/a/ECHKfQD
no dialog or more instructions.
I just want to use my PC, and eventually work with that but i'm almost giving it up (because you 'no idea' exists)! Not for prouding
Thanks

The checksum verifies you downloaded the ISO file without errors and the PGP key verifies the ISO file and checksum file have not been tampered with.

https://www.howtogeek.com/246332/how...tampered-with/

And you are still not asking a clear question. You are still not providing any details, such as what version/distro of Linux, where you're getting this software, etc. Posting a screen shot of a web page doesn't tell anyone, anything.

No idea what you mean by "Not for prouding", but the page you showed has ISO images. Again, the download sites have INSTRUCTIONS on how to use the md5/sha checksums....did you read them?? Step 3 that says, "How to verify the ISO"????
https://mxlinux.org/download-links/
https://mxlinux.org/wiki/system/iso-...ksumsignatures

Tells you what to type in. Again, you need to ask a clear question and provide details. If you're downloading things on Windows/Mac, these instructions probably won't work, and you'll need to do something else. And we can't help you since you DO NOT TELL US anything.

A "checksum," usually SHA1 or MD5, is an arithmetic calculation which is designed to detect the slightest change in a file. If even one bit has been altered, the checksum will be completely different.

A "cryptographic digital signature" is slightly different. Here, the checksum is wrapped in an encrypted payload that can be decrypted using a readily-available public key. This payload can only be generated by a possessor of the corresponding private key, which is secret.

When you verify a "signed" package, the software first decrypts the signature payload – and finds that it can successfully do so. (Which necessarily means that it was prepared by a holder of that secret private key.) Then, it verifies the checksum that is contained within that payload. This is evidence that the package contents are, indeed, exactly the same as what the signer originally vouched for, and that you know who signed it.

Now, strictly speaking, there are still clever ways that a clever nasty-person could trick you. ("Nasty-persons" are remarkably clever and resourceful ...) But it is acceptably unlikely.

All software-update processes used for Linux use digitally-signed packages, and from time to time the set of public keys are also updated. Most conventional software installers, and many applications, are also signed, and the operating system can be set to refuse to launch any application that isn't signed by a known source.

I usually do not check the downloaded files, especially if it is an ISO file. I almost never had a failed download, at least I do not remember. Also I prefer to download from a torrent file if that exists because the download is checked and correct. Life is simple sometimes.

You could also ask these questions in a single thread, as it makes it more easy for you and for the ones who answer to you, since it is basically the same subject/goal to be achieved.

1 members found this post helpful.