Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 03-14-2007, 09:15 PM   #1
LQ Newbie
Registered: Mar 2007
Posts: 1

Rep: Reputation: 0
MD5 and SIG


I noticed that most opensource installers for Linux that you download come with .MD5 and .SIG files. I assume they have something to do with security, but I do not know how to use them.

Can anyone help me out?
Old 03-15-2007, 12:45 AM   #2
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 551Reputation: 551Reputation: 551Reputation: 551Reputation: 551Reputation: 551
Hello there!

The md5 checksum is used to verify that the package you have downloaded is actually untampered-with, and is in its original form as packaged by the designer.
Once you download a package, you would navigate to the folder where the package is saved, open a console if you aren't in one already, and type:
md5sum package-name-1.2.3-arch.tgz
substituting the actual filename of the archive for my example name.
Thiis will calculate the md5 checksum of the package, which you will verify against the published MD5 file which is available for download or viewing where you got the package.
SIG, or signature files, are sort of for the same purpose. Using the GnuPG, or PGP functionality in Linux systems, you can verify that a file, or an email, which is digitally signed by someone, has actually been signed by that person, and that it is not a forgery.
In a console, you would type:
gpg --verify file-ending-in.sig-or.asc file-you-are-verifying
specifying first the SIG or ASC file, and second, the file you are checking.

For further info, check the manual pages (type man gpg or man md5 or man md5sum) for full details on these functions.

Last edited by GrapefruiTgirl; 03-15-2007 at 12:46 AM.
Old 03-15-2007, 12:48 AM   #3
Senior Member
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
You are correct. They are used for verifying the integrity of the file you downloaded. The .md5 files are used to verify the MD5 sum of a file, while .sig and .asc files are signature files containing a GPG (Gnu Privacy Guard -- somewhat similar to Pretty Good Privacy) signature. The signatures are much better for protecting against malicious alteration of files than MD5, but that discussion would be too long for here. Besides, I am not an expert. You might want to do some reading on the Internet about these -- possibly check Wikipedia articles.

You will typically have the file to be verified and the .md5, .sig, or .asc file in the same directory and from that directory you would give one of the following commands:

md5sum -c somefile.md5
gpg --verify somefile.sig
gpg --verify somefile.asc
(BTW .sig and .asc files are just two representations of the same thing. The first is a binary representation and the second is an ASCII representation.) In the case of gpg, it may tell you that you don't have the necessary public key on your keyring. In this case you will need to download that key and add it to your key ring. You should check out the gpg man page and materials on the web to flesh this out.

I know this has been rather sketchy, but I hope it points you in the right direction.
Old 03-15-2007, 10:15 AM   #4
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234Reputation: 234Reputation: 234
Note the difference between the 2 suggested methods of md5 verification. Both will work, but the 2nd will automatically check all files' sums listed in the .md5 & either give an "Ok" or complain. Much easier, doesn't require you to visually scan 2 long hex #'s.

I may be wrong but I believe that the .sig & .asc files do NOT verify the d/l'd file, but rather the .md5 file, so running g/pg/p on them is NOT a substitute for running md5sum -- that must always be done in order to verify the file itself. That is, if my memory is correct.

BTW, if you d/l a master .md5 file from a site, but only a few of the files it references, it can be very helpful to create an edited copy of it that contains only the lines for the files you actually got. If you do that, then run md5sum -c on the edited file, not the original, its output will not be cluttered w/ complaints about missing files, files that are missing because you didn't d/l them.
Old 03-15-2007, 10:53 PM   #5
Senior Member
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Originally Posted by archtoad6
I may be wrong but I believe that the .sig & .asc files do NOT verify the d/l'd file, but rather the .md5 file, so running g/pg/p on them is NOT a substitute for running md5sum -- that must always be done in order to verify the file itself. That is, if my memory is correct.
Good catch. If the file comes with both, you are probably right. Verfiy the signature on md5 file and then verify the md5. The OP mentioned installers, which if he means what I think, I have limited experience with. For other files that I've dealt with, if a signature file is involved, it is usually directly for the file you downloaded, and either no md5 file is involved at all, or else it is an alternate (and less desirable) path.

If you pay attention, you should be able tell what the signature file goes to. If it is a signature to the MD5 file, then I woud hope it had the name somefile.md5.asc (or .sig). If it just has the name somefile.asc and you use the form of the gpg command I gave, then it will try to match the signature to somefile. If that was not what the signature was for, it will fail! You could then try it with the md5 file, using the form of the command GrapefruiTgirl listed.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sig jstephens84 LQ Suggestions & Feedback 6 06-24-2006 02:36 AM
How to use a *.sig file? jerryvb Linux - General 2 11-26-2004 01:03 PM
Sig Images lexy LQ Suggestions & Feedback 3 10-27-2002 08:00 PM
How come my sig doesn't appear? DaDdY SnEb General 6 06-20-2002 09:28 AM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:13 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration