incubator-depot-dev mailing list archives

From "Markus M. May" <m...@gmx.net>
Subject Re: MD5 Hash
Date Wed, 11 Feb 2004 16:00:37 GMT
Hello once again,

> > yes, I can enlighten you all a little bit about MD5 hashes. The basic is that
> 
> Ok, thanks for that. I get the gist, I get the premise. Now, more
> practically...
> 
> What are the inputs to the algorithm? Meaning, we have the file, we have the
> MD5 resultant hash (assuming the file on the server has not been modified),
> and we have the algorithm, but do we need anything else (e.g. keys) in order
> to re-compute/check the resultant hash?

Basically the MD5 Hash does not need keys. It is generated from the file
itself without any password or something like that. The code is just a hashcode
of the file (a hex-Number).
> 
> Hmm, what makes folk think that the file could be changed without the MD5
> hash file being changed also. I feel there has to be some private key from
> the originator, to ensure that nobody could fake both.
> 
Like stated earlier, there are no keys there. Since a normal user uses a
mirror to download apache.org sources or binaries, you can then check if the
file has the same hash-code as the original file from apache.org (can be checked
by using the original .md5-file from apache).
Also apache.org delivers a file named .asc (at least some projects, like ant,
do this). In this file there is a signature for the original file. This can
then be checked by using the public key stored in the root-directory of each
project in the KEYS-file. But this has nothing really to do with the MD5
stuff. MD5 just ensures integrity basically during the download, but does not,
like you said, ensure that the file is really the one which was published or
intended to be published.

> So, if there are such keys, how do we acquire them? How do we trust them?
> 
> regards
> 
> Adam
> 


R,

Markus
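
The keyless check described in the message above, as an added example that is not part of the original post and is not Apache's own code: it parses a published .md5 file and compares it with the MD5 of a downloaded file. The file name `release.tar.gz`, the sample contents and the set of .md5 layouts handled are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import re

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")

def parse_md5_file(text):
    """Return the digest from a .md5 file in any of these layouts:
    bare hex, 'hex  name' (md5sum), 'MD5 (name) = hex' (BSD md5),
    'name: AB CD EF ...' (gpg --print-md, spaced hex pairs)."""
    match = HEX32.search(text)
    if match:
        return match.group(0).lower()
    # Spaced form: take what follows the last ':' or '=' and drop whitespace.
    compact = re.sub(r"\s+", "", re.split(r"[:=]", text)[-1])
    if re.fullmatch(r"[0-9a-fA-F]{32}", compact):
        return compact.lower()
    raise ValueError("no MD5 digest found in .md5 file")

def md5_of_stream(fh, chunk_size=65536):
    """Hash a file object in chunks so large archives need not fit in memory."""
    digest = hashlib.md5()
    for block in iter(lambda: fh.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()

def verify(fh, md5_text):
    """True if the stream's MD5 equals the digest published in md5_text."""
    return hmac.compare_digest(md5_of_stream(fh), parse_md5_file(md5_text))

# Constructed sample data: no real release, file name or digest is used.
ORIGIN_FILE = b"constructed release archive 1.0\n"
MODIFIED_FILE = b"constructed release archive 1.0, altered on the mirror\n"
ORIGIN_MD5 = "MD5 (release.tar.gz) = %s\n" % hashlib.md5(ORIGIN_FILE).hexdigest()
MIRROR_MD5 = "%s  release.tar.gz\n" % hashlib.md5(MODIFIED_FILE).hexdigest()

def check_scenarios():
    """Needs no key: the result depends only on where the .md5 came from."""
    return {
        "mirror file vs origin .md5": verify(io.BytesIO(ORIGIN_FILE), ORIGIN_MD5),
        "altered file vs mirror .md5": verify(io.BytesIO(MODIFIED_FILE), MIRROR_MD5),
        "altered file vs origin .md5": verify(io.BytesIO(MODIFIED_FILE), ORIGIN_MD5),
    }

if __name__ == "__main__":
    for name, ok in check_scenarios().items():
        print("%-8s %s" % ("match" if ok else "MISMATCH", name))
```

The second scenario matches because the file and its .md5 came from the same place, which is the case raised in the quoted question. Only the comparison against the .md5 fetched from apache.org catches the change, and whether the file is the one that was published is a question for the .asc signature and the KEYS file.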

