checksums.pl - Validate MD5 or SHA1 sums against a text file
distributed as MH-checksums
Copyright (C) 2000 Jacob Moorman

Version 0.4; May 17, 2000


Download

Tarball: MH-checksums-0.4.tar.gz
MD5 sum: d7dae7fe492cdef25e0df31115164a34

GPG Signature: MH-checksums-0.4.tar.gz.asc
MD5 sum: 7592b115c07f6e3db0c831cc2c5445da


Overview

In this age of Internet-based software distribution, there have always been concerns of incomplete downloads, damaged downloads, and malicious file tampering. To combat these issues, many authors provide a list of cryptographic checksums for files they distribute. These sums provide a reference point against which the end-user or software redistributor may verify file integrity.

checksums.pl may be used directly by an end-user or be incorporated into a script; it seeks to simplify the process of validating files against a list of cryptographic sums.


Help

Information regarding the command-line options of checksum.pl may be obtained by executing: 'checksum.pl --help'


Error Codes

checksum.pl should return '0' on successful match/non-error, '1' on mismatch, and error codes as specified by perl (or the OS) on system error.


Installation

checksum.pl is not dependent on living in a specific place; for ease of use, you may wish to place it within /usr/bin or /usr/local/bin, though this is not mandatory.


Expected format of sums files

checksum.pl expects sums files to contain two fields separated by whitespace. This layout is the one most authors use when distributing md5.sum files; the common 'md5sum' utility generates output with exactly this field order and delimiter.

      [cryptographic sum (MD5 or SHA1)]  [filename]
      . . .
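As an added example (not part of the MH-checksums distribution), the Python script below shows how a validator in the spirit of checksum.pl parses the two-field layout above, picks MD5 or SHA1 from the digest length, and maps the outcome onto the exit codes listed under Error Codes; the file names, digests and the exit code 2 for a missing file are constructed assumptions.

```python
import hashlib
import hmac
import re

# A hex digest's length identifies the hash: 32 characters is MD5, 40 is SHA1.
ALGO_BY_LEN = {32: "md5", 40: "sha1"}
# <hex digest> <whitespace> <filename>; md5sum prefixes binary-mode names with '*'.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_sums(text):
    """Return (algorithm, digest, filename) tuples from a two-field sums file.
    Blank lines are skipped; any other line that is not a valid entry raises."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(1)) not in ALGO_BY_LEN:
            raise ValueError(f"line {lineno}: not a '<md5|sha1 hex> <filename>' entry")
        digest, name = m.group(1).lower(), m.group(2)
        entries.append((ALGO_BY_LEN[len(digest)], digest, name))
    return entries

def verify(sums_text, files):
    """Check each entry against `files` (name -> bytes, standing in for the disk).
    Exit code follows checksum.pl: 0 if all match, 1 on any mismatch; a missing
    file yields 2 (assumed here, since the README leaves system errors to perl/OS)."""
    code, status = 0, {}
    for algo, expected, name in parse_sums(sums_text):
        if name not in files:
            status[name], code = "MISSING", max(code, 2)
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        if hmac.compare_digest(actual, expected):
            status[name] = "OK"
        else:
            status[name], code = "FAILED", max(code, 1)
    return code, status

# Constructed sample data: the empty-file and pangram digests are the standard published
# MD5/SHA1 values; SUMS_TAMPERED alters one hex digit of fox.txt's MD5 to model a
# corrupted download or a file changed after the sums were published.
FILES = {"empty.txt": b"", "fox.txt": b"The quick brown fox jumps over the lazy dog"}
SUMS_OK = ("d41d8cd98f00b204e9800998ecf8427e  empty.txt\n"
           "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 *fox.txt\n")
SUMS_TAMPERED = ("d41d8cd98f00b204e9800998ecf8427e  empty.txt\n"
                 "9e107d9d372bb6826bd81d3542a419d7  fox.txt\n")
```

A match only shows that the downloaded file agrees with the sums file, not that either is authentic; the Insecurity section below covers why the sums file itself needs a verified signature.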


MD5 and SHA1

The MD5 and SHA1 cryptographic hashes are documented in the following online resources.

RFC 1321 (MD5)
http://www.faqs.org/rfcs/rfc1321.html

FIPS PUB 180-1 (SHA1)
http://www.itl.nist.gov/fipspubs/fip180-1.htm

An excellent overview of cryptographic hashes, including descriptions and sources for MD5 and SHA1, may be found in Bruce Schneier's "Applied Cryptography". Details regarding this book (and where to purchase copies) may be found at: http://www.counterpane.com/applied.html


Insecurity

It is important to recognize the functional limitations of using cryptographic hashes alone for validating file integrity. A cryptographic hash lets you check that a file's contents match a known hash of that file, but it cannot tell you whether the hash itself is genuine: a malicious person able to modify files on the distribution server could also update the sums file so that its hashes match the modified copies. Public key cryptography tools such as Pretty Good Privacy and GNU Privacy Guard must therefore be employed to detect malicious modification of files (including the sums files) at the distribution point. This tool remains useful for several reasons, notably that validating files against a sums file which has itself been cryptographically signed is still a sound security practice.


Required perl modules

This program has been written and tested using perl 5.005_03 on RedHat Linux 6.1, though it should work with any version of perl5 on nearly any perl-supported platform.

checksum.pl makes use of MD5 and SHA1 routines included in the Digest::MD5 and Digest::SHA1 modules, available from CPAN (http://www.cpan.org). Instructions for installing these modules may be found in the README included within the Digest-MD5 archive.

The latest version of Digest-MD5 at the time of this writing is 2.09. It may be obtained from: http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.09.tar.gz


License

checksums.pl, a cryptographic checksum validation tool
Copyright (C) 2000 Jacob Moorman (roguemtl@marblehorse.org)

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA


Authors

Program authored and maintained by Jacob Moorman of the Marble Horse Free Software Group. He may be reached at roguemtl@marblehorse.org

QA, testing and enhancement suggestions by Erik Peterson and David Burley of the Marble Horse Free Software Group.