Open Source Software File Integrity

Do you check file integrity when you download open source software? This is normally accomplished by the software developer publishing MD5 sums for the files. An MD5 sum is a fixed-length hash (a digest, not a signature) computed over the contents of a file. By publishing that digest, the developer lets you verify the integrity of the file: you compute the digest on your own system and compare it against the sum that came with the file, and any difference means the file you have is not the file the developer hashed. Bear in mind that MD5 is no longer collision-resistant, so where the developer also offers SHA-256 sums, prefer those; MD5 still catches an accidental or unsophisticated modification. Many developers have recently started including GPG-signed sums, which is even better: an attacker who compromises the system holding the software and the sum files can rewrite both, but cannot produce a valid signature without the developer's private key, as long as that key is not stored on the compromised server.

The reason I bring this up is that a popular open source application was recently compromised. An attacker gained access to a server hosting the downloadable distribution and altered some of the files so that they contained malicious code that could be exploited remotely. The altered files were discovered by a user who had downloaded them and noticed a discrepancy in the sums, potentially sparing many others who had downloaded the tampered software.

Doing this may sound like an inconvenience, but it is really easy to do, and it helps ensure that you are getting software that was not tampered with. To do your part, you just need a program that computes MD5 digests. Most Linux distributions include one (md5sum, part of GNU coreutils), and you can download one for virtually any OS. You could even write one yourself, if you want. Run it against the files you downloaded and compare the output, character for character, against the MD5 sum provided by the developer. A matching sum only tells you that the file is the one the developer hashed; it says nothing about whether the sum file itself is genuine, which is why the sums should be fetched from a different location than the files whenever the developer offers one.

If you have GPG and the developer provides signed MD5 sums, you can check that the MD5 sums were actually created by the developer by running gpg --verify on the signature file. That check is only as good as your copy of the developer's public key: confirm its fingerprint through a channel other than the download server (the project's web page over TLS, a keyserver, a previous release you trust), because an attacker who can replace the sums file can just as easily replace the key file sitting next to it.
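The two checks above (comparing digests against a developer-supplied sums file, and confirming the signature on that file came from the expected key) as an added example, not code from the original post or from any project it mentions. It parses the line format written by md5sum and sha256sum, infers the algorithm from the digest length, and reports OK, FAILED or MISSING per file. The signature check shells out to gpg, reads its machine-readable status lines, and pins the signing key's fingerprint; gpg on PATH, an already imported public key, and the fingerprint value you pass in are all assumptions. The files and sums in the demo are constructed inline.

```python
"""Verify downloaded files against a developer-supplied sums file.

Added example (not from the original post). Supports the line format
written by md5sum/sha256sum ("<hex>  <name>" or "<hex> *<name>"); the
algorithm is inferred from the digest length. The signature check shells
out to gpg and pins the signing key's fingerprint, which is the part a
bare `gpg --verify` does not do for you.
"""
import hashlib
import os
import subprocess
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGOS_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def digest_file(path, algo):
    """Hash a file in 1 MiB chunks so a large tarball need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse md5sum/sha256sum output into (algo, expected_hex, filename) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum writes "  name" (text) or " *name" (binary)
        algo = ALGOS_BY_HEX_LEN.get(len(expected))
        if algo is None or not name:
            raise ValueError("unrecognised sums line: %r" % line)
        entries.append((algo, expected.lower(), name))
    return entries


def verify_sums(sums_text, directory):
    """Return {filename: "OK" | "FAILED" | "MISSING"} for every listed file."""
    results = {}
    for algo, expected, name in parse_sums(sums_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if digest_file(path, algo) == expected else "FAILED"
    return results


def verify_signature(sig_path, data_path, expected_fpr):
    """Check a detached GPG signature AND that it was made by the expected key.

    gpg's VALIDSIG status line carries the signing key's full fingerprint.
    Requires gpg on PATH and the developer's public key already imported;
    expected_fpr is the fingerprint you obtained out of band (assumed value).
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper() == expected_fpr.replace(" ", "").upper()
    return False  # no valid signature at all, or gpg reported an error


def demo():
    """Constructed scenario: one good file, one tampered after the sums were published."""
    with tempfile.TemporaryDirectory() as d:
        files = {"app-1.0.tar.gz": b"pretend tarball\n", "README.txt": b"hello\n"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The developer publishes an MD5 for the tarball, a SHA-256 for the README,
        # and an entry for a file that never made it into this mirror.
        sums = "%s  app-1.0.tar.gz\n%s *README.txt\n%s  missing.bin\n" % (
            hashlib.md5(files["app-1.0.tar.gz"]).hexdigest(),
            hashlib.sha256(files["README.txt"]).hexdigest(),
            "0" * 32)
        # An attacker replaces the tarball after the sums file was published.
        with open(os.path.join(d, "app-1.0.tar.gz"), "ab") as f:
            f.write(b"; evil payload\n")
        return verify_sums(sums, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-20s %s" % (name, status))
```

The fingerprint pin in verify_signature is the part people skip: a signature that merely verifies "with some key" is worthless, since an attacker who replaced the sums file could sign it with a key of their own and publish that key next to it. Only a match against a fingerprint you obtained elsewhere turns the check into evidence about the developer.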
