If you download and install open source software you are used to seeing a long string of hexadecimal numbers
somewhere near the download link or in a file with a .md5 suffix. It will look something like this:
Maybe you trust the site because it looks legit, has a nice design, good font, and so forth, or maybe you trust the site because your teacher or friend, or some website, told you to go there. In that case, ignore the string. You’ll probably be fine. What’s the worst that can happen beyond all the files and personal information on your computer being sold on some pirate website in a bulk data package for identity thieves to peruse?
That said, you might want to make sure that the software you’re downloading is what it claims to be, even though you are a trusting soul. The MD5 hash is an easy way to check that the code you have received is the code the website says it is sending you. The MD5 hash is a string of hexadecimal characters that is generated uniquely (in practical terms), based on the contents of the file. So if a hacker were able to intercept or substitute the file somehow, even a change in a single character would be detectable in the hash string, as the algorithm makes radical changes to the string for even a single character of difference in the source file.
The good news is that it’s easy to do.
On Linux and Macs it’s just a matter of using the built-in md5 tool.
Here’s an example usage and output:
autopia-2:Downloads jb$ md5 Anaconda-1.9.0-MacOSX-x86_64.sh
MD5 (Anaconda-1.9.0-MacOSX-x86_64.sh) = ddd474c01696cc02dcaea91da1d72389
Given the string, I just compare them visually and make sure they are the same. This isn’t very hard because even a single-byte change in the file from what it’s supposed to be will result in a wildly different MD5 hash. I can always tell by looking at the first 6 characters.
For those of you on Windows, you may have an md5 tool if you’re on Cygwin, or you can use FCIV, which can compute md5s.
Checking your MD5s is smart and easy. Make it a habit.