When downloading GNU/Linux-related files like distributions, it’s not uncommon to see an MD5 checksum value beside the file. This MD5 checksum is (hopefully) unique to that file. The idea is that you can download the file and then run your own MD5 check on it. If your checksum comes out to the same value as the author says it should, then you know the file hasn’t been tampered with or corrupted during the download process.
To quote Ron Rivest, the creator of the MD5 algorithm:
[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit “fingerprint” or “message digest” of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be “compressed” in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
Yeah…OK. So how do you use it?
It’s likely that your GNU/Linux distro already has md5sum installed. To produce the checksum of any file on your system, type:
md5sum <filename>
This will produce the MD5 checksum for the <filename> file and you can then compare that to the known value from the author’s website.
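The comparison against the published value can be scripted instead of done by eye. This is an added example, not part of the original post; the function names verify_md5 and verify_md5_list and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# verify_md5 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 on bad input.
verify_md5() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # md5sum prints "<digest>  <name>"; keep only the digest.
    actual=$(md5sum < "$file" | cut -d' ' -f1) || return 2
    # Published digests are sometimes upper-case; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    # An MD5 digest is exactly 32 hex characters; reject a truncated paste.
    case $expected in
        *[!0-9a-f]*) echo "malformed checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed checksum" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual)" >&2
    return 1
}

# verify_md5_list LISTFILE: check every "<digest>  <name>" line (the format
# md5sum itself writes) using md5sum's built-in check mode.
verify_md5_list() {
    md5sum -c "$1"
}

# Constructed sample: a file containing "hello\n" and its MD5 digest.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_md5 "$demo" b1946ac92492d2347c6235b4d2611184
rm -f "$demo"
```

A non-zero return status means the file should not be used; download it again and re-check.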
Update: I’m not sure if I was clear on this. The MD5 algorithm is generic in use in that it can be used to provide a digital signature in a variety of cases. It’s widely used in the GNU/Linux world, but the verification of ISOs and other GNU/Linux files isn’t its only purpose.