md5sum for egd, gnupg

Neil Williams
Wed Aug 13 20:20:02 2003

On Wednesday 13 Aug 2003 6:33 pm, Ross Druker wrote:
> Hi,
> I'm trying to verify the md5sum for egd.  When I download the sum file from
> this page:

The md5sum isn't downloaded, it's generated on your own system from the file
you've downloaded and then compared digit by digit with the printed md5sum
on the webpage.

$ md5sum <filename>

In your case it could be:
$ md5sum egd-0.8.tar.gz

What you've downloaded is, as it says, the PGP Signature block. This is an
ASCII or binary signature made from the file. It is more rigorous than md5
because the signature can be dated and verifiably attributed to a particular
person as well as eliminating the possible problem of md5 not catching
certain amendments to the file - IIRC it is possible for two files to have
the same md5?

To verify the PGP signature, you need to have GnuPG or PGP installed, then:

gpg --verify egd-0.8.tar.gz.asc

> This does not match at all with what md5sum displays for the actual file,
> nor does the content even look right.

It isn't anything to do with md5 - that's why.

> I asked another user to try and he couldn't even display this in his
> browser. He had to download it.  Then, when he tried to display it, it was
> binary.
> I get the same problem with the md5sum file for gnupg, but at least its sum
> is posted on another page, so I could use that.
> Anybody know what the problem is?  I did notice that the gnupg file ends in
> .sig, while the egd file ends in .asc.

PGP signatures can end in .sig or .asc - there isn't an md5 file.

> Thanks,
> Ross


Neil Williams
