Hello once again,

> > yes, I can enlighten you all a little bit about MD5 hashes. The basic is that
>
> Ok, thanks for that. I get the gist, I get the premise. Now, more practically...
>
> What are the inputs to the algorithm? Meaning, we have the file, we have the MD5 resultant hash (assuming the file on the server has not been modified), and we have the algorithm, but do we need anything else (e.g. keys) in order to re-compute/check the resultant hash?
Basically the MD5 hash does not need keys. It is generated from the file itself without any password or something like that. The code is just a hash code of the file (a hex number).

> Hmm, what makes folk think that the file could be changed without the MD5 hash file being changed also. I feel there has to be some private key from the originator, to ensure that nobody could fake both.

As stated earlier, there are no keys there. Since a normal user uses a mirror to download apache.org sources or binaries, you can then check if the file has the same hash code as the original file from apache.org (this can be checked by using the original .md5 file from apache). Also apache.org delivers a file named .asc (at least some projects, like Ant, do this). In this file there is a signature for the original file. This can then be checked by using the public key stored in the root directory of each project in the KEYS file. But this has nothing really to do with the MD5 stuff. MD5 basically just ensures integrity during the download, but does not, like you said, ensure that the file is really the one which was published or intended to be published.

> So, if there are such keys, how do we acquire them? How do we trust them?
>
> regards
>
> Adam

R, Markus
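The keyless check Markus describes, worked through as an added example (it is not code from the thread or from any Apache project): parse an md5sum-style `.md5` file, recompute the digest of the downloaded bytes, and compare. The file name, the file contents and the `.md5` text are constructed in memory; the `<hex digest>  <filename>` line format is the one `md5sum` writes and is assumed to be what the `.md5` file contains. The last function shows the limitation Markus points out: anyone who can replace both the file and its `.md5` on a mirror can produce a matching pair, so the digest proves integrity of the transfer, not who published the file; that is what the `.asc` signature and the KEYS file are for.

```python
"""Verify a downloaded file against a published .md5 file (added example)."""
import hashlib
import hmac

HEX = set("0123456789abcdef")


def parse_md5_file(text: str) -> dict[str, str]:
    """Parse md5sum-style lines: '<32 hex chars>  <filename>'.

    md5sum writes two spaces, or ' *' for binary mode; both are accepted.
    Returns {filename: lowercase hex digest}. Malformed digests raise.
    """
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"malformed digest in line: {line!r}")
        entries[name] = digest
    return entries


def md5_hex(data: bytes) -> str:
    # No key or password is involved: the digest is a function of the bytes alone.
    return hashlib.md5(data).hexdigest()


def md5_hex_stream(fileobj, chunk_size: int = 1 << 20) -> str:
    """Same digest, computed in chunks so a large archive is not read at once."""
    h = hashlib.md5()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(name: str, data: bytes, md5_text: str) -> bool:
    """True only if the .md5 file lists `name` and its digest matches `data`."""
    expected = parse_md5_file(md5_text).get(name)
    if expected is None:
        return False
    # compare_digest avoids leaking which hex characters matched via timing.
    return hmac.compare_digest(md5_hex(data), expected)


# --- constructed sample input (placeholder names and bytes, not a real release) ---
NAME = "example-project-X.Y.Z-bin.tar.gz"
ORIGINAL = b"constructed placeholder contents of the release archive\n"
TAMPERED = ORIGINAL + b"\x00"            # one extra byte is enough to change the digest
MD5_FILE = f"{md5_hex(ORIGINAL)}  {NAME}\n"  # what apache.org would publish alongside it


def mirror_controls_both(name: str, data: bytes) -> bool:
    """Model of the case Adam worries about: a mirror that serves a changed file
    together with a freshly computed .md5 for it. The check passes, which is why
    the digest alone says nothing about who published the file."""
    forged_md5 = f"{md5_hex(data)}  {name}\n"
    return verify_download(name, data, forged_md5)


if __name__ == "__main__":
    print("original matches .md5:", verify_download(NAME, ORIGINAL, MD5_FILE))   # True
    print("tampered matches .md5:", verify_download(NAME, TAMPERED, MD5_FILE))   # False
    print("mirror replaced both: ", mirror_controls_both(NAME, TAMPERED))        # True
```

In practice the `.md5` file should be fetched from apache.org itself rather than from the mirror that served the archive, and the `.asc` signature checked against the project's KEYS file is the step that actually ties the bytes to the publisher.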
