The program md5sumis designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. MD5 hashes used properly can confirm both file integrity and authenticity.
In terms of integrity, an MD5 hash comparison detects changes in files that would cause errors. The possibility of changes (errors) is proportional to the size of the file; the possibility of errors increase as the file becomes larger. It is a very good idea to run an MD5 hash comparison check when you have a file like security software that has to be 100% correct.
In terms of security, cryptographic hashes such as MD5 allow for authentication of data obtained from insecure mirrors. The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust. See the MD5SUMS file for the release you're using under Red Bird SFX - download.
While security flaws in the MD5 algorithm have been uncovered, MD5 hashes are still useful when you trust the organization that produces them. Moving to more secure hashes like SHA-256 and Whirlpool is under discussion.
MD5SUM on Linux
Most Linux distributions come with the md5sum utility so installation is usually unnecessary. We are going to use the Red Hat for the following example:
First go to the correct directory to check a downloaded sh file:
Then run the following command from within the download directory.
- md5sum redbirdsfx_unix_2_5_0_5.sh
The md5sum should print out a single line after calculating the hash:
- 13a8c14d16ab79731fb8a41828712048 redbirdsfx_unix_2_5_0_5.sh
Compare the hash (the alphanumeric string on left) that your machine calculated with the corresponding hash on the Red Bird SFX download page. When both hashes match exactly then the downloaded file is almost certainly intact. If the hashes do not match, then there was a problem with either the download or a problem with the server. You should download the file again from either the same mirror, or from a different mirror if you suspect a server error. If you continuously receive an erroneous file from a server, please be kind and notify the webmaster of that mirror so they can investigate the issue.
If you have the correct md5sum in a file in the same directory as the sh, you can then check the md5sum semi-automatically with md5sum. You will typically find the md5sum file on the download page where you obtained your sh. Red Bird SFX distributes the md5sums in a file "MD5SUMS" on this file is on the download page. md5sum -c MD5SUMS
MD5SUM on Mac OS X
There are three methods of using md5sum on an OS X machine.
Method 1 - The easiest (if MD5 is available) is using the Disk Utility program (Applications > Utilities, or by choosing "Utilities" from the Finder's "Go" menu). Open Disk Utility and wait for it to gather information about your disks. Go to the directory where you downloaded the Red Bird SFX disk image, and drag it to Disk Utility's dock icon (displays on the left-hand side of Disk Utility, underneath your physical drives). Select the dmg file. Go to the "Images" menu and select Checksum > MD5. Be sure to choose "MD5" and NOT "MD5 image checksum" or "CRC-32 image checksum", as they are not the same and will give you different results.
Method 2 - If MD5 is not available in the Images > Checksum menu, open a terminal window (Applications > Utilities > Terminal.app). Type "md5", type a space, drag the dmg file into the terminal window (appends command with dmg file path), and press Enter. The command line returns the hash number.
Method 3 - You can use the Terminal.app and follow the instructions for MD5SUM on Linux, except use the command "md5" instead of "md5sum".
Each method returns a hash number. Compare the hash number with the corresponding hash on the Red Bird SFX download page. When both hashes match exactly, then the downloaded file is almost certainly intact.
If the hashes do not match, then there was a problem with either the download or a problem with the server. You should download the file again from either the same mirror, or from a different mirror if you suspect a server error. If you continuously receive an erroneous file from a server, please notify the webmaster of that mirror so they can investigate the issue.
digest(1) on Solaris
Use the Solaris digest(1) command, specifying the md5 algorithm with the -a flag. For instance:
- $ digest -a md5 redbirdsfx_unix_2_5_0_5.sh
MD5SUM on Windows
Windows does not come with md5sum. You must download one from another location, preferably one that you trust. There are command line utilities (md5sum.exe) that work similarly to the Unix utility; one public domain version with source is available from Fourmilab, but the version available from Cygwin is probably easier to install and update, and Cygwin is also recommended and trusted as the source for many more Unixy utilities. Once installed, Cygwin's md5sum behaves exactly as described in MD5SUM on Linux above.
There are also graphical tools such as the one used in the walk-through provided below.
- Download and install winMD5Sum, a free and open source hash verification program.
- Right-click the exe file.
- Click Send To, then winMD5Sum.
- Wait for winMD5Sum to load and finish the checksum (this may take a significant amount of time depending on your computer's performance).
- Copy the corresponding hash from Red Bird SFX download page into the bottom text box.
- Click "Compare"
- A message box will say "MD5 Check Sums are the same" if the hashes are equal.