Check downloaded file integrity

Question

I am working a lot with vagrant boxes and virtual machines and software outside of the OS repositories.

Scenario:

http://apache.mirror.digionline.de/hadoop/common/stable/

I downloaded the file hadoop-2.7.3.tar.gz. To check its integrity I need to validate against hadoop-2.7.3.tar.gz.mds. As both files are downloaded via unsecure transport, and the domain is not available via TLS - how does this even work, when the binary and the signatures could be faked?

See if you can find a download mirror that lets you verify the checksum after download. — Limit, Dec 15 '16 at 16:37
A hash is not a signature because nobody signed something. To check a signature you would also need to trust the signer. And when you have a proper signature and the signers certificate TLS does not matter at all. As for the rest of the argumentation see How can I check the integrity of the downloaded files?, What security purpose do hashes of files serve? and lots of others -- marked as duplicate. — Steffen Ullrich, Dec 15 '16 at 16:55
@SteffenUllrich thanks for your comment, that makes sense. I would need the issuers certificate and then it does not matter how the signature itself is transfered, because all of the three (file, signature, certificate) have to match to be valid. — Daniel W., Dec 16 '16 at 08:59

Check downloaded file integrity

0 Answers0