--- pgp/contrib/md5sum/readme 2018/04/24 16:43:18 1.1.1.3 +++ pgp/contrib/md5sum/readme 2018/04/24 16:45:03 1.1.1.5 
@@ -1,63 +1,82 @@ -This utility computes MD5 checksums of files, ignoring end-of-line -conventions unless the -b (binary) flag is set. The file "pgp261.md5" -contains the signatures of all the files in the source. If you are in -the source directory and run "md5sum -c ../contrib/md5sum/pgp261.md5", -you will get an error message if any files fail to match. If all -files match, nothing will be printed. - -You need to borrow some files from the PGP sources to compile this -utility (md5.c, md5.h, and possibly the getopt implementation); -see the md5sum.c file for details. - -The file pgp261.md5 is signed by jis@mit.edu, so you can be -reasonably sure it's correct. It would be possible for a hard-working -miscreant to fiddle with the distribution so all of this mutual checking -would not show any errors, but it's not going to happen accidentally. -And if you have a previous version of PGP that you trust, it's not going -to happen at all. - -The only other thing that's needed is a detached PGP signature of the -files md5sum.c, md5.c and md5.h, and anyone with a previous trusted -version of PGP can be sure that no tampering has occurred anywhere, and -that's here: - -md5sum.c: ------BEGIN PGP MESSAGE----- -Version: 2.6.1 - -iQCVAwUBLmkvh8UtR20Nv5BtAQGt6AP/S41H9gw7rfifG7W6ZlMviV4VVeov1C54 -wkS/rjG3+tCm2Gcixfcx7iPb6wIbg5IqWtjbuPd2xvpyLn8MrN3E4Llak7tOBVg7 -insTxrqzjmSNCxVPe3X5+QqnOY7TlI6qIjhZ74Wb9gKiQxKn3f5yjKzJKvpv20a1 -ngI7v5BADKQ= -=Qi79 ------END PGP MESSAGE----- -md5.c: ------BEGIN PGP MESSAGE----- -Version: 2.6.1 - -iQCVAwUBLmkvv8UtR20Nv5BtAQE/jgQAooUL4iKAeg5alJKGvbFqmFlFz0dakkne -HnX2dDihBHiapkZ/a2dMCMNbDuxWcUdS5/I4RQfhaLPis9WTeQr2d707c4x5+B4a -QPSEAA3fZ0GwX+q8JkZ4XSD3NZbcGJRdudtnp8sYnVY3n7PkzUm6xK7ZcxFxmKTf -lTh4Hf3EAaU= -=mxp3 ------END PGP MESSAGE----- -md5.h: ------BEGIN PGP MESSAGE----- -Version: 2.6.1 - -iQCVAwUBLmkvz8UtR20Nv5BtAQHvaAQAq0SZeeArKo5rcRSv25tqa5zFLRDtbZgc -dI8JD0st/Dfj8hZf9KWOBiPQbCD5K4U8SWTAJE4qfNkJGM6gf9hXixuZ/DaEzqQr 
-ruXxx0/0/pbx48oVKy08kNL2W3/cguJXQjkK0VbqlYUjgy5zApwbkRgjXw3R1mkF -46A7P51mRLg= -=DGCy ------END PGP MESSAGE----- - -These signatures were generated by Jeffrey I. Schiller . -Jeff's key is supplied in the keys.asc file in the PGP distribution -and is signed by various PGP developers including Phil Zimmermann, so -you know that we are who we say we are, and if there are any trojan -horses in the source, you know who put them there. Isn't security -fun?) --- - -Colin - Revised by Jeffrey I. Schiller +Instructions for the MD5SUM Utility +----------------------------------- + +This utility computes MD5 checksums of files, ignoring end-of-line +conventions unless the -b (binary) flag is set. + +This utility can be used to check the integrity of any files. For +this discussion, we'll be checking the files in the PGP source code +release. For PGP version 2.6.3i, the file containing all the MD5 +message digests is called "pgp263i.md5", but for other versions of PGP, +the filename will change to reflect the new version number. + +The file "pgp263i.md5" contains the signatures of all the files in the +source. If you are in the PGP base directory and run + + md5sum -c contrib/md5sum/pgp263i.md5 + +you will get an error message if any files fail to match. If all +files match, nothing will be printed. + +You need to borrow some files from the PGP sources to compile this +utility (md5.c, md5.h, and possibly the getopt implementation); +see the md5sum.c file for details. On some platforms, you may have +to compile md5.c with the -DHIGHFIRST flag, or the MD5 sums will be +wrong. Two makefiles, one for Unix and one for Amiga, are included. +These should be a good starting point for tailoring makefiles on +other systems. + +The file pgp263i.md5 is signed by stale@hypnotech.com, so you can be +reasonably sure it's correct. 
It would be possible for a hard-working +miscreant to fiddle with the distribution so all of this mutual checking +would not show any errors, but it's not going to happen accidentally. +And if you have a previous version of PGP that you trust, it's not going +to happen at all. + +The only other thing that's needed is a detached PGP signature of the +files md5sum.c, md5.c and md5.h, and anyone with a previous trusted +version of PGP can be sure that no tampering has occurred anywhere, and +that's here: + +md5sum.c: +-----BEGIN PGP MESSAGE----- +Version: 2.6.3i + +iQCVAgUAMPZzGrCfd7bM70R9AQH7PQQAiyd/myRHDk8IrzpB/4sVO3Slj8tZc3dE +5Swfe3GkBpTyTvZYbqxwq1HQu5mAJbJsMbZD2s8D3BWKYAJZfrkNmutVKE6n9UVu +eS2DXBPSalCZmQcv0UcHzbca9mExhgi4HGwy81kvUOAI6YWB22bYsk4DgciCRUx6 +6wcNUMPqN+Q= +=HUeq +-----END PGP MESSAGE----- + +md5.c: +-----BEGIN PGP MESSAGE----- +Version: 2.6.3i + +iQCVAgUAMPZzOrCfd7bM70R9AQHYQgP/aPMSp1knVNWkw/D3AW+WtE/qJ88M7FYN ++v9DZjwdNpCMETUFHBRqzL2gx+A9OXlCnIVf38fDlyHIdiJz1pOtYhataV9XtVp9 +iS+ayzB3Yv7dUrPhynXsKGjtD9YjQ0wgvuuFKqchq1B6Cn3yYkN4pwGhRvAXO8x1 +Vz/OU+Ywd4M= +=bzeZ +-----END PGP MESSAGE----- + +md5.h: +-----BEGIN PGP MESSAGE----- +Version: 2.6.3i + +iQCVAgUAMPZzS7Cfd7bM70R9AQH6EgQAqIlxNGYAq3Ynx8DdCeq32/2qZQoDdVHl +BwEQIv05clQsI01VnVsh4cNig3cTV+wg99UklOhzgiATQc3vFumgFkEJkF7bII1S +LZTNdBm561/029KIBv9dzMdArarNqAQQ6iJnaepVyNzC73xTyFCtEcTz4UFg+WV3 +nbw9gIGnx70= +=1cCa +-----END PGP MESSAGE----- + +These signatures were generated by stale@hypnotech.com. His key is +supplied in the keys.asc file in the PGP distribution and is signed +by various PGP developers, so you know that we are who we say we are, +and if there are any trojan horses in the source, you know who put +them there. Isn't security fun?) +-- + -Colin + Revised by Jeffrey I. Schiller + Revised by Stale Schumacher
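Review bot: In the added paragraph that begins 'The file "pgp263i.md5" contains the signatures of all the files in the source', "signatures" should read "MD5 digests". The paragraph just above it already calls the contents "MD5 message digests", and the only signature involved is the one on pgp263i.md5 itself, so mixing the two terms blurs the trust argument that follows. The text also gives the `md5sum -c contrib/md5sum/pgp263i.md5` command but no step for checking the signature on pgp263i.md5, or the three detached signatures, before relying on the digest list; stating that order explicitly would close the gap. The new -DHIGHFIRST sentence says "on some platforms" without naming them or saying how a reader would notice wrong sums; a pointer to where md5sum.c or md5.c explains this would make it actionable. The closing paragraph drops "including Phil Zimmermann" from the list of key signers, leaving "various PGP developers" with no named signer a reader could check against keys.asc. Minor: "Isn't security fun?)" still carries an unmatched closing parenthesis.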