It’s been two weeks since the publication of an article on ZDNet on illegal files found on the php.net server. The author wrote in the article:
PHP, utilized by millions of Web sites around the Web, has a not-so-hidden secret on their Web site: a directory full of pirated content, config files containing user name and password information, and more.
While the ZDNet article contains some factual errors (the “pirated content” was located only on the id.php.net server, which is simply a 3rd party mirror hosted by http://www.pesat.net.id/), the screenshot below demonstrates one major problem…
… If someone (even a sysadmin) can download pirated and potentially malicious files onto a trusted web server, someone else can just as easily replace the legitimate content (e.g. PHP binaries or documentation) with tainted data.
With this in mind, and in the light of the recent compromise of a kernel.org server (which hosts the Linux kernel and Android source code), a new question arises: how do you verify that the file you downloaded is the original, unmodified file you wanted?
Use MD5 hashes
Websites often provide pre-computed MD5 checksums for their files, so that a user can compare the checksum of the downloaded file against the published value.
An example of generating an MD5 hash of a file called “test.txt” follows, using the BSD/macOS md5 tool (on Linux the equivalent command is md5sum), where $ is the shell’s command prompt:
$ md5 test.txt
MD5 (test.txt) = 123b04fbbf832a6914e159baff78d2ec
The OpenOffice.org website provides some instructions on how you can verify MD5 hashes on a variety of platforms.
However, now that MD5 collisions are cheap to generate, an attacker can craft two different files with the same MD5 checksum, so this technique cannot protect against some forms of malicious tampering. There is a second, more basic caveat: a checksum published on the same server as the download is only as trustworthy as that server. In the scenario above, whoever replaces the file simply replaces the checksum next to it as well. A checksum detects accidental corruption in transit; on its own it does not defend against a capable adversary.
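As an added example, not code from the original article: a small POSIX shell script that computes the MD5 of a downloaded file (using whichever of md5sum, md5 or openssl the system has) and compares it against a published checksum, either a single value or a checksum list in the two-column "<md5>  <filename>" format that md5sum -c reads and many mirrors publish. The file names in the usage comment are invented.

```shell
#!/bin/sh
# Added example: verify a download against a published MD5 checksum.
# Not from the original article; the file names in the usage lines are made up.
#
# Usage (assuming this is saved as verify-md5.sh):
#   sh verify-md5.sh 123b04fbbf832a6914e159baff78d2ec test.txt
#   sh verify-md5.sh --list release.tar.gz.md5

# file_md5 FILE: print the MD5 hex digest using whichever tool is available
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'          # GNU coreutils
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                                # BSD / macOS
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# verify_md5 EXPECTED FILE: return 0 if FILE hashes to EXPECTED, 1 otherwise.
# The comparison is case-insensitive because sites publish either case.
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(file_md5 "$2" 2>/dev/null | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$expected" = "$actual" ]; then
        echo "OK:   $2  $actual"
        return 0
    fi
    echo "FAIL: $2  expected $expected, got ${actual:-<unreadable>}" >&2
    return 1
}

# check_md5_list LISTFILE: verify every "<md5>  <filename>" line. Blank lines
# and '#' comments are skipped; md5sum's binary-mode '*' marker is tolerated.
# Returns 1 if any entry fails, so one bad file in a batch is never masked
# by the good ones.
check_md5_list() {
    status=0
    while read -r sum name || [ -n "$sum" ]; do
        case "$sum" in ''|\#*) continue ;; esac
        verify_md5 "$sum" "${name#\*}" || status=1
    done < "$1"
    return $status
}

# Command-line entry point; does nothing when the file is sourced for its functions.
if [ "${1:-}" = "--list" ] && [ -n "${2:-}" ]; then
    check_md5_list "$2"
elif [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

Note that the script takes the expected value as an argument on purpose: if you feed it a checksum fetched from the same mirror as the file, it only tells you the download was not corrupted, not that it is the file the project published.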
Use PGP signatures
Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer, and is verified using the corresponding public key. The check is only as good as the key you verify against: a public key fetched from the same compromised server as the download proves nothing, so obtain the signer's key (or at least its fingerprint) through an independent channel and confirm that the key which produced the signature has that fingerprint, rather than stopping at “Good signature”.
The Apache website provides some examples on how you can verify PGP signatures.
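As an added example, not code from the original article or from the Apache documentation it points to: a POSIX shell script that verifies a detached PGP signature with GnuPG and pins the signer's fingerprint from gpg's machine-readable status output, so that a valid signature made by the wrong key is rejected. It assumes GnuPG 2.1 or later. The signer identity, file names and keyring location are invented, and the throwaway-key helpers exist only so the check can be exercised without a real release key.

```shell
#!/bin/sh
# Added example: verify a detached PGP signature with GnuPG (2.1+) and pin the
# signer's fingerprint. Not from the original article or the Apache docs; the
# signer identity, file names and keyring paths below are invented.
#
# Usage (file names are placeholders):
#   sh verify-pgp.sh <expected-fingerprint> release.tar.gz.asc release.tar.gz

# verify_pgp EXPECTED_FPR SIGFILE DATAFILE
# Succeeds only if gpg reports VALIDSIG *and* the primary-key fingerprint on
# that status line equals EXPECTED_FPR. A "Good signature" alone is not enough:
# anyone can create a key carrying the project's name and sign with it.
verify_pgp() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd 1 puts the machine-readable lines on stdout; human-readable
    # text goes to stderr. Non-zero exit: bad signature or unknown key.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || {
        echo "FAIL: $3: bad signature, or signing key not in the keyring" >&2
        return 1
    }
    # Status line format:
    # [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expiry> ... <primary-key-fpr>
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    if [ -n "$fpr" ] && [ "$fpr" = "$expected" ]; then
        echo "OK:   $3 signed by $fpr"
        return 0
    fi
    echo "FAIL: $3 signed by '${fpr:-?}', expected $expected" >&2
    return 1
}

# --- helpers used only to exercise the check without a real release key ---

# new_demo_keyring DIR: isolated keyring in DIR holding a throwaway Ed25519
# signing key with no passphrase. Exports GNUPGHOME for the rest of the session.
new_demo_keyring() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    export GNUPGHOME="$1"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <signer@example.invalid>' ed25519 sign never
}

# key_fingerprint USERID: primary fingerprint of a key in the current keyring
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_detached FPR FILE: write FILE.asc, an ASCII-armored detached signature
sign_detached() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Command-line entry point; does nothing when the file is sourced for its functions.
if [ "$#" -eq 3 ]; then
    verify_pgp "$1" "$2" "$3"
fi
```

The expected fingerprint must come from somewhere other than the download mirror: a project's KEYS file retrieved over a separate channel, a fingerprint printed in a release announcement signed by a key you already trust, or one exchanged in person. Three outcomes are distinguished: a bad or unknown signature (gpg exits non-zero), a good signature from a key with the wrong fingerprint (rejected by the comparison), and a good signature from the pinned key (accepted).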
Remember: always consider the possibility that someone has arranged for your download to be compromised, so that you receive a modified or different file which, when executed, can be used to break into your host.