Return to the main mkusb/plug page


The simple check is to run

md5sum mkusb-plug-plus-tools.tar.gz

in the directory where you downloaded the tarball ../mkusb-plug-plus-tools.tar.gz.

and compare the result with the corresponding line in the checksum file ../mkusb-plug-plus-tools.tar.gz.md5.asc

Higher level of security

You may want a higher level of security. The checksum file is signed with gpg and you can verify it according to the following commands.

gpg --keyserver --recv-keys EB0FC2C8
gpg --verify mkusb-plug-plus-tools.tar.gz.md5.asc

The warning "This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner." means that there is no chain of trusted keys between your computer's keyring and the key, that was used to sign the checksums (the key of sudodus). Check that the result matches with the following output, when you verify it,

lubuntu@lubuntu:~$ gpg --keyserver --recv-keys EB0FC2C8
gpg: keybox '/home/lubuntu/.gnupg/pubring.kbx' created
gpg: /home/lubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key BD43C742EB0FC2C8: public key "Nio Sudden Wiklund (sudodus) <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

lubuntu@lubuntu:~$ cd Downloads/

lubuntu@lubuntu:~/Downloads$ gpg --verify mkusb-plug-plus-tools.tar.gz.md5.asc 
gpg: Signature made Fri Feb 14 18:44:48 2020 UTC
gpg:                using RSA key 0303EA77E34C52F2295847C6BD43C742EB0FC2C8
gpg:                issuer ""
gpg: Good signature from "Nio Sudden Wiklund (sudodus) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0303 EA77 E34C 52F2 2958  47C6 BD43 C742 EB0F C2C8

Then there is reason to trust that nobody else has written the checksums. The date of the signature will change at updates, and the text might be translated to your local language, but it should be clear that it is a 'Good signature from "Nio Sudden Wiklund (sudodus)"'.

Convenient way to check the md5sum

If you have the tarball and the md5sum file in the same directory, you can use the md5sum program to check it like this,

$ md5sum -c mkusb-plug-plus-tools.tar.gz.md5.asc
mkusb-plug-plus-tools.tar.gz: OK
md5sum: WARNING: 14 lines are improperly formatted

The 'improperly formatted lines' are the lines belonging to the gpg signature.

Return to the main mkusb/plug page

mkusb/plug/md5sum (last edited 2020-02-14 20:42:49 by nio-wiklund)