Do you verify digital signatures for downloaded files before opening them?

Discussion in 'polls' started by herbalist, Sep 22, 2007.

Do you check the digital signature for downloaded files?

  1. Always. If a hash is available, I check it.

    12 vote(s)
    14.8%
  2. Usually. I check the hash for sites I don't know well.

    4 vote(s)
    4.9%
  3. Occasionally.

    7 vote(s)
    8.6%
  4. Rarely. Only when I have a reason to be suspicious.

    23 vote(s)
    28.4%
  5. Never. Hash? What's a hash?

    35 vote(s)
    43.2%
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I'm very surprised by the poll results as well!

    It just takes a couple of secs to check and the poll only covers the files which have a hash posted so ...

    Anyhow, if you don't like installing stuff, I use a standalone tool called WinMD5.exe, I forget where I got it.

    It's certainly no guarantee of security, but if the site has a hash, why not check it :)
     
  2. Saint Satin Stain

    Saint Satin Stain Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    222
    Location:
    Huntsville, AL and Greenwich Village, NYC
    I always check. It is easy with PGP and FileAlyzer.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I know it's been a long time since the last comment, but I found this thread in a Google search while researching MD5, SHA-1, etc.

    I have a question:

    You download X file/program/etc from the Internet. The MD5 and SHA-1 are provided. When you finish downloading you check against those provided by the site where you downloaded your files. They're a match.

    Are you feeling safe? Are you feeling confident that those files haven't been tampered with? How can you be 100%? How can you tell that file hasn't been tampered with?

    http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the hashes match, the file hasn't been compromised. Even a very small change will completely change an MD5 or SHA-1 hash. Try it with a text document sometime. Just move, remove or add a period or space somewhere in the document and watch how much that hash changes. The one exception would be if an attacker also hacked the site and altered the posted hash to match the compromised file. If the site is at all security conscious, they should notice that change. Assuming the hashes match and the site hasn't been hacked, it then becomes a question of whether you trust the vendor to release a clean application to begin with.

    Verifying hashes isn't just for security reasons. It's also possible for a file to get corrupted during the download. It's just as much for saving the individual the hassle of trying to install a corrupted application. Imagine the hassle and wasted time if that download is an entire OS. That's one reason most Linux OS downloads have the hash posted. There's no way to take all of the risk out of installing or updating a system or application. Compromised and/or corrupted files are only part of the risk. There's always the possibility that a new or updated application will conflict with something else on your system. The best thing you can do is make a system backup before installing or updating anything. If anything goes wrong, it's easy to get back to where you started from.
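
The experiment described in the post above (remove one period and watch the hash change), together with a check of a file against a posted MD5 or SHA-1 value, as an added example that is not part of the thread. The sample text and file names are constructed, and `file_digest`, `matches_posted_hash` and `differing_bits` are hypothetical helper names.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha1", chunk_size=65536):
    """Hash a file in chunks so a large download (an OS image, say) never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_posted_hash(path, posted_hex, algorithm="sha1"):
    """Compare a file with the hash copied from the site, ignoring case and stray whitespace."""
    posted = "".join(posted_hex.split()).lower()
    return hmac.compare_digest(file_digest(path, algorithm), posted)


def differing_bits(hex_a, hex_b):
    """Count the bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    original = b"Release notes. Install with care.\n"  # constructed sample "download"
    altered = b"Release notes. Install with care\n"    # same text, one period removed
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.txt"), os.path.join(d, "bad.txt")
        for path, data in ((good, original), (bad, altered)):
            with open(path, "wb") as f:
                f.write(data)
        for alg in ("md5", "sha1"):
            posted = hashlib.new(alg, original).hexdigest()  # stands in for the site's posted hash
            results[alg] = (
                matches_posted_hash(good, " " + posted.upper() + "\n", alg),
                matches_posted_hash(bad, posted, alg),
                differing_bits(posted, file_digest(bad, alg)),
            )
    return results


if __name__ == "__main__":
    for alg, (good_ok, bad_ok, bits) in demo().items():
        print(f"{alg}: intact file matches={good_ok}, altered file matches={bad_ok}, bits changed={bits}")
```
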
     
  5. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Never LOL
    :D
     
  6. guest

    guest Guest

    Very rarely, the last time was when Win7 RTM .iso leaked.
     
  7. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    I download from trusted sources. :cool:
    So NEVER ;)
     
  8. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Well, I do check hashes from sites that are not trusted or well known :)
     