Checksum

About

Files get corrupted and malicious actors tamper with files. There are many things that can go wrong when transferring files between two parties. Checksums and signatures are provided to help protect against these kinds of problems.

SHA2

The checksum algorithm known as SHA2 is used as a quick and simple integrity check on files. It also functions as a poor man's authentication, but it offers no real assurance that the checksum itself is valid. The GPG checksums are a more appropriate choice for authentication.

There are several variations of this algorithm.

  1. SHA512: A 512-byte version of SHA2 that results in the largest, strongest, and slowest checksums.
  2. SHA384: A 384-byte version of SHA2.
  3. SHA256: A 256-byte version of SHA2.
  4. SHA224: A 224-byte version of SHA2 that results in the smallest, weakest, and fastest checksums.
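
An added example (not code from this site) of the integrity check described above: it picks the SHA2 variant from the length of the published hex digest and compares it with the downloaded file. The file name and contents are constructed samples, and the checksum line layout is assumed to be the one sha256sum-style tools write.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> SHA2 variant (the four variants listed above).
SHA2_BY_HEX_LEN = {56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}


def parse_checksum_line(line):
    """Parse '<hex digest>  <file name>', the layout sha256sum-style tools write."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) not in SHA2_BY_HEX_LEN or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a SHA2 hex digest: %r" % digest)
    return SHA2_BY_HEX_LEN[len(digest)], digest, name.lstrip(" *")


def file_digest(path, algorithm):
    """Hash in chunks so a large download is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, checksum_line):
    """Return True when the file matches the published checksum line."""
    algorithm, expected, _name = parse_checksum_line(checksum_line)
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Constructed sample: a file, its published checksum, then a changed file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-1.0.tar.gz")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed release contents\n")
        published = file_digest(path, "sha512") + "  example-1.0.tar.gz"
        intact = verify(path, published)
        with open(path, "ab") as fh:
            fh.write(b"x")  # one extra byte stands in for corruption or tampering
        changed = verify(path, published)
        # A checksum replaced together with the file still matches, which is
        # why a bare checksum is not authentication and GPG is used for that.
        replaced = verify(path, file_digest(path, "sha512") + "  example-1.0.tar.gz")
        return intact, changed, replaced
```

Calling demo() returns the three results in order: the intact file against its checksum, the changed file against the original checksum, and the changed file against a checksum recomputed from it.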

GPG / PGP

GPG is an open-source implementation, or perhaps version, of the PGP standard. It provides signatures and even encryption of files, through what are often called keys. There are several different forms of security and data integrity. Within the GPG key, checksum algorithms like SHA2 are also used.

There are public and private parts to a GPG key. The public part of a GPG key is given out publicly so that the person receiving the files can verify the integrity and authenticity of the files. These keys are even used to verify and encrypt e-mails.

The following are public keys from Kevin Day and are themselves signed and checksummed.

  1. 2024 and earlier: Kevin Day 76E903396DAD0A83 (SHA256) (GPG).
  2. 2023 and later: Kevin Day 02E939B8F7EFE597 (SHA256) (GPG).

The key identified by 76E903396DAD0A83 is authenticated via the key identified by 02E939B8F7EFE597. This key will expire near the start of 2024 and will not be used again. This followed the old, and perhaps lazy, practice of using the master key for signing everything. This also utilizes older and less trusted algorithms.

The key identified by 02E939B8F7EFE597 is authenticated via the key identified by 76E903396DAD0A83. This key was created near the start of 2023 and will be used until such time as a replacement comes about. This follows the newer practice of signing using subkeys, making the master key unavailable. This key utilizes newer algorithms.

These public keys should be downloaded and imported into your own keychain to perform integrity checking and authentication.