Files get corrupted and malicious actors tamper with files. There are many things that can go wrong when transferring files between two parties. Checksums and signatures are provided to help protect against these kinds of problems.
Checksum
SHA2
The checksum algorithm known as SHA2 is used as a quick and simple integrity check on files. It also functions as a poor man's authentication, but it offers no real assurance that the checksum itself is valid. The GPG signatures are a more appropriate choice for authentication.
There are several variations of this algorithm.
- SHA512: A 512-byte version of SHA2 that results in the largest, strongest, and slowest checksums.
- SHA384: A 384-byte version of SHA2.
- SHA256: A 256-byte version of SHA2.
- SHA224: A 224-byte version of SHA2 that results in the smallest, weakest, and fastest checksums.
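The limitation noted above, that a checksum shipped beside a file confirms integrity but not that the checksum itself is valid, shown as an added Python example (not code from this site). The file name, the file contents, and the "pinned" digest obtained through a separately trusted channel are constructed for illustration; the SHA2 variant is selected from the length of the hex digest.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> SHA2 variant, covering the variants listed above.
SHA2_BY_HEX_LEN = {56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}

def parse_checksum_line(line):
    """Parse one sha256sum-style line: '<hex digest>  <file name>'."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) not in SHA2_BY_HEX_LEN or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a SHA2 hex digest: %r" % digest)
    return digest, name.lstrip(" *")  # '*' marks binary mode

def file_digest(path, algorithm):
    """Hash in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, checksum_line, pinned_digest=None):
    """Return (integrity_ok, authentic_ok); authentic_ok is None when no
    digest from a separately trusted channel is supplied."""
    expected, _ = parse_checksum_line(checksum_line)
    actual = file_digest(path, SHA2_BY_HEX_LEN[len(expected)])
    integrity_ok = hmac.compare_digest(actual, expected)
    if pinned_digest is None:
        return integrity_ok, None
    pinned_ok = hmac.compare_digest(expected, pinned_digest.lower())
    return integrity_ok, integrity_ok and pinned_ok

def demo():
    """Constructed sample: file and checksum are both replaced in transit."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.tar.gz")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"original release contents")
        pinned = file_digest(path, "sha256")  # learned out of band
        with open(path, "wb") as f:
            f.write(b"modified contents")  # changed after publication
        line = file_digest(path, "sha256") + "  example.tar.gz"
        return verify(path, line), verify(path, line, pinned)

if __name__ == "__main__":
    print(demo())
```

The first result shows the replaced file passing the check against the replaced checksum; only the comparison against the independently obtained digest exposes the change.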
GPG / PGP
GPG is an open-source implementation, or perhaps version, of the PGP standard. It provides signatures and even encryption of files through what are often called keys. There are several different forms of security and data integrity. Within a GPG key, checksum algorithms like SHA2 are also used.
There are public and private parts to a GPG key. The public part of a GPG key is given out publicly so that the person receiving the files can verify the integrity and authenticity of the files. These keys are even used to verify and encrypt e-mails.
The following are public keys from Kevin Day and are themselves signed and checksummed.
- 2024 and earlier: Kevin Day 76E903396DAD0A83 (SHA256) (GPG).
- 2023 to 2024: Kevin Day 02E939B8F7EFE597 (SHA256) (GPG).
- 2023 to 2027: Kevin Day 02E939B8F7EFE597 (SHA256) (GPG).
- 2026 to 2031: Kevin Day 0AB667F3E07602BF (SHA256) (GPG).
The key identified by 76E903396DAD0A83 is authenticated via the key identified by 02E939B8F7EFE597. This followed the old, and perhaps lazy, practice of using the master key for signing everything. This also utilizes older and less trusted algorithms. This key expired in 2024 and will not be used again.
The key identified by 02E939B8F7EFE597 for the 2023 to 2024 year range is signed via the key identified by 76E903396DAD0A83. This key was created near the start of 2023 and will be used until such time as a replacement comes about. This follows the newer practice of signing using subkeys, making the master key unavailable. This key utilizes algorithms available as of 2024. This key expired in 2024 and will not be used again.
The key identified by 02E939B8F7EFE597 for the 2023 to 2027 year range is signed via its own key. This key is the same as the 2023 to 2024 key, except that the year is extended. This key will expire near the start of 2027 and will not be used again after that.
The key identified by 0AB667F3E07602BF for the 2026 to 2031 year range is signed via the key identified by 02E939B8F7EFE597. This key will expire near the start of 2031 and will not be used again after that.
These public keys should be downloaded and imported into your own key chain to perform integrity checking and authentication.