[321] in Release_7.7_team


md5sum

daemon@ATHENA.MIT.EDU (Matt Braun)
Mon Jun 12 19:13:01 1995

From: Matt Braun <matt@MIT.EDU>
To: rel-eng@MIT.EDU
Cc: release-team@MIT.EDU
Date: Mon, 12 Jun 1995 19:12:46 EDT


Please include the md5sum distributed with the pgp release (in contrib) in the
release.

I have fetched and untarred the src and put it in
/afs/net/user/mhbraun/Network/pgp.  It is somewhat fascist right now, so if
you want access and don't have it, give a yell.

(Craig you have access)

Included is the readme file


				Matt

Instructions for the MD5SUM Utility
-----------------------------------

This utility computes MD5 checksums of files, ignoring end-of-line
conventions unless the -b (binary) flag is set.  

This utility can be used to check the integrity of any files.  For
this discussion, we'll be checking the files in the PGP source code
release.  For PGP version 2.6.2, the file containing all the MD5
message digests is called "pgp262.md5", but for other versions of PGP,
the filename will change to reflect the new version number.  

The file "pgp262.md5" contains the signatures of all the files in the
source.  If you are in the source directory and run 

   md5sum -c ../contrib/md5sum/pgp262.md5

you will get an error message if any files fail to match.  If all
files match, nothing will be printed.

You need to borrow some files from the PGP sources to compile this
utility (md5.c, md5.h, and possibly the getopt implementation);
see the md5sum.c file for details.  On some platforms, you may have
to compile md5.c with the -DHIGHFIRST flag, or the MD5 sums will be 
wrong.

The file pgp262.md5 is signed by jis@mit.edu, so you can be
reasonably sure it's correct.  It would be possible for a hard-working
miscreant to fiddle with the distribution so all of this mutual checking
would not show any errors, but it's not going to happen accidentally.
And if you have a previous version of PGP that you trust, it's not going
to happen at all.

The only other thing that's needed is a detached PGP signature of the
files md5sum.c, md5.c and md5.h, and anyone with a previous trusted
version of PGP can be sure that no tampering has occurred anywhere, and
that's here:


These signatures were generated by Jeffrey I. Schiller <jis@mit.edu>.
Jeff's key is supplied in the keys.asc file in the PGP distribution
and is signed by various PGP developers including Phil Zimmermann, so
you know that we are who we say we are, and if there are any trojan
horses in the source, you know who put them there.  (Isn't security
fun?)
--
	-Colin <colin@nyx.cs.du.edu>
	Revised by Jeffrey I. Schiller <jis@mit.edu>
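
The text-mode versus -b behaviour and the silent-on-success check described in the README above, as an added Python example (not part of the original message or of the PGP distribution). The manifest line layout (32 hex digits, a space, then a space for text or `*` for binary, then the file name) and the sample file contents are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path, binary=False):
    """MD5 of a file; in text mode CRLF is folded to LF before hashing."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not binary:
        data = data.replace(b"\r\n", b"\n")  # ignore end-of-line convention
    return hashlib.md5(data).hexdigest()

def check_manifest(manifest_path, root="."):
    """Return (name, reason) for each failing entry; an empty list means all match."""
    failures = []
    with open(manifest_path, encoding="ascii") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if not line.strip():
                continue
            # Assumed layout: <32 hex digits><space><' ' or '*'><file name>
            digest, mode, name = line[:32].lower(), line[33:34], line[34:]
            path = os.path.join(root, name)
            if not os.path.isfile(path):
                failures.append((name, "missing"))
            elif md5_of(path, binary=(mode == "*")) != digest:
                failures.append((name, "MD5 mismatch"))
    return failures

def demo():
    """Constructed sample: one source file checked with LF, CRLF and altered content."""
    lf = b"int main(void)\n{\n    return 0;\n}\n"
    digest = hashlib.md5(lf).hexdigest()  # digest recorded for the LF form
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "sample.c")
        manifest = os.path.join(root, "sample.md5")

        def run(mode, content):
            with open(src, "wb") as fh:
                fh.write(content)
            with open(manifest, "w", encoding="ascii") as fh:
                fh.write(f"{digest} {mode}sample.c\n")
            return check_manifest(manifest, root)

        crlf = lf.replace(b"\n", b"\r\n")
        return {"crlf_text": run(" ", crlf),      # line endings ignored: passes
                "crlf_binary": run("*", crlf),    # byte-exact comparison: fails
                "tampered_text": run(" ", lf.replace(b"return 0", b"return 1"))}

if __name__ == "__main__":
    print(demo())
```

An empty list corresponds to `md5sum -c` printing nothing. MD5 is no longer collision resistant, so a manifest written today would use SHA-256 in the same way, still relying on a signature over the manifest for authenticity.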



