I'm not entirely sure if this is an SO or SF question, but I'll give it a go here.

We're offering DMGs for download and an MD5 checksum to go with each. The question is how to instruct users on how to actually checksum and compare with the given checksum. Users aren't going to be all that tech savvy.

One idea was to produce a copy-paste bash command (a string built with the current checksum) which when executed says "yes" or "no". But that involves the user pulling up the Terminal, which isn't very friendly and means that most users don't know what they're doing. 'Black magic' isn't good for security.

Another idea would be to provide a GUI app to do the verification, but that would require initial trust, which breaks the point of offering a checksum.

So how do you boot-strap this kind of thing?
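
The copy-paste command idea from the question, written out as an added example (not code from the original post): a shell function that prints "yes" or "no" for a file and a pasted checksum. The names `file_md5` and `verify_md5` are assumptions; it uses `md5 -q` on macOS and falls back to `md5sum` where that is what is installed.

```shell
#!/bin/sh
# Added example: print "yes" if FILE's MD5 matches EXPECTED, otherwise "no".
# file_md5 and verify_md5 are hypothetical helper names.

# Print the hex MD5 of a file using whichever tool is installed.
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                        # macOS: -q prints only the digest
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d ' ' -f 1    # GNU coreutils: "digest  -"
    fi
}

verify_md5() {
    file=$1
    # Normalize what the user pasted: strip whitespace, lowercase the hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A truncated or mangled paste must never count as a match:
    # require exactly 32 hex digits before comparing anything.
    case $expected in
        ''|*[!0-9a-f]*) echo "no"; return 1 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "no"; return 1; }

    # A missing file (wrong path, unfinished download) is also a "no".
    [ -f "$file" ] || { echo "no"; return 1; }

    actual=$(file_md5 "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "yes"
    else
        echo "no"
        return 1
    fi
}

# Stand-alone use: sh verify.sh <path-to-dmg> <published-checksum>
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

A "yes" only shows that the file matches the checksum that was pasted in, so the checksum has to reach the user over a channel they already trust.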