Has anyone ever had an incidence of downloading software from a genuine site, where an MD5 or SHA series hash for the download is also supplied and then discovered that the hash calculated from the downloaded artifact doesn't match the published hash?
I understand the theory but am curious how prevalent the problem is. Many software publishers seem to discount the threat.
I had a similar problem once in a Linux distro (I believe it was Fedora, but I can't recall the details): the built-in "Verify media" application had a wrong hash embedded and it would always report the disk as faulty. However, what you describe seems rare: most likely, you have a virus scanner or some sort of software that's corrupting the download.
I have had it quite a few times, but it turned out that there was a router with faulty RAM, which was corrupting data in transit. Most of the faults were transparently handled through the TCP checksum, but some got through. In practice, I was getting one wrong bit every 30 MB or so.
I also encountered software packages with a wrong MD5 probably due to a human error on the packager side (he just forgot to rerun the MD5 after having updated the package; or it could have been his computer which had faulty memory). Last it occurred to me, it was with a binary package for NetBSD on a PowerPC architecture.
As far as I know, such random errors are orders of magnitude more frequent than real attacks from malevolent individuals. And yet they are quite rare nowadays; the Internet at large is much more reliable than 15 years ago.