I've never used the checksum when downloading various executables or zip files from the Internet. I know it is used to check for consistency and add a bit of security. But is it necessary for when you download from a respectable project like Apache or Microsoft. How many of us actually use the checksums or hashcodes to verify the contents?
FYI, please let me know if I have strayed too far from StackOverflow's acceptable content.
To be sure that the file you download is the good one file and no other modified by some others with malicious intentions. As this information in Apache says:
"Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the 'real' key. Therefore, you need to validate the authenticity of this key."
To verify you can follow the steps here.
This is so that you can check the integrity of the file. I use it all the time. You basically just run some program that will produce a MD5 checksum, or whatever hashing method is used, on the file and see if the two checksums match. If not, then the files are different. However, note, that it is possible to have two files that yield the same checksum, but the likelihood you will run into this comparing two files of the same size is pretty low, unless you are contriving the example.
This is very useful. I found a bug in a CD burning program recently; I kept having a problem with a particular file on a particular computer. I finally just compared the checksums of the file from the CD and the one on the original computer, they were different, and I was able to solve the problem!
Imho it's only useful if you have downloaded a large file and want to check if it's corrupted before re downloading it (i.e. if application is not installing correctly).
When downloading files where integrity is critical (an iso of a linux distribution for example) i tend to md5sum the download just in case.
The source may be trusted, but you never know when your own NIC's hardware may start to malfunction.
Another use is to verify that a file that you already have is the same (i.e. unaltered, uncorrupted and as current) as the file available for download from the trusted source.
This might occur if
Although you are choosing to download from a trusted source (e.g. Apache.org) your download request will likely be served by a mirror site. The trusted site in question does have the resources to serve all requests so mirrors serve a valuable function. However, the trusted site does not necessarily have full control over the mirror site and it's possible that the mirror's owner (or a third party) could replace the mirrored executable with malicious code. By verifying the trusted source's hash against the downloaded file you insure that it has not changed in transit (for whatever reason.)
It's used for both integrity reasons (particularly on ftp sites, where you may have mistakenly downloaded in ascii mode). Additionally, it can be used to verify the download has not been altered, assuming you download from location a and get checksum from location b (often download is from mirror, and hash from official site).
For integrity purposes, though, signing a file is going to be more useful than just hashing it.
I use MacPorts on Mac OS X, which is a source based package manager; each Portfile contains a description of how to download, patch, compile, and install a piece of software on Mac OS X. Included in the Portfile is the checksum of the particular version of the tarball to download. This helps ensure the integrity of the file from many possible problems; sometimes, people will update a tarball without incrementing the version number, which may cause patches to fail to apply or the code to break under certain conditions, or sometime the package may become corrupted, or an attacker may be tampering with the software in the hopes that you will install it.
So, I will have to say that yes, I use the checksums every time I install software (though my package manager does it automatically for me, I don't do it directly). And even if you are downloading manually from a respectable project, you many wish to download the code itself from a faster, closer mirror, and then verify the checksum against a copy downloaded from the more trusted master server; that helps keep it more difficult to attack as multiple servers would have to be compromised rather than just one mirror.