hash-examples

From Microformats Wiki
Revision as of 19:36, 13 February 2006 by Eron Wright (talk | contribs)
Jump to navigation Jump to search

Hash Examples

A microformat for MD5 and SHA-1 hashes.

The Problem

Checksums (MD5 & SHA-1 hashes) are offered for files to prove they haven't been tampered with and to uniquely identify them. They are very useful, but they are not used as much as they could be. The current method involves a manual process of hashing the downloaded file (with programs that are not installed by default on all operating systems) and then comparing the value to the one listed. An easy and automatic way to use them would be preferrable to present methods.

Participants

  • Ant Bryan

Real-World Examples

Currently, MD5 and SHA-1 checksums are either listed on a webpage or email (see Example #1) or stored in a separate file such as (filename.ext.md5 or filename.ext.sha1) (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see OpenOffice.org: Using MD5 sums). MD5 checksums are 32 digit hexadecimal numbers, while SHA-1 checksums are 40, and SHA-256 checksums are 64.

Who offers MD5/SHA-1 checksums with software

This is only a small sampling.

Example #1: OpenOffice.org MD5 sums

English Application Binaries

e0d123e5f316bef78bfdf5a008837577  OOo_2.0.1_LinuxIntel_install.tar.gz
35d91262b3c3ec8841b54169588c97f7  OOo_2.0.1_LinuxIntel_install_wJRE.tar.gz
cc273fe9d442850fa18c31c88c823e07  OOo_2.0.1_SolarisSparc_install.tar.gz
ff6626c69507a6f511cc398998905670  OOo_2.0.1_SolarisSparc_install_wJRE.tar.gz
ce099d7e208dc921e259b48aadef36c1  OOo_2.0.1_Solarisx86_install.tar.gz
4fb319211b2e85cace04e8936100f024  OOo_2.0.1_Solarisx86_install_wJRE.tar.gz
66bd00e43ff8b932c14140472c4b8cc6  OOo_2.0.1_Win32Intel_install.exe
2d86c4246f3c0eb516628bf324d6b9a3  OOo_2.0.1_Win32Intel_install_wJRE.exe

Example #2: Knoppix MD5 and SHA-1 sums in separate files

KNOPPIX_V4.0.2CD-2005-09-23-EN.iso.md5:

1188f67d48c9f11afb8572977ef74c5e *KNOPPIX_V4.0.2CD-2005-09-23-EN.iso

KNOPPIX_V4.0.2CD-2005-09-23-EN.iso.sha1:

56857cfc709d3996f057252c16ec4656f5292802 *KNOPPIX_V4.0.2CD-2005-09-23-EN.iso

Note: This directory also contains filename.ext.md5.asc and filename.ext.sha1.asc files containing the same checksums and PGP signatures in one file.

Existing Practices

As described above, I believe almost all solutions are manual (see OpenOffice.org: Using MD5 sums), an 8 step process on Windows and 3 steps on Linux. Link Fingerprints which are used by MD Hash Tool, a Firefox extension, is one exception. Here is a Link Fingerprint example:

http://example.org/OOo_2.0.1_LinuxIntel_install.tar.gz#!md5!e0d123e5f316bef78bfdf5a008837577

A Link Fingerprint begins with a traditional URL, then #!md5!, then the MD5 hash.

Brad Fitzpatrick also suggested referring to "files/patches/changesets" by their unique digest.

Some HTTP server applications compute a hash over the response body to serve as an effective ETag. The server must still compute the body but can benefit from reduced network utilization and reduced downstream cache thrashing. Such applications must be willing to risk a hash collision, albeit scoped to a single URL.

Including a hash in a URL can lead to great cacheability, since the TTL can likely be set to an infinite value. Such URLs are often referred to as versioned URLs.

Proposal

A microformat for MD5 and SHA-1 hashes could make them more usable. MD Hash Tool, another extension, or download managers could be modified to use them automatically.

<span class="download">
         <a rel="bookmark" href="http://example.com/OOo_2.0.1_.tar.gz">Download OpenOffice.org</a>
         <span class="hash-md5">e0d123e5f316bef78bfdf5a008837577</span>
</span>