Stop using file hashes in place of digital signatures (please!)

You may have seen something like this before. You go to download your favourite program, SuperApp3000, and the download page lists hashes (usually MD5, SHA1, etc.) for each of the available files. Sometimes the page even stresses that you should verify that the file you downloaded matches the provided hash, or that you should never trust anything you download without first confirming the hashes match. This is a prime example of people confusing file hashes with digital signatures, and it needs to stop.
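To make the distinction concrete, here is a small Go example (added for this post, not code from the original page): a hash published on the same page as the file is simply recomputed by whoever replaces the file, so the hash check still passes, whereas an Ed25519 signature verified against a public key obtained out of band fails. The names `Release`, `Publish`, `Substitute` and `Demo` are my own, and the key seed is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Release is what a user fetches from the download page: the file, the SHA-256
// printed beside it, and a detached signature over the file.
type Release struct{ File []byte; Hash string; Signature []byte }

func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// Publish is the vendor's side: hash the file and sign it with the release key.
func Publish(file []byte, priv ed25519.PrivateKey) Release {
	return Release{File: file, Hash: hexSHA256(file), Signature: ed25519.Sign(priv, file)}
}

// HashMatches is the check the page asks for: recompute the hash and compare it
// with the value published on that same page.
func HashMatches(r Release) bool { return hexSHA256(r.File) == r.Hash }

// SignatureValid checks the file against a public key obtained out of band (not
// from the download page); this binds the file to the vendor's key, which a hash cannot.
func SignatureValid(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.File, r.Signature)
}

// Substitute models a compromised page or mirror: the file is replaced and the
// published hash recomputed to match; the signature stays as is, because the
// page does not hold the vendor's private key.
func Substitute(r Release, replacement []byte) Release {
	return Release{File: replacement, Hash: hexSHA256(replacement), Signature: r.Signature}
}
// Outcome holds the result of both checks for the genuine and the substituted release.
type Outcome struct{ GenuineHash, GenuineSig, SwappedHash, SwappedSig bool }

// Demo runs both checks; the key comes from a constructed fixed seed (reproducible, not a real key).
func Demo() Outcome {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, "constructed demo seed")
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	genuine := Publish([]byte("SuperApp3000 installer v1.0"), priv)
	swapped := Substitute(genuine, []byte("SuperApp3000 installer, modified"))
	return Outcome{HashMatches(genuine), SignatureValid(genuine, pub), HashMatches(swapped), SignatureValid(swapped, pub)}
}

func main() { Demo() } // stand-alone entry point; the results are returned, not printed
```

Running `Demo` shows the point of the post: the substituted release passes the hash check and fails the signature check, and only the latter is tied to a key the page cannot forge.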