Many files that are available for download (eg in github) come along with “asc” signature files attached, or with a sha256 file hash. Can someone please explain difference of PGP signatures vs file hashes?
- Is the purpose of both files (pgp/256hash) the same, to verify file authenticity/not manipulated?
When a downloaded file’s hash/pgp does not match the hash/pgp provided by the responsible developer, does it mean that only you downloaded that corrupt file? Or does it mean that everyone who downloads that file receives the corrupt file version? What I am getting at: Can the download process be pre-programmed by an attacker which download gets the corrupt and which one the correct file?
Which method is technically better suited for what situation?
- Any technical “flaws” you are aware of for either of both verification methods? Why use pgp, is file 256hash not enough to verify file integrity?