Is a SHA checksum enough to verify integrity and authenticity?

This is a broader question but here a concret example:

From https://www.apache.org/info/verification.html :

File hashes are used to check that a file has been downloaded correctly. They do not provide any guarantees as to the authenticity of the file.

I don’t understand this part: They do not provide any guarantees as to the authenticity of the file.

The checksum used is from a trusted HTTPS source (Eg: https://downloads.apache.org/tomcat/tomcat-8/v8.5.56/bin/apache-tomcat-8.5.56.zip.sha512).

How a file can not be authentic if it match a checksum from a HTTPS trusted source?

Or do I miss something and I still need to validate with a GPG key?

Is this method of 32 char hash generation secure enough for online-based attacks?

A fellow developer and I have been having a discussion about how vulnerable a few different methods of developing a hash are, and I’ve come here to see if smarter people than I (us?) can shed some light.

In PHP, I feel the below is secure ENOUGH to generate as 32 character value that could not be reasonably broken via online attack. There are some other mitigating circumstances (such as in our specific case it would also require the attacker to already have some compromised credentials), but I’d like to just look at the "attackability" of the hash.

str_shuffle(MD5(microtime())) 

The suggested more secure way of generating a 32 character hash is:

bin2hex(random_bytes(16)) 

I acknowledge the first hash generation method is not ABSOLUTELY SECURE, but for an online attack I think being able to guess the microtime (or try a low number of guesses), and know the MD5 was shuffled and/or find a vulnerability in MT which str_shuffle is based on is so low as to make it practically secure.

But I would love to hear why I’m a fool. Seriously.

EDIT — This is being used as a password reset token, and does not have an expiry (although it is cleared once used, and is only set when requested).

Is my code safe enough to be publish on the server side?

I’m new here to ask a question. Sorry if my question had miss explanation. I just wanna ask if my PHP code is secure enough. Please find below is the source code.

Get the ID for choosing the Value

/*Create a new Query for get all the ID from each of Venue Type on the Administration Database*/ $  Q_VenueType = "SELECT Biz_ID FROM Biz";  $  R_VenueType = $  connection->query($  Q_VenueType);  if ($  R_VenueType->num_rows > 0) {     //Success Condition     $  rows = array();     while ($  row = $  R_VenueType->fetch_assoc()) {         $  rows[] = $  row;     }      echo json_encode($  rows);      $  R_VenueType->close();  }else{     //Failed Condition     echo('0'); }  mysqli_close($  connection); 

Get Value with the ID as an Input

//Create Variable to get the Venue Type Value by their ID. $  VenueType_ID = htmlspecialchars($  _POST['TypeID'], ENT_QUOTES);  /*Create a new Query for get all the ID from each of Venue Type on the Administration Database*/ $  Q_VenueTypeValue = "SELECT Biz_Name FROM Biz WHERE Biz_ID = '".$  VenueType_ID."'";  $  R_VenueTypeValue = $  connection->query($  Q_VenueTypeValue);  if ($  R_VenueTypeValue->num_rows > 0) {     //Success Condition     $  rows = array();     while ($  row = $  R_VenueTypeValue->fetch_assoc()) {         $  rows[] = $  row;     }     echo json_encode($  rows);  }else{     //Failed Condition     echo('0'); }  mysqli_close($  connection); 

Please ask for further information, Thank you for the answer before.

Is a random number secure (enough) for card numbers and pins?

I’ve been given the task of generating some gift tokens which comprise a serial number and a pin number, analagous to a pre-paid credit card. The serial and pin will be printed on a card, with the pin behind a scratch panel.

My first thought is for both numbers to be randomly generated with the serial number being unique. Is this secure against guessing?

To my simple mind, adding any kind of logic would make the numbers more gussable as there’d then be something to figure out and understand, whereas random is without reason (ignoring implementation details for now), and so while being simple using pure random gives the attacker less to work with.

Is this a flawed assumption? Are there known “good” ways of doing this?

If the daughter of a night hag avoids her mother long enough can she delay becoming one too?

The daughters of other hags all seem to fully turn into them automatically once 13, except with night hags according to lore. With them it’s said that there must be 13 rituals done on their daughters or the transformation doesn’t occur.

So for campaign purposes I have to ask: does this mean that it’s possible for a daughter of a night hag to be encountered who is older than 13 and thus far been able to evade their mother and being converted? Can it be delayed with them from the usual mandatory age?

And as an aside, if it is possible and such one is encountered, would they be a regular human e.g. stats wise or would there be differences? And would spells used by a party that could detect and reveal a hag also detect them?

Can a sorcerer cast the same spell twice if enough spell slots are available?

In D&D 5e, let’s say that I have two level-1 spell slots available and want to cast Burning Hands. On one turn, I use one of the available spell slots to cast Burning Hands. On my next turn, I have one additional spell slot available. Am I allowed to use it for Burning Hands, or do I need to select a different spell to use the remaining spell slot?

I am asking this because I was told by someone more experienced that it doesn’t work that way, but I thought the rules said otherwise.