This utility computes MD5 checksums of files, ignoring end-of-line conventions unless the -b (binary) flag is set. The file "pgp23.md5" contains the signatures of all the files in the source. If you are in the source directory and run "md5sum -c pgp23.md5", you will get an error message if any files fail to match. If all files match, nothing will be printed. You need to borrow some files from the PGP sources to compile this utility (md5.c, md5.h, and possibly the getopt implementation); see the md5sum.c file for details. The file pgp23.md5 is signed by one of the developers, so you can be reasonably sure it's correct. It would be possible for a hard-working miscreant to fiddle with the distribution so all of this mutual checking would not show any errors, but it's not going to happen accidentally. And if you have a previous version of PGP that you trust, it's not going to happen at all. The only other thing that's needed is a detached PGP signature of the files md5sum.c, md5.c and md5.h, and anyone with a previous trusted version of PGP can be sure that no tampering has occurred anywhere, and that's here: md5sum.c: -----BEGIN PGP MESSAGE----- Version: 2.3 iQBgAgUBLB2GKco9of2GWqfzAQEHNwJXcWywhAoq8hBOxRnk6IDU7FoltmeInXDS kkO7qpM8yL34MChuXRn9P97FItJeWUatRPDIGSzO6Gqw+CA5jiRfI6Sj9zMBU1ef VHR2 =5EcU -----END PGP MESSAGE----- md5.c: -----BEGIN PGP MESSAGE----- Version: 2.3 iQBgAgUBLB2Ghso9of2GWqfzAQH0rQJVFoCqfOtnLe1hIKb21wIiX4VqPJbHg2B+ p5AXczVVMoO7NyYaCuFEQfGeET+GMq3yqp4jH6/mQ8fglXHkPDwpR7D8/f2Opl2g MLRg =TVF4 -----END PGP MESSAGE----- md5.h: -----BEGIN PGP MESSAGE----- Version: 2.3 iQBgAgUBLB2Gnco9of2GWqfzAQGORQJXSH/dr7rvLw2mtwZx/+8gzPjVVmTLapek 2hWo4LOu1/oBFYZN/C/ZQogr7XTk6vJiL4GqrDNWzzi+q1au3dUMO4FP/eFD/fke AB30 =+Hn6 -----END PGP MESSAGE----- (And my and Branko's keys are in the supplied key ring, signed by Philip Zimmermann, so you know that we are who we say we are, and if there are any trojan horses in the source, you know who put them there. Isn't security fun?) -- -Colin