File hashes or checksums are cryptographic strings generated from the file itself, which you can verify on your end to ensure that the file you are downloading hasn't been tampered with somewhere between us and the mirror, or between the mirror and you.
Project developers may also find it useful to use checksums to verify that the upload process went smoothly, and that the file on our servers after upload is in fact the same as the file on your computer.
In the files interface, click on the "I" information icon next to the file, and you'll see two strings labelled SHA1 and MD5.
Once you have downloaded the file, generate the MD5 checksum, or SHA1 checksum, of that file, and compare what you get to what we list on the site. If they don't match, notify us, then try downloading from a different mirror.
There are a number of sites that you can use to generate a hash. Here are some we've used before:
On Windows, we recommend a tool like md5deep to generate the hashes from the downloaded file. There are also browser plugins that will calculate the checksums on a file as you download it, so that you're less likely to forget to do it yourself.
On Mac OS X, at the terminal:
$ md5 download.tar.gz MD5 (download.tar.gz) = 84a3d6aa561b112058ad9aa08a352044 $ shasum download.tar.gz b6133cbc973faf908f83fa950574db0fa268480c download.tar.gz
On Linux, at the command line:
$ md5sum download.tar.gz 84a3d6aa561b112058ad9aa08a352044 download.tar.gz $ sha1sum download.tar.gz b6133cbc973faf908f83fa950574db0fa268480c download.tar.gz
For users, this test will only determine whether or not the file matches what is stored on our master mirror server. If the file was corrupted when the project developer uploaded the file, this will not detect that.
Again, if you discover that a checksum doesn't match, please notify us so that we can do something about it as quickly as possible.