netlib-bl@netlib.bell-labs.com

Netlib now publishes signed MD5 checksums, to provide an extra margin of security for people downloading netlib files through less trusted channels. We look forward to a time when code authors sign their programs as well.

The netlib-bl signature asserts only that the distributed files match the copy on the master disk. The netlib editors attempt to exclude junk and viruses but are not in a position to absolutely rule out the possibility, and rely on end users to study downloaded material and satisfy themselves that it meets their requirements.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
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=9rUW
-----END PGP PUBLIC KEY BLOCK-----

Ordinarily, you'll verify this key using the fingerprint published in the Netlib News column in the SIAM News.

verifying downloaded files

We plan a tool that will launch from your Web browser and have a user interface like WinZip. For now, here are the manual steps you can use to confirm correct receipt.

Step 1. Get the desired file from a netlib mirror and uncompress.
Step 2. Get the MD5 file from the same netlib directory.
Step 3. Run "pgp MD5" to verify that the checksums have not been tampered with. For this step, you must have installed the key block above on your public keyring.
Step 4. Run "md5sum", passing the file names of the downloaded material as command-line arguments.
Step 5. Compare the output with the contents of the MD5 file.
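
Steps 4 and 5 can be scripted so the comparison is not done by eye. The script below is an added example, not netlib's planned tool or code from this page. It assumes the MD5 file holds one md5sum-style "HASH  NAME" line per file with bare file names, and that the list passed in is the text that came out of the Step 3 check (the names check.sh and MD5.verified are hypothetical).

```sh
#!/bin/sh
# Added example (not netlib's tool): Steps 4 and 5 as one function.
# Assumptions, not stated on the page: the checksum list uses md5sum's
# "HASH  NAME" line layout with bare file names, and "$1" is the text that
# came out of the Step 3 signature check, never the unverified download.

# check_md5_list LIST FILE...
# Prints one verdict per FILE; returns 0 only if every FILE is readable,
# listed with a single hash value, and its recomputed MD5 equals that value.
check_md5_list() {
    list=$1; shift
    status=0
    for f in "$@"; do
        name=$(basename -- "$f")
        if [ ! -r "$f" ]; then
            echo "UNREADABLE $f"; status=1; continue
        fi
        # Exact string match on the name field (column 35 onward in md5sum
        # output). A grep on the name would treat "." as a wildcard and
        # could pick up the entry of a different file.
        want=$(NAME=$name awk '
            length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ && substr($0, 35) == ENVIRON["NAME"] {
                if (seen++ && h != tolower($1)) conflict = 1
                h = tolower($1)
            }
            END { if (conflict) print "CONFLICT"; else if (seen) print h }' "$list")
        # Hash via stdin so md5sum never escapes or echoes the file name.
        got=$(md5sum < "$f" | awk '{ print $1 }')
        if [ -z "$want" ]; then
            echo "UNLISTED   $name"; status=1    # no signed value to compare
        elif [ "$want" = CONFLICT ]; then
            echo "CONFLICT   $name"; status=1    # two different hashes listed
        elif [ "$got" = "$want" ]; then
            echo "OK         $name"
        else
            echo "MISMATCH   $name"; status=1
        fi
    done
    return $status
}

# Usage (hypothetical file names): sh check.sh MD5.verified file1 file2 ...
if [ "$#" -ge 2 ]; then
    check_md5_list "$@"
fi
```

An UNLISTED or CONFLICT verdict counts as a failure because the signature vouches only for the values in the list.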

security provisions

This PGP key is adequately secure for its purpose, signing master copies of netlib files. The public and secret key rings are stored and used on a computer to which a number of Bell Labs people potentially have root access. The point is not to guard the netlib master disk from local users, but rather to guard against malicious changes during distribution.

background

PGP is a widely and freely available method for sending material that should be confidential or signed, and is generally regarded as safe and effective when used as directed. To learn more about the subtle issues involved, see Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Wiley, 1996, ISBN 0-471-11709-9.