I use hash files (mainly SFV files) to verify that my media collections do not get corrupted over time. They also are great for verifying files after moving them from one computer/drive to another.-skwire
I've been doing that too - but lately I've been pondering if it wouldn't be a better idea to use PAR files instead... then you might be able to fix corruption rather than just detect it.
As for anti-tampering, this has already been touched on, but
for linux/bsd distros, the .iso files are hosted on a lot of different mirrors, and the links + hashes are hosted on the main site. To successfully violate a distribution, you'd need to hack both the main site as well as a number of mirrors (people downloading these things wouldn't be fooled by bad links).
Some distributions even cryptographically sign the images.
If you want real security, you sign the package to get cryptographic blahblah on your side. Or maybe you can just sign the hash. I'm unsure, to be honest. -worstje
You're always signing a hash, as it'd be computationally infeasible to run public-key algorithms on a DVD image... whether you're signing the hash of the md5sum file or the hash of the DVD image is a different matter, though :p
but any good installer checks its contents for this before installing-justice
Installers work differently, though. For OS distributions, you don't generally check the entire media before installing - especially considering you're often running from optical media, that would be extremely slow... and considering you don't install 100% of the packages on the media, it would also be stupid. Better to let users offline-verify the ISO hash, and then online-verify the individual packages being installed.
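A checksum-list verifier in the spirit of the SFV checks in skwire's post and the offline ISO-hash check in the reply above, added here as an example; it is not code from the thread. It parses the `sha256sum`-style list that distributions publish, streams each file in chunks so a full DVD image never has to fit in memory, and reports OK, FAILED or MISSING per entry; the sample files, the corrupted byte and the missing entry are all constructed inside the script.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB image is never loaded whole


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib and return its lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse sha256sum/md5sum output lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest  # drop text/binary marker
        entries.append((name, digest.lower()))
    return entries


def verify_sums(sums_text, base_dir, algo="sha256"):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry in the list."""
    results = {}
    for name, expected in parse_sums(sums_text):
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"  # never copied, or the list names the wrong file
            continue
        results[name] = "OK" if file_digest(path, algo) == expected else "FAILED"
    return results


def demo():
    """Constructed sample: a sums list made before one file silently lost a byte."""
    with tempfile.TemporaryDirectory() as d:
        names = ("disc1.iso", "disc2.iso")
        for name, data in zip(names, (b"A" * 3_000_000, b"B" * 16)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        sums = "\n".join(f"{file_digest(os.path.join(d, n))} *{n}" for n in names)
        sums += f"\n{'0' * 64}  disc3.iso\n"  # placeholder digest for a file never copied
        with open(os.path.join(d, "disc2.iso"), "r+b") as f:  # simulate bit rot / bad copy
            f.seek(3)
            f.write(b"X")
        return verify_sums(sums, d)


if __name__ == "__main__":
    print(demo())
```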