
Parallels: Purveyors of decent virtualization software... and occasionally iffy checksums

Norman Nescio Silver badge

Inadequate processes/procedures

I've had the same problem downloading SOHO router firmware from the UK distributor's website. An emailed enquiry, and shortly (for 'low numbers of days' values of shortly) afterwards, the checksums were magically updated to match the checksums of the firmware files available for download.

Ideally, as well as checksums (MD5 | SHA256 | favoured contemporary checksum algorithm) the checksums should be signed with a trusted signing key. Websites can be compromised in many ways, but hopefully organisations will keep reasonably good control of their signing keys.

So for me, downloading some popular alternative SOHO router firmware, I get the files, the file of checksums and the signature file, then at the command line

$ gpg --verify sha256sums.asc sha256sums

Assuming the output checks out i.e. the signature is good, I then do

$ sha256sum --ignore-missing --check sha256sums

which automatically calculates the checksum of each file listed in the signed sha256sums file and tells me if the checksum matches with the signed one. If so, I'm good to go.

I know I'm in a minority for doing this.

But if you are distributing software, I would have thought you would provide correct checksums and a verification signature as a matter of course. Whether people use them or not is up to them.
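The two-step check the commenter describes (verify the detached signature over the checksum list, then check each downloaded file against that list), written out as an added Python example. This is not the commenter's code nor any vendor's tooling: the function names are my own, `verify_signature` assumes a `gpg` binary on PATH and shells out to it rather than re-implementing OpenPGP, and `demo()` builds constructed sample files in a temporary directory so the checksum stage runs offline. It also shows the one caveat worth knowing about `--ignore-missing`: a file the publisher listed but you never downloaded is silently skipped, so a lenient run can report success on an incomplete download.

```python
"""Verify a signed sha256sums file, then the files it lists (added example).

Mirrors the two commands from the comment:
  1. gpg --verify sha256sums.asc sha256sums      (detached signature over the list)
  2. sha256sum --ignore-missing --check sha256sums
"""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

# One sha256sum-style line: 64 hex digits, whitespace, optional '*' (binary mode), filename.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text):
    """Return {filename: lowercase hex digest}; blank and '#' lines are ignored."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % raw)
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large firmware images are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_signature(sig_path, data_path, gpg="gpg"):
    """Step 1: True only if gpg exits 0 (good signature from a key in the local keyring).
    Raises if gpg is absent so 'could not check' is never mistaken for 'checked OK'."""
    if shutil.which(gpg) is None:  # assumption: gpg on PATH, keyring already holds the publisher key
        raise RuntimeError("gpg not found; cannot verify %s" % sig_path)
    result = subprocess.run([gpg, "--verify", sig_path, data_path],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def verify_checksums(sums_path, base_dir, ignore_missing=True):
    """Step 2: behaves like `sha256sum --check`; returns {filename: 'OK'|'FAILED'|'MISSING'}."""
    with open(sums_path, "r", encoding="utf-8") as f:
        expected = parse_sha256sums(f.read())
    status = {}
    for name, digest in expected.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            if not ignore_missing:  # --ignore-missing drops these entries entirely
                status[name] = "MISSING"
            continue
        status[name] = "OK" if sha256_of_file(path) == digest else "FAILED"
    return status


def all_ok(status):
    """Only flash when at least one file was checked and every checked file matched."""
    return bool(status) and all(v == "OK" for v in status.values())


def demo():
    """Constructed sample downloads (not real firmware); returns lenient and strict results."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "firmware-good.bin")
    bad = os.path.join(tmp, "firmware-tampered.bin")
    with open(good, "wb") as f:
        f.write(b"\x00" * 1024 + b"constructed firmware image A")
    with open(bad, "wb") as f:
        f.write(b"constructed firmware image B")
    # Publisher's list: correct digest for the good file, the digest of a *different*
    # image for the tampered one, and one file that was never downloaded.
    sums = "\n".join([
        "%s  firmware-good.bin" % sha256_of_file(good),
        "%s  firmware-tampered.bin" % hashlib.sha256(b"original image B").hexdigest(),
        "%s  firmware-not-downloaded.bin" % ("0" * 64),
        "",
    ])
    sums_path = os.path.join(tmp, "sha256sums")
    with open(sums_path, "w", encoding="utf-8") as f:
        f.write(sums)
    lenient = verify_checksums(sums_path, tmp, ignore_missing=True)
    strict = verify_checksums(sums_path, tmp, ignore_missing=False)
    shutil.rmtree(tmp)
    return lenient, strict


if __name__ == "__main__":
    lenient, strict = demo()
    print(lenient, "->", "good to go" if all_ok(lenient) else "do NOT flash")
    print(strict)
```

In real use you would call `verify_signature("sha256sums.asc", "sha256sums")` first and refuse to go on unless it returns True; the checksum stage on its own proves only that the download matches the list, not that the list came from the publisher, which is exactly the gap the comment is about.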
