This utility computes MD5 checksums of files, ignoring end-of-line
conventions unless the -b (binary) flag is set.  The file "pgp22.md5"
contains the signatures of all the files in the source.  If you are
in the source directory and run "md5sum -c pgp22.md5", you will get
an error message if any files fail to match.  If all files match,
nothing will be printed.

You need to borrow some files from the PGP sources to compile this
utility (md5.c, md5.h, and possibly the getopt implementation);
see the md5sum.c file for details.

The file pgp22.md5 is signed by one of the developers, so you can be
reasonably sure it's correct.  It would be possible for a hard-working
miscreant to fiddle with the distribution so all of this mutual checking
would not show any errors, but it's not going to happen accidentally.
And if you have a previous version of PGP that you trust, it's not going
to happen at all.

The only other thing that's needed is a detached PGP signature of the
md5sum.c file, and anyone with a previus version of PGP that they trust
can be sure that no tampering has occurred anywhere, and that's here:

-----BEGIN PGP MESSAGE-----
Version: 2.2

iQBgAgUBK5lOzMo9of2GWqfzAQFJMAJXUdMp9HjcGQZg/m1cPZ+YrhWMB+CANXzL
cAin6ZB5jCuq5BQefEeyzoT1ceBM0I3ujb+8z3+gKLtyi/jl8c1ypFbjT4og8udz
lwAl
=U8fl
-----END PGP MESSAGE-----

(And my and Branko's keys are in the supplied key ring, signed by
Philip Zimmermann, so you know that we are who we say we are, and if
there are any trojan horses in the source, you know who put them there.
Isn't security fun?)
-- 
	-Colin <colin@nyx.cs.du.edu>
