I work as a tech for a small computer company. My boss has tasked me with assembling a toolkit of utilities that will help our company as we work and perform maintenance on servers and workstations.

One of the requirements of my task is to make sure that the programs I download can be verified for integrity.  He suggests using an MD5 or SHA-1 Checksum.  I have educated myself on how to use the checksums to verify the programs but I most of the programs do not provide an MD5 or SHA-1 for their program.  

What is the best way I can verify the programs that do not have given checksums? We do not want to put anything on our network that could jeopardize our servers.

Thanks in advance! 

 

There are no reliable solutions other than to get digitally signed binaries. If the assembly is signed and signature is valid, than you can say that this software came from exact publisher. If there are no digital signatures then you can't say certainly where it came from. Even if publisher provides a hashsum.