I want to check the authenticity of a downloaded zip package. Is it enough to only create the checksum of the zip package and check it locally? Do I need to create the checksum of each file included?
import hashlib
import io

# Hash the archive in 1024-byte chunks so it never has to fit in memory.
m = hashlib.md5()
file = io.FileIO('test.zip', 'r')
chunk = file.read(1024)
while chunk != b'':
    m.update(chunk)
    chunk = file.read(1024)
file.close()
I assume you are questioning the scope of the MD5 hash, not the checksum (two very different things). Because ZIP is a lossless compression algorithm, taking the hash of the whole ZIP archive (and checking it against the expected value) should provide identical "authenticity" information as checking the hash of each uncompressed internal file individually. If the ZIP archive hash matches the expected value, you don't even need to worry about the checksum values. The hash is a far more robust mechanism than the checksum(s).
As just one example of the hash's power, each object (i.e., file) is identified by a SHA-1 hash of its contents in the Git source control system. This is the only mechanism Git considers to see if a file has been altered.
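As an added example (not part of the original question or answer), the code below hashes an archive as one byte stream, using SHA-256 instead of the MD5 in the question, compares it with a published digest, and computes per-member digests for contrast. The function names and the in-memory sample archives are constructed for illustration, and the expected digest is assumed to come from a trusted source separate from the download.

```python
import hashlib
import hmac
import io
import zipfile


def archive_digest(stream, algorithm="sha256", chunk_size=64 * 1024):
    """Hash the archive as one byte stream, read in fixed-size chunks."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_archive(stream, expected_hex, algorithm="sha256"):
    """True only if the whole-archive digest equals the published value."""
    actual = archive_digest(stream, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def member_digests(stream, algorithm="sha256"):
    """Digest of each uncompressed member, to show which file differs."""
    with zipfile.ZipFile(stream) as zf:
        return {name: hashlib.new(algorithm, zf.read(name)).hexdigest()
                for name in zf.namelist()}


def build_zip(files, date_time=(2020, 1, 1, 0, 0, 0)):
    """Constructed sample input: an in-memory ZIP built from a dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_zip({"a.txt": b"hello", "b.txt": b"world"})
    tampered = build_zip({"a.txt": b"hello", "b.txt": b"w0rld"})
    repacked = build_zip({"a.txt": b"hello", "b.txt": b"world"},
                         date_time=(2021, 6, 1, 0, 0, 0))
    published = archive_digest(io.BytesIO(good))  # stand-in for a trusted value
    for label, blob in (("good", good), ("tampered", tampered), ("repacked", repacked)):
        ok = verify_archive(io.BytesIO(blob), published)
        same_files = member_digests(io.BytesIO(blob)) == member_digests(io.BytesIO(good))
        print(f"{label}: archive matches={ok}, members match={same_files}")
```

Repacking the same files with different timestamps changes the archive digest but not the member digests, so a published whole-archive hash matches only the exact bytes that were published.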