Thanks for pointing that out, @emva, but that is incorrect from a security perspective.
The checksum should be provided by a server that is different from the one providing the image, in order to prevent hacking of a single server and modifying the image.
Also, the checksum should be public to prevent the "organization" from providing a modified image to specific users.
Although I agree that the checksums should be available from the server providing the images, there is nothing keeping a server admin from dynamically generating new packages and checksums for specific requests. An audit "might" find it, but if users aren't VERY vigilant (for instance check the same sources from multiple IP addresses), it's possible to slip users a mickey.
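The check discussed in this thread, as an added example that is not part of either post: the downloaded image is accepted only when checksum files obtained from at least two independent sources list the same SHA-256 and the image matches it. The function names, the file name `disk.img` and the source labels are assumptions, and the sample data is constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str, filename: str):
    """Return the digest listed for filename in sha256sum-style text, or None."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == filename:
            return parts[0].lower()
    return None


def verify(image: bytes, filename: str, published: dict, min_sources: int = 2):
    """published maps a source label to the checksum-file text fetched from it.

    Returns (ok, reason). A checksum that only the image server vouches for
    is rejected, because whoever altered the image could alter it too.
    """
    found = {}
    for source, text in published.items():
        digest = parse_sha256sums(text, filename)
        if digest:
            found[source] = digest
    if len(found) < min_sources:
        return False, "too few independent sources list this file"
    if len(set(found.values())) != 1:
        return False, "sources disagree: " + ", ".join(sorted(found))
    if sha256_hex(image) != next(iter(found.values())):
        return False, "image does not match the published checksum"
    return True, "ok"


if __name__ == "__main__":
    # Constructed data: the image server hands out a modified image together
    # with a matching checksum, while the separate server lists the original.
    original = b"constructed original image"
    modified = b"constructed modified image"
    sources = {
        "image-server": sha256_hex(modified) + "  disk.img\n",
        "separate-server": sha256_hex(original) + "  disk.img\n",
    }
    print(verify(modified, "disk.img", sources))
```

Fetching each checksum file over a different network path is what gives the comparison value against per-request tampering; the script only compares what it is given.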