I highly recommend downloading these images from oldsilicon.com and then checking the file checksum against what I provide alongside the images. Since these files might be loaded onto a classic machine that you’ve restored and that is connected to your network, there’s a risk that someone could alter the image after it’s downloaded, potentially creating an attack vector for your more modern computers. While I’m not doing this, I can’t vouch for others. If you share any of these images, please share the site link so others can read this advisory!
Verifying a downloaded image
To check the image after downloading:
On a Mac, use the shasum command from the command
line:
shasum -a 1 <filename>
On a Windows box, use the certutil command from the
command line:
certutil -hashfile "filename.exe" SHA1
The number that pops out should match the number listed above the link on the website. If the two don’t match, please send me a note via the Contact Me link on the site before booting the disk image on your box and I will make sure the checksum is still correct on the site.
A note on compressed and booted images
Obviously, once you uncompress the image with gzip and/or
boot the image, the checksum will no longer match — and
this is normal. The published hash is for the compressed
.img.gz (or .hda.gz) file as downloaded.