Você está certo em sua expectativa.
Verifique este exemplo no Apache .
E esta referência do Ubuntu md5sum .
In terms of security, cryptographic hashes such as MD5 allow for authentication of data obtained from insecure mirrors.
The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust.