How to verify the checksum of a downloaded file (pgp, sha, etc.)?

  • Maybe I have been negligent towards the verification of software I download over the Internet, but I (or anybody I ever met) have never tried to verify the checksum of the contents I download. And because of this, I have no idea about how to verify the integrity of the downloaded item.

    So how do I verify the checksum of a downloaded file?

    You can also compute hash through GUI

    A SHA256/MD5 checksum and a PGP signature are 2 very different things

  • Connor J

    Connor J Correct answer

    3 years ago

    Usually this would start on the owners side displaying the checksum for the file that you wish to download. Which would look something like the following:

    md5: ba411cafee2f0f702572369da0b765e2

    sha256: 2e17b6c1df874c4ef3a295889ba8dd7170bc5620606be9b7c14192c1b3c567aa

    Now depending on what operating system you are using, once you have downloaded the required file you can compute a hash of it. First navigate to the directory of the file you downloaded, than:

    Windows

    CertUtil -hashfile filename MD5 / CertUtil -hashfile filename SHA256

    Linux

    md5sum filename / sha256sum filename

    MacOS

    md5 filename / shasum -a 256 filename


    The issue that comes with checking a hash from a website is that it doesn't determine that the file is safe to download, just that what you have downloaded is the correct file, byte for byte. If the website has been compromised then you could be shown the hash for a different file, which in turn could be malicious.

    In my case I needed sha512 for .net core library `CertUtil -hashfile filename SHA512`

    notably, downloads often happen via mirrors (when downloading Apache Tomcat, for instance), in which case the checksum might be provided from the same site that links the mirrors. However, if that site is corrupted itself and not just one or some of the download mirrors, you don't gain any security from the checksum.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM