How to verify the file checksum of a download

On the internet, it’s somewhat common for you to see “checksum codes” available for downloads of compiled open source projects.

[screenshot: checksums listed on a project's download page]

Let’s dig into what this is, why it’s important, and how to use them.

What is a checksum?
A checksum is the fixed-size result of an algorithm run over every byte of a file. The idea is that if even a single byte of the file is different, the resulting checksum will be different, so you can detect whether there was an error during the download. This used to be done with CRC, but in the modern day it's easier and cryptographically stronger to use a message digest like SHA-1.

Why is it useful to me?
Practically, this concept can be useful to you for two reasons:

  1. You can verify that your download was absolutely perfect and was not corrupted during transit. In present day, this is not a common problem anymore. However, you may have had a file sitting on a bad hard drive where some bits of the file were corrupted for example.
  2. You can verify that you are downloading the actual version you think you are. For many open source projects, the download is available from many “mirrors”. What if one of these mirror sites was compromised?

On the second point, here is another example: imagine you are at http://malicioussite.example.com and they have a download of ParrotOS (a Linux distribution you want to check out). Well, how do you know it really is just that? Maybe someone added some malware and re-packaged it? First, you should obviously only download software from the actual vendor site. However, even supposing you did, or supposing you ran across an .iso on a file share, how do you verify that it is the EXACT same version as the known-safe version from the vendor website? Answer: you verify the checksum.

How to verify the checksum on Windows:
This is nice and simple. Microsoft has a free download of a single executable:

Microsoft File Checksum Integrity Verifier
https://www.microsoft.com/en-us/download/details.aspx?id=11533

You download that, run the self-extracting .exe and it has an exe and a readme file. To use it, you run it from the command-line, like this:

fciv.exe -sha1 -add filename.iso

and that should result in output like this:

[screenshot: fciv.exe output showing the SHA-1 of the .iso]

I installed this utility into C:\fciv, but you can put it wherever. On my machine, the full path of it is C:\fciv\fciv.exe. Now we compare the checksum to what it says on the website (look at the long string of characters starting with “a07aba…” and ending in “…b1a”):

[screenshot: the checksum published on the vendor website]

We have a match, so we know the file is intact AND it's exactly the same version as the one on the website.

How to verify the checksum on MacOS X:
On a Mac, the utility for this is included with the OS and it’s called shasum. To use it, run something like this:

$ shasum Downloads/Parrot-2.0rc9.3_i386.iso

and you should get an output like this:

[screenshot: shasum output on macOS]

Again, we have a match, so we know this is the same, exact version from the website. Note that the string starting with “a07…” and ending with “…b1a” matches what is on the website.

How to verify the checksum on Linux:
The answer is the same for most distributions: that same “shasum” utility is already included in many distributions of Linux. So, on an Ubuntu 14.x instance for example, I can run:

$ shasum Downloads/Parrot-2.0rc9.3_i386.iso

and get a similar output:

[screenshot: shasum output on Ubuntu]

And again, because the number matches, we know that this is exactly what is available on the website. We know the file is intact, and we know it hasn't been tampered with.

Bottom line:
Do you need to do this? Well, Microsoft doesn't think so, since the tool is not even part of the OS. Conversely, Mac and Linux DO think it's significant enough that they include the utility. In general though, yes, it would be ideal to do this when downloading any compiled open-source binary or ISO. Even better, why not make a script that uses wget or curl to get the file, runs the utility, and prints the result? Then, instead of downloading things in your browser, you could copy the URL and paste it into your script instead.

For me, I've been lax with this and it hasn't bitten me yet, but it's a simple enough step that I will try to make it a habit: always validate the checksum of what I download.
