52

Maybe I have been negligent towards the verification of software I download over the Internet, but I (or anybody I ever met) have never tried to verify the checksum of the contents I download. And because of this, I have no idea about how to verify the integrity of the downloaded item.

So how do I verify the checksum of a downloaded file?

forest
  • 65,613
  • 20
  • 208
  • 262
ThankYouSRT
  • 1,275
  • 3
  • 12
  • 15

4 Answers4

62

Usually this would start on the owners side displaying the checksum for the file that you wish to download. Which would look something like the following:

md5: ba411cafee2f0f702572369da0b765e2

sha256: 2e17b6c1df874c4ef3a295889ba8dd7170bc5620606be9b7c14192c1b3c567aa

Now depending on what operating system you are using, once you have downloaded the required file you can compute a hash of it. First navigate to the directory of the file you downloaded, than:

Windows

CertUtil -hashfile filename MD5 / CertUtil -hashfile filename SHA256

Linux

md5sum filename / sha256sum filename

MacOS

md5 filename / shasum -a 256 filename


The issue that comes with checking a hash from a website is that it doesn't determine that the file is safe to download, just that what you have downloaded is the correct file, byte for byte. If the website has been compromised then you could be shown the hash for a different file, which in turn could be malicious.

Line
  • 103
  • 3
Connor J
  • 1,464
  • 8
  • 11
  • 1
    In my case I needed sha512 for .net core library `CertUtil -hashfile filename SHA512` – Ashi Mar 17 '20 at 08:36
  • 1
    notably, downloads often happen via mirrors (when downloading Apache Tomcat, for instance), in which case the checksum might be provided from the same site that links the mirrors. However, if that site is corrupted itself and not just one or some of the download mirrors, you don't gain any security from the checksum. – PixelMaster Apr 27 '20 at 14:04
16

Checksums vs Hashes vs Signatures

You mention checksums, PGP, and SHA in your question title, but these are all different things.

What is a checksum?

A checksum simply verifies with a high degree of confidence that there was no corruption causing a copied file to differ from the original (for varying definitions of "high"). In general a checksum provides no guarantee that intentional modifications weren't made, and in many cases it is trivial to change the file while still having the same checksum. Examples of checksums are CRCs, Adler-32, XOR (parity byte(s)).

What is a cryptographic hash?

Cryptographic hashes provide additional properties over simple checksums (all cryptographic hashes can be used as checksums, but not all checksums are cryptographic hashes).

Cryptographic hashes (that aren't broken or weak) provide collision and preimage resistance. Collision resistance means that it isn't feasible to create two files that have the same hash, and preimage resistance means that it isn't feasible to create a file with the same hash as a specific target file.

MD5 and SHA1 are both broken in regard to collisions, but are safe against preimage attacks (due to the birthday paradox collisions are much easier to generate). SHA256 is commonly used today, and is safe against both.

Using a cryptographic hash to verify integrity

If you plan to use a hash to verify a file, you must obtain the hash from a separate trusted source. Retrieving the hash from the same site you're downloading the files from doesn't guarantee anything. If an attacker is able to modify files on that site or intercept and modify your connection, they can simply substitute the files for malicious versions and change the hashes to match.

Using a hash that isn't collision resistant may be problematic if your adversary can modify the legitimate file (for example, contributing a seemingly innocent bug fix). They may be able to create an innocent change in the original that causes it to have the same hash as a malicious file, which they could then send you.

The best example of where it makes sense to verify a hash is when retrieving the hash from the software's trusted website (using HTTPS of course), and using it to verify files downloaded from an untrusted mirror.

How to calculate a hash for a file

On Linux you can use the md5sum, sha1sum, sha256sum, etc utilities. Connor J's answer gives examples for Windows.


What is a signature?

Unlike checksums or hashes, a signature involves a secret. This is important, because while the hash for a file can be calculated by anyone, a signature can only be calculated by someone who has the secret.

Signatures use asymmetric cryptography, so there is a public key and a private key. A signature created with the private key can be verified by the public key, but the public key can't be used to create signatures. This way if I sign something with my key, you can know for sure it was me.

Of course, now the problem is how to make sure you use the right public key to verify the signature. Key distribution is a difficult problem, and in some cases you're right back where you were with hashes, you still have to get it from a separate trusted source. But as this answer explains, you may not even need to worry about it. If you're installing software through a package manager or using signed executables, signature verification is probably automatically handled for you using preinstalled public keys (i.e. key distribution is handled by implied trust in the installation media and whoever did the installation).


Related Questions

AndrolGenhald
  • 15,506
  • 5
  • 45
  • 50
3

I use a shortcut script to verify SHA 256 sums on Linux automatically.

If you use sha256sum filename you have to compare the sums yourself which is hard, unreliable and slow.

Solution: Instead, you can create a simple function in your .bashrc or .zshrc configurations and run it in the following way:

sha256 <expected-sha-256-sum> <name-of-the-file>

It will compare the expected SHA 256 sum with the actual one in a single command.

The function is:

sha256() {
    echo "$1 $2" | sha256sum --check
}

Please find more details here.

Sasha Shpota
  • 131
  • 2
  • 1
    Or pipe the reference hash into sha256sum and use the -c or --check options, and sha256sum will compare the derived hash with the reference hash, and indicate whether or not they match. See https://superuser.com/questions/1312740/how-to-take-sha256sum-of-file-and-compare-to-check-in-one-line for more info. – mti2935 Dec 02 '19 at 22:06
1

Linux Specific

TLDR;

sha256sum -c thefile.sha
// thefile: OK

Success! Unless you ran that command in a directory that doesn't contain the target of the shasum, in which case you'll get:

sha256sum: thefile: No such file or directory
thefile: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read

/TLDR;

Verify for Yourself

Everything you need to know can be found by using the md5sum man page:

man md5sum

Not because md5sum is particularly useful, but because if you forward search /BUGS you'll be treated to a nice overview of your options :)

Do not use the MD5 algorithm for security related purposes. Instead, use an SHA-2 algorithm, implemented in the programs sha224sum(1), sha256sum(1), sha384sum(1), sha512sum(1), or the BLAKE2 algorithm, implemented in b2sum(1)

They all have the same options, with the exception of b2sum which has an extra --length option.

The following PRODUCES a sha signature:

sha256sum yourFilename > yourFilename.sha

where yourFilename.sha contains:

9f22b735f8f416bb8195cef9436ddec04db709132dae87137026b9725cf5678a  yourFilename

To check simply run with --check option:

sha256sum -c yourFilename.sha
// yourFilename: OK

If this seems a little unsatisfying and magical, you can go a manual route with:

sha256sum yourFilename > homebrewSHA

And diff it against the sha file you downloaded from the internet:

diff suspiciousInternetSHA homebrewSHA

If the diff prints out anything at all, those are NOT the droids you're looking for. Otherwise, you're good!

Paul Parker
  • 111
  • 1