Verifying Checksums via CLI

When you download files from the Internet, particularly source files for programs or compiled binaries, you will often see checksums next to the download links or contained in files on an FTP server. Open source projects, for instance, often include checksums for compressed versions of their source code for particular releases.

If you want to verify that the archive you have downloaded is the same as the archive the project has linked to, you can create your own checksum against the file and verify that your checksum matches the checksum supplied by the download source. While there are plenty of GUI tools available for verifying checksums, the easiest and quickest way is often to use CLI tools to create your own checksum for verification. Before we get to generating the checksums, let's look at the different kinds of checksums.

 

Checksums

The major checksum hash methods in use for this purpose are SHA and MD5. SHA has several variants, including SHA1, SHA256, and SHA512. MD5 and SHA1 both have demonstrated vulnerabilities but remain in widespread use. When you need to verify checksums, you should use the most secure checksum available for the source, currently SHA256 or SHA512.

For more information on checksums, see the Checksum page on Wikipedia.

 

CLI Tools

Command line tools exist for MD5 and SHA sums. They are:

MD5
  • md5sum (Linux)
  • md5 (OS X)
  • FCIV (Windows, older versions)
  • Get-FileHash (Windows PowerShell)
SHA
  • sha256sum (Linux)
  • shasum (OS X)
  • FCIV (Windows, older versions)
  • Get-FileHash (Windows PowerShell)

 

Verification

You can verify checksums automatically using the CLI tools or manually by visual inspection of generated hashes. Automated verification is less prone to error and is generally preferred.

 

Automated

 

SHA

On Linux and OS X, you can verify checksums automatically using a checksum file - a file that contains checksums for files, one per line, in the format: 

{hash} SPACE ASTERISK [{directory} SLASH] {filename}, e.g.

b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 *openssl-1.0.2g.tar.gz

See the Wikipedia article on sha1sum for more details. Commands are as follows:


Linux

$ sha256sum -c {checksum_filename}


OS X

$ shasum -a 256 -c {checksum_filename}
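
As an added example (not part of the original article), the script below wraps the two commands above in one helper and runs it against a constructed checksum file, first with an intact file and then after the file has been modified. The names verify_checksums, demo, sample.bin and SHA256SUMS are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; verify_checksums and demo are hypothetical helper names.

# Run whichever SHA-256 tool is installed in check mode against a checksum
# file. Call it from the directory the listed file names are relative to.
# Exit status: 0 = every listed file matched; non-zero = mismatch,
# missing file, or no tool available.
verify_checksums() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c "$1"            # Linux
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 -c "$1"        # OS X
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Constructed sample data: a 3-byte file containing "abc", whose SHA-256
# is the standard published test vector used below.
demo() {
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        printf 'abc' > sample.bin
        # Checksum file line: {hash} SPACE ASTERISK {filename}
        printf '%s *%s\n' \
            ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
            sample.bin > SHA256SUMS

        # The intact file must pass.
        verify_checksums SHA256SUMS || exit 1

        # Simulate a corrupted or altered download: one extra byte.
        printf 'x' >> sample.bin
        if verify_checksums SHA256SUMS; then
            exit 1                   # a modified file must never pass
        fi
        exit 0
    )
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

Because the helper passes through the tool's exit status, it can gate later steps in a script, for example `verify_checksums SHA256SUMS && tar xzf archive.tar.gz`.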

 

Windows

The Windows tools FCIV and Get-FileHash use their own formats. FCIV writes and reads checksum files in an XML database format. See the FCIV page and the Get-FileHash page at Microsoft for more details. With the announcement by Microsoft of the availability of a Linux bash shell on Windows, Windows users will be able to use Linux tools like sha256sum natively.

 

Manual

 

SHA

Manually verifying SHA sums is not recommended due to the size of the sums, but it is possible. 

 

Linux

$ sha256sum {filename}

 

OS X

$ shasum -a 256 {filename}

 

The command will generate an SHA sum that can be visually compared to the SHA sum supplied by the vendor.

 

MD5

You can generate MD5 checksums using the commands:

 

Linux

$ md5sum {filename}

 

OS X

$ md5 {filename}

 

Windows

FCIV and Get-FileHash can be used to generate both MD5 and SHA checksums.

While Windows users may be frustrated that simple CLI tools like sha256sum have not been available in the past, Windows users have a wide variety of GUI tools for verifying checksums.