Verifying file integrity is an important step when downloading and installing applications, especially when these applications are relied upon to perform a security function. An application that is not downloaded completely or correctly may be weakened and fail to provide the necessary security. Worse, users may be the victims of a watering hole attack where the download site is infected with malware, or some targeted individuals are redirected to look-alike sites. In this instance the software in question would be modified to suit the attacker’s aims and its security could be bypassed entirely. The easiest way to have some assurance that your downloaded applications are intact and legitimate is to verify their integrity using checksums and a checksum calculator.
There are also some other reasons that a checksum calculator may be handy. For example, if you wish to transmit an attachment to another person through email, a cloud storage account, or other digital medium, a checksum could be used to verify the file had not been tampered with in transit. Checksums can also be used to ensure that two files are are identical. For example, if you backup a large folder to a USB flash drive you can compare the checksums of the two folders to ensure they are the same.
I constantly push this technique in my live classes and never cease to be amazed at the minuscule number of participants who every take any steps at all to verify the integrity of applications before executing them. It appears to me that this skill is applied only by the smallest handful of users. The other major problem I run into when teaching (and when downloading software myself) this is the lack of a single, independent checksum repository from which to pull known-good checksums for comparative purposes. This is perhaps at least part of the problem inherent in verifying file integrity.
As a result I have slowed down on the blog in the past couple of weeks to expand and update the checksums page. Though many do not, some security applications post checksums on their download pages. Even so I still believe it is important to verify checksums from an alternate source; if you are redirected to a forged download page and download a corrupted file, it would be a simple matter for the forger to post his or her own checksum. If you acquired both a corrupt file and its corresponding checksum from a forged site, the result would be worse than not verifying the file at all: you would receive a false positive, causing you to misplace trust in the application.
This is the primary motivating factor in my recent expansion of my checksums page. There seems to be no comprehensive, third-party repository of checksums for security software. The checksums posted there are SHA-256 and SHA-512. MD5 is insecure and there are credible reports of vulnerabilities in SHA-1 dating back several years.
Methodology: Before calculating checksums I download the application in question. If a GPG signature is available I will use the signature to verify the integrity of the application, and then use a checksum utility to calculate a hash. If a signature file is not available for a given application, I will compare it against a checksum found on a third-party site.
Windows: The CHK Checksum Utility is the simplest and most user friendly checksum calculator I have found for Windows operating systems. CHK runs in portable mode so there is no need to install it. Simply download and open the executable. Drag the file or files to be verified into the interface. The checksums will automatically be calculated in SHA-1; to change this open the Options menu and select the desired algorithm.
Next, right click on the file to be verified and select Verify…
In the pop-up that appears, paste a known-good checksum and click Verify.
A green checkmark will appear next to the application if the checksums match; if not a red “X” will appear beside the application name.
Checksums for the CHK Checksum Utility itself are available on my checksums page.
OS X: Mac users have checksum verifying ability built-into their operating systems, though it requires a trip to the Terminal. Open Launchpad and select Terminal. Enter the command “shasum” into the terminal. Next, drag the file itself into the terminal window and press Enter; by default this will calculate SHA-1 hashes. If you wish to verify the file using a SHA-256 or SHA-512 checksum use one of the following commands (disregarding the file path which is represented in italics):
- SHA-1: shasum /user/macbook/desktop/filename.dmg
- SHA-256: shasum -a 256 /user/macbook/desktop/filename.dmg
- SHA-512: shasum -a 512 /user/macbook/desktop/filename.dmg
This method merely displays the calculated hash for the selected file. To verify its authenticity requires a visual check. This is tedious and can be mistake-prone but is not impossible. I recommend copying both versions of the checksum (the output of the terminal calculation and the checksum collected from the internet) and pasting them into a word processing document, one on top of the other, in the same pitch and font. This makes differences much more easily identified visually.
There are also several GUI-driven checksum calculators available for OS X but I confess I have not yet tried one. There are very few that have been either recommended by a reputable source or well-reviewed.
Linux: Given Linux’s proclivity for eschewing graphic user interfaces (GUIs) over the terminal it is somewhat surprising that an excellent GUI-driven checksum calculator exists for Linux. It is called GtkHash, and will not be covered here.