Verifying Checksums
These days, it’s not uncommon to download a known application from an unknown source. It may be because the site uses multiple download mirrors (many Linux distributions are downloaded this way), because the software came from a torrent or was given to you by a friend, or for any number of other reasons. The good news is that it’s also not uncommon for software authors to post a checksum of the software on their website, to give users a way of validating it. That checksum does no good if you don’t actually check it, so here are the easy steps for doing so.
What does the checksum do for us? Let’s say that we have a program created by ABC corp. We trust that they didn’t do anything malicious to the file, and they’ve posted a link to download it, along with its checksum, on their site. When you actually go to download the file, you’re taken to numerous download sources. You download the file from XYZ corp, but you want to make sure that you’re getting the file just as ABC corp wrote it, and not any malicious code that an intern hacker at XYZ corp decided to add. In addition, verifying the checksum helps make sure that you don’t have a corrupted copy of the file. Any change (even adding a single space somewhere) will make the resulting checksum completely different. So after you download the file, you generate a checksum of your downloaded copy and compare it to what the creator of the file said it should be. As long as the two values match, you can be reasonably sure that no one has modified the file.
To validate a checksum, you’ll need three things: a utility that can generate the checksum, the actual file that you want to validate, and the checksum of the file as published by the provider of the file.
First, you’ll need software that can generate a checksum. Many Linux distributions include such a tool by default. For Windows, Microsoft provides the File Checksum Integrity Verifier (FCIV) as a separate download (currently located here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b3c93558-31b7-47e2-a663-7365c1686c08). Once you’ve downloaded and extracted it, open a command prompt and go to the directory where the extracted file was saved.
Second, from the command prompt, you’ll tell fciv which file you want to validate the checksum for. For this example, I want to validate an installer on the network for Python version 2.6.4. Currently, the Python site http://www.python.org/download/releases/2.6.4/ lists the MD5 checksum for the .msi installer as 2e2b60ae73e9e99cd343a3fe9ed6e770.
To validate this, I return to the command prompt we opened earlier, which is in the directory where fciv.exe was downloaded to, and type the command
fciv.exe <file to verify>
for example
fciv.exe C:\Tools\Python\python-2.6.4.msi
Note: due to weaknesses that were found in MD5, many files are now posted with the SHA1 hash as well as the MD5 hash. To get fciv to generate the SHA1 hash, just add a "-SHA1" flag at the end of the command. For example, the above command would become "fciv.exe C:\Tools\Python\python-2.6.4.msi -SHA1".
This prints the hash of the file. As we can see, this hash is the same as the one listed on the Python download page. This quick step helps make sure that the file we’re about to run hasn’t been tampered with or accidentally corrupted.
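The same check, scripted, as an added example that is not part of the original post: it hashes a file in chunks (so large installers don’t have to fit in memory), normalises the published value the way vendor pages tend to list it (either letter case, stray whitespace), and compares with a constant-time comparison. The sample file and its one-byte-modified copy are constructed inside the script, so their digests are those of the sample, not of the Python installer discussed above; the path names are assumptions.

```python
"""Verify a downloaded file against a checksum published by its author."""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read installers in 1 MiB pieces instead of all at once


def file_digest(path, algorithm="sha1"):
    """Return the lowercase hex digest of the file at `path` ("md5" or "sha1")."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, published, algorithm="sha1"):
    """Compare the file's digest with the published value.

    Returns (matches, actual_digest). The published string is trimmed and
    lowercased because download pages show digests in either case; a value of
    the wrong length can never match, so it is rejected before comparing.
    """
    expected = published.strip().lower()
    actual = file_digest(path, algorithm)
    if len(expected) != len(actual):
        return False, actual
    return hmac.compare_digest(expected, actual), actual


def demo():
    """Constructed sample: a 'download' plus a copy with a single byte changed."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "sample-installer.msi")   # assumed name
    bad = os.path.join(workdir, "sample-installer-tampered.msi")
    with open(good, "wb") as f:
        f.write(b"abc")            # constructed content, not a real installer
    with open(bad, "wb") as f:
        f.write(b"abd")            # one byte differs from the original
    # The value the author would have published for the untouched sample.
    published_sha1 = "A9993E364706816ABA3E25717850C26C9CD0D89D  "
    good_ok, good_digest = verify_checksum(good, published_sha1)
    bad_ok, bad_digest = verify_checksum(bad, published_sha1)
    return {"original_ok": good_ok, "original_sha1": good_digest,
            "tampered_ok": bad_ok, "tampered_sha1": bad_digest}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```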