What it means to check the integrity of the download with the SHA-1 or SHA-256 checksums

Discussion in 'other security issues & news' started by Frankfree, May 10, 2019.

  1. Frankfree

    Frankfree Registered Member

    Joined:
    May 3, 2011
    Posts:
    83
    What does it mean and how do you do it? Also, is it really necessary?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It checks that the downloaded file is not corrupted or modified.

    I personally use Total Commander to perform the check, but there are also other tools that can compute a checksum.
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    It checks that the downloaded file is not corrupted. It is not sufficient to check whether it was purposefully modified. The checksum must be signed by a key obtained through a different channel.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    According to @Minimalist and @reasonablePrivacy, it is and I fully agree, unless you have downloaded a digitally signed file, then there's no need to have checksums.

    Now, a digitally signed file, you must verify if it's OK and belongs to the file's author.
    If the signature is not valid then either the file is unintentionally corrupted or the file was tampered with.

    Unintentional corruption appears once in a while during the download process where bits transmission over the Internet goes wrong somehow or the software downloading your file corrupts the file unintentionally.

    Speaking of which, yesterday I downloaded a 200+ MB file digitally signed but the signature was not valid. Downloaded again immediately, then the signature was fine this time.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    I think it depends on how paranoid you are. I have never felt the need for such tools.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Security-wise is your point. But checksums are also needed for file corruption check (not talking about tampering).
     
  7. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    If a file is corrupt, I cannot use it and will find out about it when I try to open it. If a file is NOT corrupt, it works as expected, so I really don't know why I should check a file for a possible corruption.
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    I always verify the checksum of my router firmware before flashing.

    I'd rather find out that way than via a bricked router.
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    OK, this makes perfect sense to me. Good point. Perhaps I should verify the checksum of "important" files, but I'm definitely too lazy to verify the checksum of each and every file that I download.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    Alright, good, fine. Just try a corrupted Windows iso and talk to me later.
    or how about this:
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    I can see your point. Verifying the checksum might be useful when it comes to important stuff, such as firmware and iso files, but it's certainly not a must-do procedure when it comes to less important files. Just my two cents.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    I agree on this when getting pdf files to read, word docs, etc. mostly not executable bits or binaries. Otherwise I look for checksums and most preferred by me: digital signature.
     
  13. Frankfree

    Frankfree Registered Member

    Joined:
    May 3, 2011
    Posts:
    83
    Any reliable open source software that can do this for me? Or online tools?


     
  14. guest

    guest Guest

    I use Hashtab, which will add a checksum tab in the file properties menu. But you need to input the legit hash to compare.
     
  15. Frankfree

    Frankfree Registered Member

    Joined:
    May 3, 2011
    Posts:
    83
    Just to install one or two software. Is there any online version?
     
  16. guest

    guest Guest

    Probably, but I use Hashtab because it is convenient and I can select several hash formats at the same time.

    These kinds of tools are useful for those like me that don't rely much on Antiviruses (which check the hashes already) but on default-deny mechanisms (which don't).
     
  17. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,910
    Location:
    North of the 38th parallel.
    Hello All:

    If the installer file in question is smaller than 128MB, think about submission to https://www.virustotal.com/en/ where a variety of hashes plus digital signing/countersigning are routinely displayed. One caveat being that an installer may contain both signed and unsigned files.

    Within Mark Russinovich's Sysinternals suite is the Sigcheck utility. https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
    Skywire (http://www.dcmembers.com/skwire/download/sigcheckgui/) distributes the compatible GUI front end for the Sigcheck utility that allows the user to run files and whole directories through a validation checkup that includes both hashes and digital signatures.

    HTH
     
  18. mickel

    mickel Guest

    I use 7-zip and Notepad++ to check the integrity of some downloads.
    I already use both for other tasks, so for me, it's not extra.

    1. Right-click on the file, go to CRC SHA, then click on SHA-1 or SHA-256 or click on the *.
    A checksum information window will appear.
    2. Click on the hash (e.g., SHA256: 79A73BE937C95B99295030F7CC7660B95F9724BD8336E962BAAD64C6B31FB28A) to highlight (select) it.
    3. Press the CTRL + C keys on your keyboard.
    4. Open Notepad++.
    5. Paste the hash code into Notepad++ (right-click > Paste).
    6. Paste the original hash code into Notepad++.
    7. Highlight one of the hash codes.
    8. If the other hash code also gets highlighted (green background) then they match.
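
The compare step from the procedure above can also be scripted. This is an added example, not part of the original post: it hashes the file in chunks, accepts the published value in 7-Zip style (`SHA256: 79A7...`) or `sha256sum` style, and picks SHA-1 or SHA-256 from the digest length. The function names and the sample file contents are constructed for illustration, and the published hash is assumed to come from a source you trust.

```python
import hashlib
import os
import tempfile

# Hex digest length -> algorithm, for the two checksums the thread discusses.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def normalize(published: str) -> str:
    """Accept 'SHA256: 79A7...', '79a7...  file.iso' or a bare hash; return lowercase hex."""
    for token in published.replace(":", " ").lower().split():
        if len(token) in ALGO_BY_HEX_LEN and set(token) <= HEX:
            return token
    raise ValueError("no SHA-1 or SHA-256 hex digest found")


def file_digest(path: str, algo: str, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str) -> bool:
    expected = normalize(published)
    return file_digest(path, ALGO_BY_HEX_LEN[len(expected)]) == expected


def demo() -> dict:
    """Constructed sample: a small 'download' and a copy with one flipped bit."""
    data = b"constructed sample installer bytes\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.bin"), os.path.join(d, "bad.bin")
        with open(good, "wb") as f:
            f.write(data)
        with open(bad, "wb") as f:
            f.write(bytes([data[0] ^ 0x01]) + data[1:])
        sha256_7zip = "SHA256: " + hashlib.sha256(data).hexdigest().upper()
        sha1_line = hashlib.sha1(data).hexdigest() + "  good.bin"
        return {"good_sha256": verify_download(good, sha256_7zip),
                "bad_sha256": verify_download(bad, sha256_7zip),
                "good_sha1": verify_download(good, sha1_line)}


if __name__ == "__main__":
    print(demo())
```

A single flipped bit in the copy is enough to make the comparison fail, which is the corruption case discussed in the thread.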
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    EXAMPLE:
    hashtab.jpg
     