Introduction
A checksum is a hash of a file that is used to verify the file's integrity. Verifying a checksum confirms that the file arrived complete and unaltered: the bytes you have produce the same hash as the one the publisher posted, so nothing was truncated or corrupted during the download.
A common use case for checksum verification is a large download such as an .iso disk image.
MD5 and SHA1 hashes have traditionally been used for this task; SHA256 is the usual choice today.
We will look at easy ways to compute a file's hash so it can be compared with the published checksum.
A checksum only verifies the integrity of a file. It does not provide any confidentiality or encryption. It also does not provide authenticity, that is, it cannot tell you who created the original download: anyone who can replace the file on a mirror can usually replace the checksum published next to it as well, so a checksum is only as trustworthy as the channel it came from (for example the project's own HTTPS page rather than the mirror that served the file). To verify authenticity (who it came from), a GPG signature should be used. To learn more read How to Verify a GPG Signature. To verify confidentiality (that nobody else can read it), GPG encryption should be used. To learn more read GPG Tutorial - Encryption.
Verify MD5 checksums
The MD5 hash is still very common, although it is considered unsuitable for cryptographic use: practical collision attacks against MD5 have been known since 2004, so two different files can be made to share the same MD5 checksum. You will still encounter MD5, especially in older applications, but SHA256 or stronger is what I would recommend when you have the choice. SHA hashing is covered in the next section.
Most operating system distributions ship a tool to compute an MD5 hash. Here are examples of how to do it in Windows, Mac, and Linux.
# Mac terminal
md5 [file-to-hash]
# Windows command prompt
certutil -hashfile [file-to-hash] md5
# Linux shell
md5sum [file-to-hash]
Verify SHA1 - SHA512 checksums
Calculating a SHA hash is similar to MD5 except that you replace the MD5 algorithm with one of the SHA hashing algorithms. The most common are SHA1, SHA256, and SHA512. SHA1 is deprecated: a practical collision was demonstrated in 2017, so treat a SHA1 checksum with the same caution as MD5. SHA256 and SHA512 both belong to the SHA-2 family and both are considered secure; SHA512 has a longer output but is not meaningfully stronger for checksum verification. Whichever algorithm you use, compare the output with the published value character for character; a single differing hex digit means the file is not the one that was published. Here are examples that demonstrate how to get the hash in Windows, Mac, and Linux.
# Mac terminal
shasum -a 1 [file-to-hash]
shasum -a 256 [file-to-hash]
shasum -a 512 [file-to-hash]
# Windows command prompt
certutil -hashfile [file-to-hash] sha1
certutil -hashfile [file-to-hash] sha256
certutil -hashfile [file-to-hash] sha512
# Linux shell
sha1sum [file-to-hash]
sha256sum [file-to-hash]
sha512sum [file-to-hash]
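Putting the MD5 and SHA sections together, here is a small POSIX shell script that does the step the commands above leave to the reader: it computes a file's SHA256 and compares it with a published value, and it can also look the file up in a SHA256SUMS-style list of the kind distributions publish next to their images. This is an added example for this page, not code from the original tutorial. The function names (sha256_of, verify_sha256, verify_from_list, demo) are my own; the script assumes either sha256sum (GNU coreutils) or shasum (macOS) is on PATH, and the sample file and checksum list it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a download against a published SHA256 checksum.
# Assumes sha256sum (Linux) or shasum (macOS) is available on PATH.

# Print the SHA256 hex digest of the file "$1", portable across Linux and macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch or when the file cannot be read. An unreadable file or a
# missing expected value is a failed check, never a pass.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "FAILED: no expected checksum for $file" >&2; return 1; }
    [ -r "$file" ] || { echo "FAILED: cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "FAILED: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# verify_from_list FILE SUMS_FILE
# Looks up FILE's basename in a SHA256SUMS-style list ("<hex>  <name>" or
# "<hex> *<name>" for binary mode) and verifies against that entry.
# A file that is absent from the list fails rather than passing silently.
verify_from_list() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$2")
    if [ -z "$expected" ]; then
        echo "FAILED: no entry for $name in $2" >&2
        return 1
    fi
    verify_sha256 "$1" "$expected"
}

# demo: build a constructed stand-in for a download plus its checksum list,
# then verify it. The content "abc" hashes to the well-known SHA256 value below.
demo() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/image.iso"   # constructed sample file, not a real image
    echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  image.iso" > "$dir/SHA256SUMS"
    verify_from_list "$dir/image.iso" "$dir/SHA256SUMS"
    status=$?
    rm -rf "$dir"
    return $status
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh verify.sh demo` to see the constructed sample pass; in practice call verify_from_list with the downloaded image and the SHA256SUMS file you obtained from the project's own site, not from the mirror that served the image. The lookup deliberately fails when the file has no entry in the list: a verification script that cannot find an expected value must not report success.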
Conclusion
After reading this you should understand why you would want to verify a download with a checksum, which security properties a checksum does and does not provide, and the difference between verifying a checksum and verifying a GPG signature.