Photo by Maksym Kaharlytskyi on Unsplash

What is a checksum?

How to verify the checksum of a file and why it’s important

Files of all types are downloaded everyday and every second. From documents to videos, music to applications, etc going from point A to point B. “A” being the source, in most cases a url endpoint that triggers the download process to “B” being the end user’s destination. In many cases if the the file we’re downloading doesn’t come from a familiar source say from a torrent server. How can we verfiy that the file’s integrity? This is where checksums come in?

What is a Checksum?

Basically a checksum is hash value as a result of passing a file through an algorithm, either MD5, SHA-1 or SHA-256. Each algorithm produces different results but it’s recommended that SHA-256 should be used to generate the checksum.

Verifying checksums are useful when files may have been corrupted during network transmission or storage to a hard drive. In practice to validate the integrity of a file the checksum of the original file is needed. If the checksum of the original file is the same as the new file then it’s valid. If not the file may have be altered.

Imagine downloading an application from a site and not verifying it’s checksum. There’s a possibility once you download that application it could really become a disaster. Maybe it would contain some malware or trojan horse that would infiltrate your machine and cause a host of issues that cannot be fixed.

Many Linux distros require users to download from a torrent server and their manual instructions usually include validating the checksum prior to using distro. For example the Kali Linux distro download page gives the checksum of the original file and users validate against that.

# Example format of Kali Linux download page
Filename | Torrent | Version | Size | Checksum Hash

Real word use case

For this example using several commands, a linux distro will be downloaded and its checksum will be validated.

$ wget https://path/to/amd64.iso
$ sha256sum -c amd64.iso
[returned hash]

After we know what the original checksum hash is, we then download a copy of the file. From there execute the sha256sum cmd passing the new file with the -c (check) argument. The new file’s hash will be returned and it should be compared to the original file’s hash.

** Note ** This example is performed in Linux but if you’re using Windows there’s a built-in utility that performs this check and on Mac you’ll need to download a package that runs this process.

If comparing the hashes character by character seems tedious I have built small application that returns a response for a valid/invalid file. Check it out here. All you have to do is enter the original hash and the name of the new file. That’s it

---------------------------
Checkem v1.0
Written By: bshelling | bshelling@gmail.com
Application validates the integrity of a downloaded file
---------------------------
Enter the original file's checksum:
Enter the name of the file to validate:
[response]

Shelling is what they call me. A forward thinker debugging life's code line by line. Creator, crossfitter, developer, engineer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store