When manually downloading files over the internet, it's always a good idea to check the integrity of these files, either to make sure no one has modified them maliciously or just to check they have not become corrupted during the download process.
If you perform downloads with services such as the App Store, then this validation is performed for you automatically, but when manually downloading a file from a website we can perform this task ourselves.
Checksum Validation
When downloading a file from a website, you may have seen hashes (a string of hexadecimal numbers) listed next to the downloads. For example, this is a download from Line6:
What is a hash
So the first question is, what is a hash?
The idea behind hashing is to take an arbitrary block of data, which can be any size, and run it through a cryptographic process, which then returns a fixed-size “hash” value. So there are a couple of key points. Firstly, the input data can be any size, but the result is always a fixed-length hexadecimal number. Secondly, if the input data varies by even the smallest amount, the generated hash will be completely different. So, in practice, no two different pieces of data should result in the same hash.
For Example:
As you can see, some data goes in, a cryptographic function then generates a unique hash for that data.
With the first two examples, the same data goes in, resulting in the same hash generated.
The other examples vary the data going in, thus generating different hashes. Even when we only change one character, as in the third example, the generated hash is completely different.
Validating a file
So how can we make use of this? Well, a lot of websites will display the hash that was generated for the file you are about to download. After downloading the file, you can then generate a hash of the version of the file you have. If it generates the same hash as published, then you can be assured the file is identical. If anything had happened to the file, then the hashes would have been different.
Generating a hash from a file.
There are a number of different cryptographic schemes that are widely used, including MD5, SHA-1 and SHA-256. The vendor will tell you which one they used.
Here are 3 examples that generate hashes using the more common methods, MD5, SHA-1 and SHA-256, on a file called ‘myFile.dmg’:
MD5 Example
md5 myFile.dmg
or
openssl dgst -md5 myFile.dmg
SHA-1 Example
openssl dgst -sha1 myFile.dmg
SHA-256 Example
openssl dgst -sha256 myFile.dmg
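The commands above only print a hash; comparing it with the published value by eye is easy to get wrong. The following is an added example, not part of the original post, that does the comparison for you. The function names verify_hash and file_digest are made up for illustration, and the fallback to md5sum / sha1sum / sha256sum is an assumption for systems without openssl.

```shell
#!/bin/sh
# Added example: check a download against the hash published by the vendor.
# verify_hash and file_digest are illustrative names, not from the original post.

# Print only the lowercase hex digest of a file.
file_digest() {
    algo=$1 file=$2
    if command -v openssl >/dev/null 2>&1; then
        # -r prints "<hex> *<file>", so the digest is always the first field
        openssl dgst -"$algo" -r "$file" | awk '{print tolower($1)}'
    else
        # Assumed fallback: coreutils md5sum / sha1sum / sha256sum
        "${algo}sum" "$file" | awk '{print tolower($1)}'
    fi
}

# verify_hash <md5|sha1|sha256> <file> <published-hash>
# Returns 0 on match, 1 on mismatch, 2 on usage or read errors.
verify_hash() {
    algo=$1 file=$2
    case $algo in
        md5|sha1|sha256) ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # Normalise the published value: strip whitespace from copy/paste, lowercase
    expected=$(printf '%s' "$3" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    actual=$(file_digest "$algo" "$file")
    [ -n "$actual" ] || { echo "could not hash: $file" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published $algo hash"
        return 0
    fi
    echo "MISMATCH for $file - do not open or install it" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Example call (the last argument is the hash copied from the download page):
#   verify_hash sha256 myFile.dmg "<published hash>"
```

Where the vendor publishes more than one hash, check the SHA-256 value, since practical collisions are known for MD5 and SHA-1. A matching hash only proves the file is the one the page describes, so copy the published value from the vendor's own HTTPS page rather than from a mirror.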
You can even use this to verify backups of your own files. After copying a file to a destination, you can generate hashes on the original and the copy. If they match, you know you are good.
I hope you enjoyed this overview.