How to Check the File Integrity of a Downloaded Package in Linux

 

Part of using a Linux-based operating system is using the package manager of your Linux distribution to download and install new software. On CentOS/RHEL-based distributions, for example, the EPEL repositories provide you with almost everything you need. And often when a repository is not pre-installed, you can add it manually, after which packages are downloaded and verified against the repository's signing key before they are installed.

However, sometimes you have no choice but to download the packages directly over the Internet. One example is the operating systems themselves. If you want to download a new distribution, you’ll have to get it from a website.

Verifying File Integrity with Hashes

But how do we know that the files we download are indeed the file that the creator made? What if someone maliciously accessed the servers and placed their own file in there instead? We might end up downloading and then using a file that might be deeply compromised!

Sometimes files are distributed widely through third-party sites, such as SourceForge. We need a way to verify that the file we’re downloading hasn’t been tampered with and re-packaged. This is where hashes come in.

A “hash” is a special mathematical operation we perform on a file that generates a string of characters that is unique to that file. These are also referred to as “checksums”. While it is not perfectly unique, the chance of two different files producing the same hash is low enough for it to be an acceptable form of security. A good hashing algorithm will ensure that even small variations in the input file will generate huge differences in the output hash. Thanks to this, it is practically impossible to tamper with a file in any way and have the hash remain similar.

If the hashes of two files have been generated by a good algorithm, and they match, you can be next to certain that the two files are the same. Because of this, all good software providers also display their hashes next to the files they offer for download. Like this:

Now let’s see how to verify the hash.

Generating and Comparing Hashes

This website offers two hashing algorithms – SHA256 and SHA512. SHA256 is good enough for our purposes. When you click on the “SHA256” link, you get this:

The 64 characters you see here make up the SHA256 hash for the file we want to download. To verify it, we first download the file itself via wget as shown here:

And then we use the following command in our terminal to generate the SHA256 hash:

sha256sum [filename]

Replace [filename] with the name of the file you just downloaded. It will generate a string of 64 characters, like this:

Now all we need to do is compare the string of characters it generates with the one provided by the website in the second screenshot.

To make it easier to read with some formatting, here’s a command to make everything uppercase and split the hash into groups of 8 characters:

sha256sum [filename] | awk '{print toupper($1)}' | fold -w8

And we get an output like this:

With this command, it is much easier to compare as opposed to a long string of 64 characters.
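The manual comparison above is easy to get wrong by eye, so here is an added example (not from the original article) that automates it: a small POSIX shell helper that computes the SHA256 of a downloaded file, compares it with the hash copied from the download page regardless of letter case, prints both in the 8-character groups used above, and returns a non-zero status on mismatch so an install script can abort. The file name and hash used below are constructed demo values, and the helper assumes the expected hash was copied from a page you trust, since a hash only proves the file matches that published value.

```shell
# verify_sha256 FILE EXPECTED_HEX  -> returns 0 on match, 1 on mismatch
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')      # sites publish either case
    actual=$(sha256sum "$file" | awk '{print $1}')     # first field is the hex digest

    # Show both hashes in the uppercase, 8-character groups used above.
    echo "computed: $(printf '%s' "$actual"   | tr 'a-f' 'A-F' | fold -w8 | tr '\n' ' ')"
    echo "expected: $(printf '%s' "$expected" | tr 'a-f' 'A-F' | fold -w8 | tr '\n' ' ')"

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file was altered in transit or the download is incomplete" >&2
    return 1
}

# The same check using sha256sum's own verification mode. It expects lines of
# the form "<hex>  <filename>" (two spaces), which is also the format of the
# SHA256SUMS files many download pages publish. Exit status 0 means a match.
verify_with_check_mode() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s  %s\n' "$expected" "$1" | sha256sum -c --status -
}

# Constructed demo input (not a real download): a file holding the three
# bytes "abc", whose SHA256 is a well-known published test vector.
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
demo_hash=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

verify_sha256 "$demo_file" "$demo_hash"                  # prints OK, status 0
printf 'abcd' > "$demo_file"                             # simulate a tampered file
verify_sha256 "$demo_file" "$demo_hash" || echo "refusing to install"   # status 1
rm -f "$demo_file"
```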

Other Checksum Algorithms

Different websites will have different hashing algorithms for you to compare. In the example above, we looked at SHA256. Here are the commands for the others:

SHA256 – sha256sum (used above)
SHA512 – sha512sum
MD5 – md5sum

If you need to calculate the hash for another algorithm, just replace “sha256sum” in the examples above with the command you need. Keep in mind, however, that the MD5 hash has been insecure for some time now. When a SHA hash is used to store passwords, something called a ‘salt’ can be added to improve its security – however, even a salted plain SHA hash is not impossible to get past, so it is discouraged for protecting passwords and personal data.

If you are able to successfully compare the hashes of the downloaded file to the one that’s displayed on the website, you can be sure that the file you downloaded is the one that the creator intended for you to have.
