ad3laid3/Guides
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Guides/File-Verification-and-Checksums/Guide.md
MiTHRAL 7af6fb3b55 Guides Added
2026-05-14 22:26:43 -04:00

140 lines
3.1 KiB
Markdown
Raw Permalink Blame History

# File Verification and Checksums
---
### 1. Goal
This guide explains how to verify downloaded files using hashes and signatures. Verification helps confirm that a file was not corrupted, swapped, or modified after release.
Checksums do not prove a file is safe by themselves. They prove that your copy matches a known value.
---
### 2. Common Verification Types
You will usually see:
* **SHA256:** the most common checksum for releases.
* **SHA512:** a longer checksum, also common.
* **GPG/PGP signature:** proves a file was signed by someone with a specific private key.
* **Code signing:** built into some operating systems for apps and installers.
If a project provides both a checksum and a signature, use both.
---
### 3. Recommended Tools
Use built-in commands first. Add a GUI only if it makes verification easier.
* **PowerShell `Get-FileHash`:** built into modern Windows and good for SHA256/SHA512 checks.
* **`sha256sum`:** standard on most Linux systems.
* **`shasum`:** available on macOS and many Unix-like systems.
* **GnuPG:** command-line OpenPGP tool for signature verification.
* **Gpg4win / Kleopatra:** practical Windows GUI for GnuPG signatures and certificates.
Official links:
* GnuPG: `https://gnupg.org`
* Gpg4win: `https://gpg4win.org`
---
### 4. Verify SHA256 on Windows
Open PowerShell in the folder containing the file:
```powershell
Get-FileHash .\filename.ext -Algorithm SHA256
```
Compare the output to the checksum published by the source.
The values must match exactly. Close is not good enough.
---
### 5. Verify SHA256 on Linux
Open a terminal in the folder containing the file:
```sh
sha256sum filename.ext
```
Compare the first long value to the published SHA256 checksum.
---
### 6. Verify SHA256 on macOS
Open Terminal in the folder containing the file:
```sh
shasum -a 256 filename.ext
```
Compare the output to the published checksum.
---
### 7. Verify a GPG Signature
Some projects publish a file plus a signature file:
```text
example.iso
example.iso.sig
```
Basic flow:
1. Download the file.
2. Download the signature.
3. Import the developer or project signing key from the official source.
4. Verify the signature.
5. Confirm the key fingerprint matches what the project publishes.
Example command:
```sh
gpg --verify example.iso.sig example.iso
```
A valid signature means the file matches the signer. It does not automatically mean the signer is trustworthy. Always check the signing key fingerprint from an official source.
---
### 8. What a Mismatch Means
If the checksum does not match:
1. Do not run the file.
2. Delete the file.
3. Download it again from the official source.
4. Recheck the hash.
5. If it still does not match, treat the release or mirror as untrusted.
Possible causes:
* incomplete download;
* wrong version;
* corrupted file;
* mirror replaced the file;
* malicious modification.
---
### 9. Keep Verification Notes
For important files, keep a small note next to the download:
```text
File: example.iso
Source: https://example.org/releases
Version: 1.2.3
SHA256: ...
Checked: 2026-05-14
```
This is useful for operating system images, firmware, backups, archives, and tools you may reinstall later.
Reference in a new issue View git blame Copy permalink