# File Verification and Checksums

---

### 1. Goal

This guide explains how to verify downloaded files using hashes and signatures. Verification helps confirm that a file was not corrupted, swapped, or modified after release.

Checksums do not prove a file is safe by themselves. They only prove that your copy matches a known value.

---

### 2. Common Verification Types

You will usually see:

* **SHA256:** the most common checksum for releases.
* **SHA512:** a longer checksum, also common.
* **GPG/PGP signature:** proves a file was signed by someone with a specific private key.
* **Code signing:** built into some operating systems for apps and installers.

If a project provides both a checksum and a signature, use both: a checksum posted next to the download can be replaced along with the file, while a signature ties the file to a key you verify independently.

---

### 3. Recommended Tools

Use built-in commands first. Add a GUI only if it makes verification easier.

* **PowerShell `Get-FileHash`:** built into modern Windows and good for SHA256/SHA512 checks.
* **`sha256sum`:** standard on most Linux systems.
* **`shasum`:** available on macOS and many Unix-like systems.
* **GnuPG:** command-line OpenPGP tool for signature verification.
* **Gpg4win / Kleopatra:** practical Windows GUI for GnuPG signatures and certificates.

Official links:

* GnuPG: `https://gnupg.org`
* Gpg4win: `https://gpg4win.org`

---

### 4. Verify SHA256 on Windows

Open PowerShell in the folder containing the file:

```powershell
Get-FileHash .\filename.ext -Algorithm SHA256
```

Compare the output to the checksum published by the source.

The values must match exactly. Close is not good enough. Letter case does not matter (Get-FileHash prints upper case, many projects publish lower case), but every one of the 64 hex characters must be identical.

---

### 5. Verify SHA256 on Linux

Open a terminal in the folder containing the file:

```sh
sha256sum filename.ext
```

Compare the first long value to the published SHA256 checksum.

---

### 6. Verify SHA256 on macOS

Open Terminal in the folder containing the file:

```sh
shasum -a 256 filename.ext
```

Compare the output to the published checksum.
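The Linux and macOS sections above both end with a comparison done by eye, and section 8 describes what to do when it fails. As an added example, not part of this guide, here is a small POSIX shell script that performs that comparison: it uses `sha256sum`, `shasum -a 256` or `openssl dgst` (whichever the system has), strips whitespace and letter case from the published value so that only the digest is compared, rejects anything that is not a 64-character hex digest, and exits non-zero on a mismatch so it can gate the next step. The function names are the example's own.

```sh
#!/bin/sh
# Added example: compare a downloaded file's SHA256 with a published value.
# Usage: verify_sha256 <file> <published-digest>
# Exit status: 0 exact match, 1 mismatch or malformed digest, 2 cannot hash.

file_sha256() {
  # sha256sum (coreutils), shasum (macOS) and "openssl dgst -r" all print
  # "<hex>  <name>"; keep only the first field so the digest is all we compare.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

normalize_digest() {
  # Published checksums may be upper-case (Get-FileHash style) or carry stray
  # whitespace from copy and paste; neither changes the digest itself.
  printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

verify_sha256() {
  file=$1
  expected=$(normalize_digest "$2")

  # A SHA256 digest is exactly 64 hex characters. Anything else is not a
  # checksum, and comparing against it would only produce a false mismatch.
  case "$expected" in
    *[!0-9a-f]*|'') echo "malformed expected digest: '$2'" >&2; return 1 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "expected digest has ${#expected} hex characters, not 64" >&2
    return 1
  fi

  if [ ! -f "$file" ]; then
    echo "no such file: $file" >&2
    return 2
  fi
  actual=$(file_sha256 "$file")
  if [ -z "$actual" ]; then
    echo "no SHA256 tool found (need sha256sum, shasum or openssl)" >&2
    return 2
  fi

  # Close is not good enough: every one of the 64 characters must match.
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file"
    return 0
  fi
  echo "MISMATCH $file" >&2
  echo "  published: $expected" >&2
  echo "  computed:  $actual" >&2
  return 1
}

# Stand-alone use: ./verify.sh example.iso <digest copied from the release page>
if [ "$#" -eq 2 ]; then
  verify_sha256 "$1" "$2"
fi
```

If the project publishes a `SHA256SUMS` file instead of a single value, `sha256sum -c SHA256SUMS` (or `shasum -a 256 -c SHA256SUMS` on macOS) performs the same exact comparison for every file listed in it.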

---

### 7. Verify a GPG Signature

Some projects publish a file plus a signature file:

```text
example.iso
example.iso.sig
```

Basic flow:

1. Download the file.
2. Download the signature.
3. Import the developer or project signing key from the official source.
4. Verify the signature.
5. Confirm the key fingerprint matches what the project publishes.

Example command:

```sh
gpg --verify example.iso.sig example.iso
```

A valid signature means the file was signed by the holder of that key and has not changed since. It does not automatically mean the key belongs to the project or that the signer is trustworthy. Always check the signing key fingerprint against an official source.
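Step 5 of the flow above is the one most often skipped, because `gpg --verify` prints "Good signature" for any key that happens to be in your keyring. As an added example, not part of this guide, the following POSIX shell function reads GnuPG's machine-readable status output (`gpg --status-fd 1 --verify ...`) and succeeds only when a `VALIDSIG` line carries the fingerprint you copied from the project's official page; it accepts a match on either the signing subkey or the primary key fingerprint that GnuPG reports, and refuses if GnuPG reported a bad or unverifiable signature. The function name is the example's own, and the status lines and fingerprints used to exercise it are constructed.

```sh
#!/bin/sh
# Added example: accept a GnuPG signature only if it was made by the key whose
# fingerprint the project publishes. Reads "gpg --status-fd 1" output on stdin.
# Usage:
#   gpg --status-fd 1 --verify example.iso.sig example.iso | check_validsig "<published fingerprint>"
# Exit status: 0 a VALIDSIG from the expected key was seen, 1 otherwise
# (bad signature, unknown key, or a good signature from some other key).

check_validsig() {
  # Published fingerprints are usually grouped in blocks of four with spaces;
  # GnuPG prints 40 (v4 key) or 64 (v5 key) contiguous upper-case hex digits.
  want=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
  case "$want" in
    *[!0-9A-F]*|'') echo "malformed expected fingerprint: '$1'" >&2; return 1 ;;
  esac
  if [ "${#want}" -ne 40 ] && [ "${#want}" -ne 64 ]; then
    echo "expected fingerprint has ${#want} hex digits, not 40 or 64" >&2
    return 1
  fi

  found=1
  bad=0
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        # Fields after the prefix: <signing-key fpr> <date> <timestamp>
        # <expiry> <version> <reserved> <pk-algo> <hash-algo> <class>
        # [<primary-key fpr>]. Strip the prefix before word-splitting so the
        # "[GNUPG:]" token is never exposed to pathname expansion.
        rest=${line#"[GNUPG:] VALIDSIG "}
        set -- $rest
        signing=$1
        primary=""
        for f in "$@"; do primary=$f; done   # last field, if present
        if [ "$signing" = "$want" ] || [ "$primary" = "$want" ]; then
          found=0
        fi
        ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        # The signature itself did not verify; never accept, whatever the key.
        bad=1
        ;;
    esac
  done

  if [ "$bad" -eq 1 ]; then
    echo "gpg reported a bad or unverifiable signature" >&2
    return 1
  fi
  if [ "$found" -ne 0 ]; then
    echo "no valid signature from key $want" >&2
  fi
  return "$found"
}
```

`--status-fd` is a standard GnuPG option, and `VALIDSIG`, `BADSIG`, `ERRSIG` and `NO_PUBKEY` are its documented status tokens. The fingerprint you pass must come from the project's official page or documentation, not from the key file or the signature file you just downloaded, since those can be replaced together with the release.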

---

### 8. What a Mismatch Means

If the checksum does not match:

1. Do not run the file.
2. Delete the file.
3. Download it again from the official source.
4. Recheck the hash.
5. If it still does not match, treat the release or mirror as untrusted.

Possible causes:

* incomplete download;
* wrong version;
* corrupted file;
* mirror replaced the file;
* malicious modification.

---

### 9. Keep Verification Notes

For important files, keep a small note next to the download:

```text
File: example.iso
Source: https://example.org/releases
Version: 1.2.3
SHA256: ...
Checked: 2026-05-14
```

This is useful for operating system images, firmware, backups, archives, and tools you may reinstall later.