Luke Sheppard's blog about information security, web development, and hacking 

Home Blog Verifying a Checksum…Forever

Verifying a Checksum…Forever

Typists, ca. 1915. Photo by Lewis W. Hine.

Recently, I finally bothered to learn the proper way to verify checksums via command line instead of just eyeballing checksum output compared with the checksum supplied with the file.

Lets say you downloaded a script called “” and the website hosting it put a “sha1” link next to the download link. If you are lucky clicking the “sha1” link will download a properly formated checksum file. But it might just take you to a plain HTML page with the sha1 checksum value displayed. If it is the latter, then you’ll have to create the checksum file. The filename in the second column of the checksum file must match the filename of the file you’re checking. You can do it this way:

bash-3.2$ shasum | tee

FYI the “tee” command above is in there just so you can see the output and write the output to a file at the same time. Now use a text editor to replace the checksum value with the checksum value from the website where you downloaded the file. I don’t care if you think they look identical. The whole point of verifying a checksum is to know that they are identical. Save the checksum file. Now run this command:

bash-3.2$ shasum --check OK

Or, if the checksum is bad, you’ll see this output:

bash-3.2$ shasum --check FAILED
shasum: WARNING: 1 of 1 computed checksums did NOT match

If that is the case, try downloading the file again (in this case, Maybe it got mangled in transit. It happens. If the checksum fails again, don’t trust the file you downloaded. Delete it and contact the site you downloaded it from.

By the way, you can put any number of checksum/filename pairs into a checksum file and shasum (or your OS’s equivalent command) will verify all of them, one after the other.

As an added bonus, you can verify the checksum any time in the future if you encrypt and sign the checksum file using your PGP/GPG key. That way you’ve always got the correct, original checksum. And you know that it was never modified and the original file (in this case, was never modified.

bash-3.2$ gpg --encrypt --sign --recipient lshep

GPG will ask you for your password so that you can unlock your private key. This enables GPG to use your private key for signing the file it is encrypting. And, obviously, you want to set yourself (your public key’s username) as the recipient. Otherwise you won’t be able to decrypt this file every again.

You now have two files, “”, and “”. Delete the plaintext file (the one that does not have the “.gpg” file extension). Now, if the day ever comes that you suspect that “” was modified from the original, you can verify the original checksum. This is especially important if the website you got “” from is gone or no longer has the version of that file that you need. You can decrypt the checksum file this way:

bash-3.2$ gpg --decrypt

You will have to supply your password for the decryption. And GPG will verify the signature (in this case, your signature) of the file along the way. After supplying your password, you should get this output:

gpg: encrypted with 4096-bit ELG-E key, ID A6FF229C, created 2002-04-16
"Luke Sheppard "
gpg: Signature made Thu Sep 20 23:07:46 2012 PDT using DSA key ID D1AE6740
gpg: Good signature from "Luke Sheppard "

You still have your encrypted and signed “” file, but now you also have the decrypted “” file. Now go back to the top of this article and verify the integrity of your “” (or whatever) file using your newly decrypted checksum file.

 Share on Facebook Share on Twitter Share on Reddit Share on LinkedIn