How to Verify Authenticity and Integrity of Downloaded Files

Software download is one of the most common activities every savvy internet user performs now and then. Although, modern antivirus applications easily catch compromised files—but—what about file corruption by packet loss? How can it be detected and verified? In this context, we are dealing with two different things, viz., authenticity, and integrity. The former ensures the file is indeed provided by a trusted source and is free from any malware or malicious code, and the latter ensures it's not corrupted due to packet loss during transmission. In this guide, we'll address both of these critical factors.

📷 Credit: Ed Hardie / Unsplash

There's an easy mechanism for the end user to verify the integrity and authenticity of any downloaded file. All trusted and reputed download websites support this mechanism for the users.

Read Also:
How to Secure and Lock Folders on Your Devices

The next section will familiarize you with this mechanism, its functioning, and how it ensures smooth and easy verification of downloaded files. Let's get started, NOW

Cryptographic Checksum for File Integrity

A cryptographic checksum is a fixed-length alphanumeric string generated by a hashing function. This function is applied on a file and you get a hash value (alphanumeric string) as the output.

It looks something like this.

📷 Checksum values for ISO files. / Credit: Pop!_OS

How does this ensure file integrity?

Well, even if a bit is changed in the file, a completely different checksum is generated indicating the change in the file's content.

So, an aware user, after downloading the file from the internet, generates a checksum locally and compares it with the one published on the file owner's website.

If there's a mismatch, the file is corrupted or infected with malicious code.

Here's the entire process illustrated as a graphic.

📷 Simple checksum matching process for ensuring file integrity.

As you can see, the process is simple. The website provides both the file and its checksum. Download and copy both, generate a checksum locally using the downloaded file, and finally, compare the locally generated checksum with the one copied from the website.

If both match, you are good to go. Else, do not use that file.

The most popular checksum-generating algorithms used by the applications are MD5, SHA-1, SHA-256, and SHA-512.

Without going into the technicalities of how these algorithms work, let's straightaway learn how to use this method to verify downloads on Windows, Mac, and Linux.

Verifying File Integrity in Windows

All popular desktop operating systems have built-in commands to generate checksum against a given file. Windows too has a certutil command.

You can use it from the command prompt as well as PowerShell with admin privileges.

The syntax of the command is as follows.

certutil -hashfile path/to/downloaded/file ALGO_ABBRV

The hashing algorithms supported by this command are:

• MD2
• MD4
• MD5
• SHA1
• SHA256
• SHA384
• SHA512

The website you've downloaded the file from will always indicate the algorithm they've used to generate the checksum. Simply use that algorithm's abbreviation in the command.

So, for example, if you've downloaded a file demo.iso at the location D:\downloads on your PC, and the algorithm used at the file source end is MD5, the command to generate a checksum (locally) will be as follows.

certutil -hashfile D:\downloads\demo.iso MD5

# Command output
MD5 hash of D:\downloads\demo.iso:
45baab64b088431bdf3370292e9a74b0
CertUtil: -hashfile command completed successfully.

Now, you can easily match the checksum generated locally with the one fetched from the file's source website. If both the checksums are different, do not use that file on your computer.

Verifying File Integrity in Mac

If you are using a Mac computer, checksum generation can be completed through 2 different commands. Remember, no matter which operating system you are using, the checksum will always be the same.

You can use the md5 or shasum command for generating file checksum on a Mac computer.

Let's first see the usage of the md5 command. The file name and path are imaginary for demo purposes.

md5 /Users/rajeevedmonds/demo.iso

# Command output
MD5 (/Users/rajeevedmonds/demo.iso) = 45baab64b088431bdf3370292e9a74b0

And, the shasum command can be used as follows.

# Command for SHA1 checksum
shasum -a 1 /Users/rajeevedmonds/demo.iso

# Command for SHA256 checksum
shasum -a 256 /Users/rajeevedmonds/demo.iso

#Command output
c73cef32202a2a2df66339ed180b6b7292a58e36d83a448273c4795e8f7715e5 /Users/rajeevedmonds/demo.iso

As usual, compare the locally generated checksum with the one provided by the file's source website to verify the file's integrity.

Verifying File Integrity in Linux

The file integrity checking mechanism is the same in Linux too. All you need to know are the commands used for the same.

You can use these commands to generate MD5, SHA1, and SHA256 checksums. Here are the examples of all three.

# Generate MD5 checksum
md5sum /Users/rajeevedmonds/demo.iso

# Generate SHA1 checksum
sha1sum /Users/rajeevedmonds/demo.iso

# Generate SHA256 checksum
sha256sum /Users/rajeevedmonds/demo.iso

# Command output
c73cef32202a2a2df66339ed180b6b7292a58e36d83a448273c4795e8f7715e5 /Users/rajeevedmonds/demo.iso

Remember, if the file is extremely huge, it may take a couple of minutes or maybe more than that to generate the checksum. So, be patient!

There are GUI-based checksum-generating tools available for all the platforms—but—I'll recommend sticking to the native commands as they are easy to use and work like charm.

Image Credit: All screenshots and images by Rajeev Edmonds/FreshTechTips