If you ever need to quickly and easily verify the hash sum, or checksum, of a piece of software using Windows, here is a quick and easy way to do it:
- Download and run Raymond’s MD5 & SHA Checksum Utility (Download)
- Click “File”, browse to your file you want to verify, and select it.
- The utility will automatically run the file through the MD5, SHA-1, and SHA-256 cryptographic functions and output them for you.
You can give it a try by verifying the programs own checksum. Just browse and select the checksum utility and have it check itself:
As you can see above, the checksums match the checksum distributed by the software developer (version 2.0 of the utility). You can either manually eyeball the strings to verify, or you can copy and paste a checksum string provided by the developer into the hash box and verify.
You should run this type of verification on all software downloads. Checksum verification works on zip files, executables, iso downloads, or any other type of file.
If you are a command line fan, Microsoft has their own unsupported command line checksum utility.
Why should you verify a checksum in the first place?
Verify the checksum so you don’t deploy malware ridden software!
A malware distributor would have no problem injecting a free piece of software with his own hidden code. He would then release it out into the wild for unsuspecting individual to use and distribute.
Even if you downloaded your software from a “reputable” 3rd party site, there is a chance that the site owners didn’t verify the checksum and are unknowingly distributing a tainted version of the software. Always verify.
There is also a chance that your software is legitimately corrupt. It sometimes happens. These same integrity verification functions will pick up on those changes same as it picks up on malware.
How does a checksum work?
A checksum is a hash value that’s created and distributed by the software creator. They obtain this hash by running their program through one or several cryptographic hash functions right at release. These hash functions scan the program’s contents and hash it into a short, readable “checksum” string. If a 3rd party were to take this same piece of software and alter the underlying code, even if only by a small amount, the hash functions will pick up on the changes and generate a completely different checksum string. No matter how hard a malware distributor can try, he could never taint a program without affecting the checksum. His only hope is that his victims will not verify the checksum and skip straight to installation.