Here at ProPrivacy we just love open source software. This is mainly because, despite not being perfect, open source provides the only way to know for sure that a program is on the level.
One problem, though, is how do you know that an open source program you download from a website is the program its developer(s) intended you to download? Cryptographic hashes are a partial solution to this problem.
What is a cryptographic hash?
A cryptographic hash is a checksum or digital fingerprint derived by performing a one-way hash function (a mathematical operation) on the data comprising a computer program (or other digital files).
Any change in just one byte of the data comprising the computer program will change the hash value. The hash value is, therefore, a unique fingerprint for any program or other digital files.
What is a hash check?
Ensuring that a program has not been tampered with, or just corrupted, is a fairly simple matter of calculating its hash value and then comparing it with the hash checksum provided by its developers.
If it's the same, then you have a reasonable degree of confidence that the program you have downloaded is exactly the same as the one published by its developer. If it is not, then the program has been changed in some way.
The reasons for this are not always malicious (see below), but a failed hash check should set alarm bells ringing.
Problems with hash checks
You may have detected a note of caution when singing the praises of hash checks...
Integrity but not authentication
Hash checks are useful for ensuring the integrity of files, but they do not provide any kind of authentication. That is, they are good for ensuring the file or program you have matches the source, but they provide no way of verifying that the source is legitimate.
For example, fake websites exist which distribute malicious versions of popular open source software such as KeePass. Many of these websites even provide hash checksums for the programs they supply and, were you to check these against the fake program, they would match. Oops.
An additional problem is that mathematical weaknesses can mean that hashes are not as secure as they should be.
Despite this, MD5 and SHA1 remain the most popular algorithms used to generate hash values. SHA256, however, remains secure.
Developers sometimes update their programs with bug fixes and new features, but neglect to publish an updated hash checksum. This results in a failed hash check when you download and try to verify their program.
This is, of course, nowhere near as serious as a hash check giving malicious software a pass, but it can degrade trust in the ecosystem, resulting in people not bothering to check the integrity of files they download...
Cryptographic hashes vs digital signatures
Most of the problems with cryptographic hashes are fixed by the use of digital signatures, which guarantee both integrity and authentication.
Developers who are happy to use proprietary code can automatically and transparently validate signatures when their software is first installed, using mechanisms such as Microsoft, Apple, or Google PKI (public key infrastructure) technologies.
Open source developers do not have this luxury. They have to use PGP, which is not natively supported by any proprietary operating system, and why no equivalent of Microsoft, Apple or Google PKIs exist in Linux.
So PGP digital signatures must be verified manually. But PGP is a complete pig to use and is not a simple process, as a quick glance at our guide to checking PGP signatures in Windows will demonstrate.
Neither is the actual signing process for developers, who are well aware that in the real world few people bother to check digital signatures manually, anyway.
Cryptographic hashes are nowhere near as secure as PGP digital signatures, but they are much easier to use, with the result that many developers simply choose to rely on them instead of digitally signing their work.
You really should hash check (if no digital signature is present)
This is a less than ideal situation, and you should always check an open source program’s digital signature when one is available. If one is not, however, then checking its cryptographic hash is much better than doing nothing.
As long as you are confident about the source (for example you are sure it's from the developer’s real website, which has not been hacked to display a fake cryptographic hash), then checking its hash value provides a fair degree of coincidence that the software you have downloaded is the software its developer intended for you to download.
If neither a digital signature nor a checksum is available for open source software, then do not install or run it.
How to hash check
The basic process is as follows:
- Make a note of the hash number published by the developer
- Generate the hash value of the file you have
- Compare the two hash values
If they are identical, then you have the file the developer intended you to have. If not, then it has either become corrupted or has been tampered with.
If an SHA256+ hash is available, check against that. If not, then use SHA1. Only as a last resort should you check against an MD5 hash.
The easy way (all systems)
The simplest way to generate the hash value of files is by using a website such as Online Tools. Just select the kind of hash value you need to generate, then drag-and-drop the required file into the space provided and the relevant hash value will be generated.
We want to check the integrity of the KeePass installer file that we have downloaded from the KeePass.org website (which we know to be the correct domain). The website publishes MD5, SHA1, and SHA256 hashes for all versions of its KeePass, so we will check the SHA256 for the version we downloaded.
- We make a note of the correct hash value, as published on the KeePass website.
- We then visit the Online Tools website, select File Hash: SHA256, and drag our downloaded KeePass installer file into the space provided.
- We compare the output with the checksum published on the KeePass website and they are identical. So assuming that the KeePass website has not been hacked to display false hash values, we can be confident that we have downloaded an untampered-with file. Yay!
Windows, macOS, and Linux also have built-in hash value functions which can be accessed via the command-line...
This method works out-of-the box in Windows 10, while Windows 7 users need to first update Windows PowerShell with Windows Management Framework 4.0.
To obtain an SHA256 hash, right-click Start -> Windows PowerShell and type:
MD5 and SHA1 hashes can be calculated using the syntax:
Get-FileHash [path to [path/to/file] -Algorithm MD5
Get-FileHash [path to [path/to/file] -Algorithm SHA1
Get-FileHash C:\Users\Douglas\Downloads\KeePass-2.43-Setup.exe -Algorithm MD5
Open Terminal and type:
openssl [hash type] [/path/to/file]
Hash type should be md5, SHA1, or SHA256.
For example, to check the SHA256 hash for the Windows KeePass installer (just to keep things simple for this tutorial), type:
openssl sha256 /Users/douglascrawford/Downloads/KeePass-2.43-Setup.exe
Open Terminal and type either:
Md5sum [path/to/file]Sha1sum [path/to/file]