
Sum It Before You Run It

General Jan 1, 2000

When browsing through various applications, images, and other files, you will often see additional information referencing a checksum (md5, sha2, etc.) with a long string afterward. While often ignored, a checksum helps confirm the file downloaded matches what the publisher intended. According to Wikipedia, "A checksum is a small-sized datum derived from a block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage. It is usually applied to an installation file after it is received from the download server. By themselves, checksums are often used to verify data integrity but are not relied upon to verify data authenticity."


Many open-source projects and a growing number of paid software publishers are providing a checksum for the latest and greatest versions of their products and wares to allow users to verify what they have downloaded is what the publisher intended to release. Some examples of popular projects providing a checksum include Buscador, Kali Linux, and Maltego.

The publisher-provided checksum is not just for the tinfoil-clad paranoid. There have been niche and mainstream news stories of successful supply chain attacks. One example that comes to mind is when CCleaner's servers were compromised and served up a malicious version of the software. Even after a successful supply chain attack, if CCleaner had provided the checksum and users had been vigilant in always confirming the download matched, the attack would still have been ineffective: users would have noticed the mismatch, reported the file, and stopped the attack sooner.

This seems nebulous and a big to-do, but earlier this year I found myself needing to share and provide verification of a file. The provider of the free virtual machine Buscador took the image down. Multiple users and fans stood up mirrors and provided the checksum so would-be users could ensure they were getting the VM vs. some other nefarious file.

Many third-party tools such as 7-Zip and hashgenerator can produce a file hash, but it can also be done natively with the algorithms built into the main operating systems (Mac, Linux, Windows). Below is an example of getting a file hash using the built-in PowerShell cmdlet 'Get-FileHash'.

Powershell Command:

Get-FileHash 'C:\Users\Frank\Downloads\2019-09-25-rpd-x86-buster.iso' -Algorithm SHA256 | Format-List

Output:

Algorithm : SHA256
Hash      : AC557F27EB8697912263A1DE812DFC99FA8D69BD6ACC73A0B7756A1083BA0176
Path      : C:\Users\Frank\Downloads\2019-09-25-rpd-x86-buster.iso

As you can see, it matches the provided checksum listed on the Debian Buster download page.

Debian Buster iso
SHA-256: ac557f27eb8697912263a1de812dfc99fa8d69bd6acc73a0b7756a1083ba0176
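Comparing a 64-character hex string by eye is error-prone, so here is an added example (not from the original post) that wraps the same Get-FileHash call in a small PowerShell function and lets the script do the comparison. It also verifies a whole SHA256SUMS-style list, the "<hex>  <filename>" format many projects publish next to their downloads. The function names Test-FileChecksum and Test-ChecksumList are my own; the example assumes PowerShell 4.0 or later, where Get-FileHash is built in, and reuses the file path and Debian checksum shown above.

```powershell
# Added example, not part of the original post. Requires PowerShell 4.0+
# (Get-FileHash is built in). Function names are hypothetical.

function Test-FileChecksum {
    [CmdletBinding()]
    param(
        # Downloaded file to check
        [Parameter(Mandatory)] [string] $Path,
        # Checksum as published by the project; mixed case, surrounding
        # whitespace and a trailing "  filename" (SHA256SUMS style) are tolerated
        [Parameter(Mandatory)] [string] $Expected,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Keep only the hex digest: first whitespace-delimited token, upper-cased
    $wanted = ($Expected.Trim() -split '\s+')[0].ToUpperInvariant()
    if ($wanted -notmatch '^[0-9A-F]+$') {
        throw "Expected checksum is not a hex string: '$Expected'"
    }

    # Get-FileHash streams the file, so large ISOs are fine
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $wanted
        Actual    = $actual
        Match     = ($actual -eq $wanted)   # string -eq is case-insensitive in PowerShell
    }
}

# Verify every entry in a SHA256SUMS-style file ("<hex>  <filename>" per line)
# against the files sitting next to it. Blank lines and '#' comments are skipped;
# a listed file that is missing is reported as a non-match rather than ignored.
function Test-ChecksumList {
    param(
        [Parameter(Mandatory)] [string] $SumsFile,
        [string] $Algorithm = 'SHA256'
    )
    $dir = Split-Path -Parent (Resolve-Path -LiteralPath $SumsFile)
    foreach ($line in Get-Content -LiteralPath $SumsFile) {
        if ($line -match '^\s*(#|$)') { continue }
        $hex, $name = ($line.Trim() -split '\s+', 2)
        if (-not $name) { continue }
        $name   = $name.TrimStart('*')   # GNU coreutils marks binary mode with '*'
        $target = Join-Path $dir $name
        if (Test-Path -LiteralPath $target -PathType Leaf) {
            Test-FileChecksum -Path $target -Expected $hex -Algorithm $Algorithm
        } else {
            [pscustomobject]@{
                Path = $target; Algorithm = $Algorithm
                Expected = $hex.ToUpperInvariant(); Actual = $null; Match = $false
            }
        }
    }
}

# Usage with the file and published checksum from the post above
$result = Test-FileChecksum `
    -Path 'C:\Users\Frank\Downloads\2019-09-25-rpd-x86-buster.iso' `
    -Expected 'ac557f27eb8697912263a1de812dfc99fa8d69bd6acc73a0b7756a1083ba0176'
$result | Format-List
if (-not $result.Match) {
    Write-Error "Checksum mismatch for $($result.Path); do not open, mount or run this file."
    exit 1
}
```

Two points worth keeping in mind when using this: take the expected value from the publisher's own page rather than from the mirror you downloaded the file from, since a checksum hosted alongside a tampered file can simply be regenerated to match, and, as the Wikipedia definition quoted at the top says, a matching checksum proves integrity (you got the bytes the publisher listed), not authenticity (that the publisher is who you think). A mismatch should be treated as a stop, not a retry.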

References
https://www.pcworld.com/article/3225407/ccleaner-downloads-infected-malware.html
https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/
https://en.wikipedia.org/wiki/File_verification
