Wednesday, May 26, 2010

How do I Verify the signatures of My Downloads (Checksum)

Disclaimer: These are my thoughts. I am not sure if this is correct but this is what I currently believe. I may or may not change this as my.


Windows 7 does not have a built in Checksum utility unlike Linux, Mac and other O/S's. This creates a chicken and egg problem. How can I verify that the checksum software I download is legitimate if I currently don’t have a way to verify downloads. In other words, how I do I know the checksum software I just downloaded has not been tampered with?

The short answer is there is none. I really think Microsoft should have a checksum utility as part of their O/S.

The correct answer is find some other PC or O/S that presumably has a trusted checksum utility on it and verify the download against that one.

This is what I did. Its less than ideal and I wouldn’t recommend it for PCs that contain any sensitive or personal information (like most all of them). But at least this will get me in the habit of checking software I download.

Here are some options:

  1. Download from Microsoft

    2. Pros:
    It is from Microsoft’s web site so it is presumably safe.

    Cons:
    Unsupported
    Primitive UI - command line interface only

    Syntax: fciv.exe -sha1 C:\Downloads\file_to_verify.exe

    Note: I copied fciv.exe into “C:\Windows\System32” directory so that the path would not have to be specified. No other files were needed to be copied as it was a self-contained executable. In other words, it did not need to be installed.

  2. Download freeware

    3. Pros:
    Free
    Excellent User Interface - Incorporates into O/S well
    View hash by selecting file and clicking - File Properties - File Hashes

    Cons:
    May be a well known organization but I have never heard of them
    Is installed on my PC (trade-off from Pro above)

    http://www.beeblebrox.org/

  3. Download another freeware -

    4. Pros:
    Free
    Good User Interface
    Single executable

    Cons:
    Lacks name brand backing by well known company.

    http://raylin.wordpress.com/downloads



Note: As described in Wikipedia and by the US-Cert Web Site, the MD5 hash is now documented to be vulnerable and should be considered as compromised. The short of it being, if you are going to bother to verify the download, verify with something that is not vulnerable to tampering.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)