Why, When and How to Use SHA256 for Downloads?

tanut aran
Published in CODEMONDAY
Jul 5, 2020

Many download pages, e.g. Golang and Ubuntu, show a SHA256 ‘signature’ next to each file. Some sites, e.g. Audacity, also show MD5 and SHA1, which are less used nowadays. Let's see why they provide us with this ‘hash’.

SHA256 and the other long strings are used as a “checksum”.

What is a checksum?

The ‘sum’ is the process of converting any file to a ‘hash’, a long, long string like 522ff2efcc2dc89b6de70c6a0cc486e53b4a7afc.

The ‘hash’ is a long string that is effectively unique to the file. Any change to the file, no matter how small, changes the hash value.

The same file always has the same ‘sum’. This is used to verify that the downloaded file matches the original file.

Why checksum?

I haven’t done this before for a normal download. So when?

When you are not sure it is exactly that file

Example scenarios:

  • A file was downloaded a long time ago and you are not sure it is still usable or complete.
  • The file was renamed to something else, or its name lacks the full name and version. Checksum to make sure it is the file we’re looking for.
  • For some reason, you did not download from the official or a trustworthy site.
  • The file came from somewhere you don’t know or have forgotten, so you hesitate to run it because it might be malicious software. Checksum to verify it.
  • You copied a large file, e.g. an ISO image, from a hard disk or flash drive and it cannot be opened. Check whether the file is corrupted.
  • The download was paused and started again, and you are not sure the file is complete.
  • The internet is super slow and you are not sure the file is complete.

How to do that on the command line?

The usual command is sha256sum, which takes the checksum file as input.

# check that the command exists
$ sha256sum --help
$ sha256sum --check sha256sum_file

The file sha256sum_file contains a hash and the original filename on each line. For example, look at the SHA256SUMS file from the Ubuntu release.

e5b72e9cfe2098...8150615883ce11 *ubuntu-20.04-desktop-amd64.iso
caf3fd69c77c43...14319a9264df9f *ubuntu-20.04-live-server-amd64.iso

If we don’t want to create that file, we can just compute the checksum and compare by eye:

sha256sum audacity-win-2.4.2.exe
# output
522ff2efcc2dc89b6de70c6a0cc486e53b4a7afc audacity-win-2.4.2.exe

… urgh, that’s not good. We can fire up Python and then copy-paste to compare it, but I think there must be a better way.

More convenient command line

Make a string work just like a file by using echo. Example from the Ubuntu repos:

echo "caf3fd69c77c439f162e2ba6040e9c320c4ff0d69aad1340a514319a9264df9f *ubuntu-20.04-live-server-amd64.iso" | shasum -a 256 --check

In my opinion, the echo and pipe | is a bit cryptic and looks like a workaround. I prefer to use <<< to redirect the string to stdin.

sha256sum --check <<< "caf3fd69c77c439f162e2ba6040e9c320c4ff0d69aad1340a514319a9264df9f *ubuntu-20.04-live-server-amd64.iso"
# output
*ubuntu-20.04-live-server-amd64.iso: OK
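
The same check wrapped as a reusable shell function, as an added example that is not part of the original post. The names verify_sha256 and sha256_of and the return codes are this example's own; it also rejects a pasted value that is not 64 hex characters, such as a 40-character SHA1 string.

```sh
# verify_sha256 FILE EXPECTED_HASH  (hypothetical helper written for this example)
# Returns 0 on match, 1 on mismatch, 2 on bad input.
# Usage: verify_sha256 ubuntu-20.04-live-server-amd64.iso caf3fd69c77c439f162e2ba6040e9c320c4ff0d69aad1340a514319a9264df9f

# Use sha256sum where it exists, otherwise shasum -a 256 (both appear in the post).
# The file is hashed from stdin so an odd filename cannot alter the output line.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | cut -d' ' -f1
}

verify_sha256() {
    file=$1
    # Pasted hashes may be upper-case or carry stray whitespace; normalise first.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    if [ ! -f "$file" ]; then
        echo "verify_sha256: no such file: $file" >&2
        return 2
    fi
    # A SHA256 value is exactly 64 hex characters. 32 or 40 characters
    # means an MD5 or SHA1 value was pasted instead.
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "verify_sha256: expected value is not a 64-character SHA256 hash" >&2
        return 2
    fi

    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
        return 0
    fi
    echo "$file: FAILED" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

The result is only as trustworthy as the source of the expected hash, so copy it from the publisher's official page rather than from wherever the file itself came from.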

Hope this helps. Cheers!
