Security: Verifying integrity of package/file in Linux

Omkar Deshpande
Published in Developer Pod
May 23, 2021

Why

Checking that a downloaded package or file is genuine has become more crucial than ever, and there are many reasons to do so before you actually open, install or execute it on your system or server. Without knowing it, you might install a malicious version of the package. It could have been introduced while the file was transferred from the website to your local machine, from local to the development system, or from development to production, over a compromised network that you aren't aware of. Or someone may have gained access to your file system and replaced the package with their own version.

It is thus necessary to be cautious about such scenarios, where the original file has been tampered with.

How

Let’s take an example of downloading Elasticsearch package from the official page: https://www.elastic.co/downloads/elasticsearch

1. Download the Elasticsearch package.

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.12.1-arm64.deb

2. On the same page, next to the download link, the organisation provides a SHA checksum. Hovering over it shows that it is SHA512. Click on it to download and view the SHA hash.

Or download it using wget:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.12.1-arm64.deb.sha512

3. Now, generate the SHA512 for the downloaded package and compare it with the one in the .sha512 file:

Generate File SHA512:

shasum -a 512 elasticsearch-7.12.1-arm64.deb

Read SHA512 from the file:

cat elasticsearch-7.12.1-arm64.deb.sha512

To check for any difference in output:

diff <(shasum -a 512 elasticsearch-7.12.1-arm64.deb) <(cat elasticsearch-7.12.1-arm64.deb.sha512)

If there’s NO difference, the above command will return NO output.

The checksum will differ if even a single bit of the file content differs, which confirms that the current file is not the one it is expected to be, a possible red flag.

Other prominent hashing mechanisms that can be used are:
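The three manual steps above, folded into one reusable check, as an added example that is not part of the original post. The function names sha512_of and verify_sha512 and the sample files are this example's own; it goes slightly beyond the diff by also rejecting a malformed checksum file or one published for a different file name.

```shell
# Print the SHA-512 hex digest of a file with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum < "$1" | awk '{print $1}'
    else
        shasum -a 512 < "$1" | awk '{print $1}'
    fi
}

# verify_sha512 FILE CHECKSUM_FILE  (hypothetical helper, not a system command)
# Returns 0 on match, 1 on mismatch, 2 on missing or malformed input.
verify_sha512() {
    local file sumfile expected named actual
    file=$1; sumfile=$2
    [ -f "$file" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # Expected line format: "<128 hex chars>  <file name>"
    read -r expected named < "$sumfile" || true
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "not a SHA-512 digest" >&2; return 2; }

    # Reject a checksum that was published for a different artifact.
    named=${named#\*}    # drop the binary-mode marker some tools emit
    if [ -n "$named" ] && [ "$named" != "${file##*/}" ]; then
        echo "checksum is for '$named', not '$file'" >&2; return 1
    fi

    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file" >&2; return 1
    fi
}

# Constructed demo: a stand-in package, its checksum file, then a tampered copy.
demo() {
    local dir; dir=$(mktemp -d)
    printf 'constructed package bytes\n' > "$dir/pkg.deb"
    printf '%s  pkg.deb\n' "$(sha512_of "$dir/pkg.deb")" > "$dir/pkg.deb.sha512"
    verify_sha512 "$dir/pkg.deb" "$dir/pkg.deb.sha512"
    printf 'x' >> "$dir/pkg.deb"    # append a single byte
    verify_sha512 "$dir/pkg.deb" "$dir/pkg.deb.sha512" || echo "tampering detected"
    rm -rf "$dir"
}
demo
```

For a one-off check, shasum -a 512 -c elasticsearch-7.12.1-arm64.deb.sha512 does the same comparison and prints OK or FAILED. A matching checksum only shows that the file equals what the download site published, so fetch the .sha512 file over HTTPS from the vendor's own page.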

  • md5sum
  • SHA-256
