wincent knowledge base

November 12, 2004

Using MD5 or SHA1 to verify the integrity of your downloads

This article explains how to verify the integrity of your download when you obtain a Wincent product. MD5 or SHA1 checksums appear on each of the product download pages, and serve as a "fingerprint" for the file. You can compare the checksum on the downloaded file to the checksum on the website, and if they match then you know that the integrity of the file is intact. This is an indication that the file hasn't been tampered with, even if it came from a mirror server on the other side of the planet.

You should only ever download Wincent software using the links on the download pages, and never from anywhere else. If you see Wincent software hosted elsewhere without being listed on the download page, then that distribution is illegal and potentially dangerous, so it's best to avoid it. You can report such cases of unauthorized distribution using the contact form.

When you download a file, make note of the checksum for that file as indicated on the download page. It will either be a 32-digit MD5 checksum, or a 40-digit SHA1 checksum. The easiest way to do this is probably just to leave your browser window open until after you've completed the check. After your download is complete, follow these steps to verify the checksum on the file:

  1. Open the Terminal application (stored in the "Utilities" folder inside the "Applications" folder on your startup disk).
  2. If the checksum is a 32-digit MD5 checksum, type this instruction at the Terminal command prompt, followed by a space:
    /sbin/md5
    Do not press return. The space is important because it will separate the command name (md5) from the file that you'll be testing. If the checksum is a 40-digit SHA1 checksum, type the following instead, followed by a space:
    /usr/bin/openssl sha1
  3. Using the mouse, find the downloaded file and drag it onto the Terminal window. The full path to the downloaded file will appear in the window.
  4. Switch back to the Terminal window, and press the return key to actually issue the command.
  5. Compare the checksum string that is displayed in the Terminal window with the corresponding string on the website. It should be an exact match (all digits exactly the same).

If there is a discrepancy, then something has gone wrong with your download, or the file has been tampered with. Try performing the comparison again, or re-downloading. If you think you've discovered evidence of tampering, please contact me.
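
The manual comparison in the steps above can also be scripted. The following is an added example, not part of the original article: the function names are hypothetical, and it uses md5sum/sha1sum where present and otherwise openssl dgst, rather than /sbin/md5. It picks the algorithm from the length of the published checksum and reports a match or mismatch through its exit status.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Print the lowercase hex digest of the file $2 using algorithm $1 (md5 or sha1).
file_digest() {
    if command -v "${1}sum" >/dev/null 2>&1; then
        # md5sum/sha1sum print "<hex>  -" when reading standard input.
        "${1}sum" < "$2" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        # openssl prints "...(stdin)= <hex>"; the digest is the last field.
        openssl dgst "-$1" < "$2" | awk '{print $NF}'
    else
        echo "no md5sum/sha1sum or openssl found" >&2
        return 2
    fi
}

# verify_checksum FILE EXPECTED: returns 0 on match, 1 on mismatch, 2 on bad input.
verify_checksum() {
    vc_file=$1
    # Normalize the value copied from the web page: strip whitespace, fold case.
    vc_want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -r "$vc_file" ] || { echo "cannot read: $vc_file" >&2; return 2; }
    case $vc_want in
        ''|*[!0-9a-f]*) echo "checksum is not hexadecimal" >&2; return 2 ;;
    esac
    # 32 hex digits means MD5, 40 means SHA1 (the two lengths the article names).
    case ${#vc_want} in
        32) vc_algo=md5 ;;
        40) vc_algo=sha1 ;;
        *)  echo "expected 32 (MD5) or 40 (SHA1) hex digits" >&2; return 2 ;;
    esac
    vc_got=$(file_digest "$vc_algo" "$vc_file") || return 2
    if [ "$vc_got" = "$vc_want" ]; then
        echo "OK: $vc_algo checksum matches"
    else
        echo "MISMATCH: expected $vc_want, got $vc_got" >&2
        return 1
    fi
}

# Command-line use: sh verify.sh FILE CHECKSUM
if [ "$#" -eq 2 ]; then
    verify_checksum "$1" "$2"
fi
```

A checksum pasted with stray spaces or in uppercase still compares correctly, and a value of the wrong length is rejected before any hashing is done.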

If you would like to learn more about the md5 command and the MD5 algorithm itself, issue this command in the Terminal and press return:

man md5

To learn more about SHA1, issue this:

man sha1

Posted by wincent at November 12, 2004 10:05 PM