The SHA-256 Checksum: Authenticate Programs from the Web

This quick tutorial can be used to verify the integrity of a file that you have downloaded from the web before installing it on your computer. You can download my notes from my GitHub page.

Why is this important?

Let's say I want to install a program from the web on my laptop. I'm an engineer interested in installing the Anaconda package on my computer so that I can do some scientific computing using Jupyter. How do I know that the file I downloaded from the internet is the original, untampered file from the Anaconda group? What if someone altered the package and put some malicious code (say, a key-logging program for instance) within this software package? We need a way to verify the authenticity of a program before installing it on our home computers and this is what the SHA-256 Checksum is used for.

The SHA-256 Checksum

The SHA-256 algorithm is a cryptographic hash function that takes an input file (the package you want to download) and produces an output hash (the checksum) that is unique to that file. If the file is altered in anyway from it's original state, even a just a single bit, will produce a completely different hash output.

Check it out. Let's create a simple text file and compute the checksum:

$ cat original.txt 
This is the original file.


$ sha256sum original.txt 
56d9fc4585da4f39bbc5c8ec953fb7962188fa5ed70b2dd5a19dc82df997ba5e  original.txt

The output hash <56d9fc4585da4f39bbc5c8ec953fb7962188fa5ed70b2dd5a19dc82df997ba5e> is the unique checksum for this file. Now, let's alter original.txt file a little and check the new checksum.

$ echo 'Altering the file with this sentence.' >> original.txt
$ cat original.txt 
This is the original file.
Altering the file with this sentence.

Now, compute the checksum on this altered file. It should be different than the previous hash we produced.

$ sha256sum original.txt 
3b4393ec9c821e4957980aa95fc06d13f5410b09b74fb1bbd4070024a89435e6  original.txt

Apply the checksum

So, let's use this in real life. In my example, I have downloaded the Anaconda3-5.1.0-MacOSX-x86_64.pkg package from Anaconda's website. You can see it in my downloads folder:

Downloads$ ls
Anaconda3-5.1.0-MacOSX-x86_64.pkg

To apply the checksum, we need to locate the checksum Hash provided by Anaconda. For my edition, the checksums are shown here.

The original programmers for this package publish the SHA-256 hash at the download website. The Hash (checksum) for my Anaconda3-5.1.0-MacOSX-x86_64.pkg is:

• The sha256 checksum:
  • d6bf6309ccafa84314d85ca7421fddc16057ac2d824d698a213ccd597e896897

Now, apply the checksum function in the terminal and verify the signature.

Downloads$ ls
Anaconda3-5.1.0-MacOSX-x86_64.pkg
Downloads$ shasum -a 256 Anaconda3-5.1.0-MacOSX-x86_64.pkg 
d6bf6309ccafa84314d85ca7421fddc16057ac2d824d698a213ccd597e896897  Anaconda3-5.1.0-MacOSX-x86_64.pkg

If it worked out, you should see an exact match to the checksum provided online: d6bf6309ccafa84314d85ca7421fddc16057ac2d824d698a213ccd597e896897

I hope you find this helpful and try to use it where ever possible to authenticate programs that you download online. There are a multitude of other uses for these algorithms to improve the way we compute across the web so keep learning and ask questions.

Thanks and upvote if you enjoy!
-@powderskier