Cross-platform checksum verifiers 2019

We all know that checking downloaded files for tampering/corruption is a good thing, but how many actually do it?  Almost none.  Why?  I believe it's because there isn't an easy, cross-platform, standardized way to do so.

Easy

Here's an example of how hard it is to set up your system to verify a PGP GPG key (how's that for confusing!)

There has to be an easier way.


Cross-Platform

Linux fans will immediately recommend md5sum, and sha1sum, and sha256sum, and...

While many of these tools have been ported to Windows, they still suffer from hash sprawl -- the tendency to create one-off tools each time a new hashing algorithm is released, which happens quite frequently as new weaknesses are identified (such as this SHA3-256 fault analysis).


Standardized

While the hashing algorithms have been standardized, the format of the checksum file that stores the hashes alongside the file(s) they were calculated for is not.  Publishing the hash on the download page for the file works for many use cases but not for peer-to-peer, thumb-drive distribution, or user-uploaded file submissions.  Cor, the maker of checksum, tried to lead by example with his Unified Hash Extension™ and Multi-Hashing™ concepts but they never caught on:

"Welcome to the unified .hash extension ... I feel there are quite enough file extensions to deal with, and with some effort on the part of software developers, this may catch on. I hope it does, anyway, and that you agree. A single, unified hash extension looks like the way forward, to me. ... The single, unified hash extension gives us not only the freedom to effortlessly upgrade algorithms at any time, without having to handle yet-another-file-type, but also the ability to easily store output from multiple hashing algorithms inside a single .hash file. Welcome to multi-hashing, which will doubtless have security benefits, to boot (a multi-hash is simply collision-proof)."

Other common standardized file options include:
______________________________

Software Options

Here are the latest set of options with their pros/cons:
  • Jacksum
    • Example: jacksum -a sha-1+sha-256 -o myfile.hash myfile.img
    • Cons:
      • jacksum -h doesn't work on Linux apt-get install version
      • concatenates all checksums together without identifying the algorithm: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 5 myfile.img
    • Verdict: avoid
  • Toolsley Hash & Validate
  • Corz checksum
    • Example: ./checksum.sh /full/path/to/myfile.img
    • Cons:
      • Linux version hasn't been updated since 2014 and has far fewer features than the Windows version (for example, you can't select multiple hash algorithms)
      • Relative file paths not supported
      • The output file doesn't include the hash algorithm name: d8e8fca2dc0f896fd7cb4cb0031ba249 *myfile.img
    • Verdict: avoid
  • GtkHash
    • Example: no command line option
    • Cons:
      • GUI only
      • Creates a nice hash output file but doesn't provide an easy way to verify.  Users would need to open the file, copy the hash, run the tool, select the target file, then compare the two hashes by eye.
      • No support for multiple files (e.g. hashing a directory)
    • Verdict: avoid
  • RHash
  • hashdeep
    • Example: hashdeep -l -W myfile.hash myfile.img
    • Cons:
      • Confusing options and verification process (for example, can't mix relative paths with audit)
    • Verdict: avoid

______________________________

tl;dr

# Install rhash (one tool, many algorithms)
sudo apt install -y rhash
# Start a fresh ~/.rhashrc (this overwrites any existing one) and show a progress bar
echo 'percents = on' > ~/.rhashrc
# Output format: one BSD-style line per algorithm, each naming the algorithm, plus verification hints as comments
echo 'printf = SHA-256 (%f) = %{sha-256}\r\nEDON-R512 (%f) = %{edon-r512}\r\n# Verify using terminal: rhash -c thisfile.txt --percents\r\n# Verify using browser:  https://www.toolsley.com/hash.html#v=sha256|%{sha-256}&f=%u\r\n\r\n' >> ~/.rhashrc
# Try it out: create a file, write its checksum file, inspect it, verify it, clean up
echo test > test.txt
rhash -o hash.txt test.txt
cat hash.txt
rhash -c hash.txt
rm test.txt hash.txt
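The checksum file written by the rhash config above names the algorithm on every line, which is exactly what the jacksum and checksum output formats lack.  As an added example (not part of the original post or of rhash), here is a small cross-platform verifier for that format: it parses `ALGO (file) = hex` lines, skips the `#` hint lines, picks the digest from the algorithm name, and reports an algorithm it cannot compute (EDON-R512 is not in Python's hashlib) as unsupported instead of silently passing it.  The sample file and its contents are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One BSD-style line per algorithm, as the rhash printf above writes them (\r\n endings allowed).
LINE_RE = re.compile(r"^([A-Za-z0-9-]+) \((.+)\) = ([0-9a-fA-F]+)$")
# The algorithm name in the file selects the hashlib digest, so a new algorithm is a dictionary
# entry, not a new tool. EDON-R512 (written by rhash) has no hashlib implementation: UNSUPPORTED.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
              "SHA-512": "sha512", "SHA3-256": "sha3_256"}

def parse_hash_file(text):
    """Yield (algorithm, filename, hexdigest); comment and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        yield m.group(1).upper(), m.group(2), m.group(3).lower()

def verify(hash_file, base_dir):
    """Return {filename: {algorithm: 'OK' | 'FAILED' | 'MISSING' | 'UNSUPPORTED'}}."""
    results = {}
    for algo, name, expected in parse_hash_file(Path(hash_file).read_text()):
        target = Path(base_dir) / name
        if algo not in ALGORITHMS:
            status = "UNSUPPORTED"
        elif not target.is_file():
            status = "MISSING"
        else:
            actual = hashlib.new(ALGORITHMS[algo], target.read_bytes()).hexdigest()
            status = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
        results.setdefault(name, {})[algo] = status
    return results

def demo():
    """Constructed sample: test.txt holding b"test\\n" plus a hash file in the format above."""
    sha256_of_test = "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "test.txt").write_bytes(b"test\n")
        Path(d, "hash.txt").write_text(
            f"SHA-256 (test.txt) = {sha256_of_test}\r\n"
            "EDON-R512 (test.txt) = 0000\r\n"  # placeholder digest: hashlib has no EDON-R
            "# Verify using terminal: rhash -c hash.txt --percents\r\n"
            f"SHA-256 (missing.img) = {sha256_of_test}\r\n")
        return verify(Path(d, "hash.txt"), d)
```

Running `demo()` reports the SHA-256 line as OK, the EDON-R512 line as UNSUPPORTED and the absent file as MISSING, so a multi-hash file never passes just because a verifier did not understand one of its lines.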
