Before you install a program, make sure to check its hash

Dear users of setups and installations,

When you download a file from the internet, some distribution websites publish the file's hash so that you can check it.

Let’s walk through an example:

I’m a big fan of pandoc – software that lets you write in plain text and convert it to different formats such as PDF or Word documents. On their website they provide a setup program for various platforms:

http://johnmacfarlane.net/pandoc/installing.html

So, assuming I want to download pandoc on a Windows system, I would simply click a link and download the setup.exe from their distribution site hosted on Google’s servers.

Downloading is one thing, but in order to make sure that there were no discrepancies, malicious or otherwise, Google’s servers provide us with a hash (SHA-1), which in this case happens to be:

9327836ec84316b3f79ba082d379b591a7c2dfcf

The problem is that Windows XP doesn’t provide a quick or easy way for a user like yourself to compute the SHA-1 hash and verify whether the file is OK to use. What is not well known, however, is that Microsoft provides a downloadable utility, fciv (http://support.microsoft.com/kb/841290), that lets you compute the hash:

fciv -sha1 pandoc-1.9.4.2b-setup.exe

Which results in:

c:\TEMP>fciv -sha1 pandoc-1.9.4.2b-setup.exe
//
// File Checksum Integrity Verifier version 2.05.
//
6f4c415dcfd5c450adea83884422951651f242f3 pandoc-1.9.4.2b-setup.exe

This exactly matches the hash from Google’s server, so it’s OK to install the program and start using it.

Now let’s modify the setup program in the best way we know how – opening it in a text editor and adding a few more lines to it:

And re-run fciv for checking the hash:

c:\TEMP>fciv -sha1 pandoc-1.9.4.2b-setup.exe
//
// File Checksum Integrity Verifier version 2.05.
//
8c2bd2509c5dedebcdb7c3fd2216dcf771e2d986 pandoc-1.9.4.2b-setup.exe

As you can probably tell by now, because the hash is different the setup program can’t be trusted anymore. Hence you’re better off finding the program on a different server or contacting the author directly.
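The same check, as an added example that is not part of the original post: a small Python script that hashes a file in chunks, compares the result against a published hash in constant time, parses an fciv result line, and reproduces the experiment above by tampering with a constructed stand-in for the installer. The file content and names are constructed for the demonstration; SHA-1 is the default only to match the post, and any hashlib algorithm (e.g. sha256) can be passed instead.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algo="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_fciv_line(line):
    """Return (hash, filename) from an fciv result line such as
    '6f4c...42f3 pandoc-1.9.4.2b-setup.exe'; '//' comment lines yield None."""
    line = line.strip()
    if not line or line.startswith("//"):
        return None
    digest, _, name = line.partition(" ")
    return digest.lower(), name.strip()


def verify_download(path, published_hex, algo="sha1"):
    """True only if the file's digest equals the published one.
    compare_digest avoids leaking where the two strings first differ."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo():
    """Constructed stand-in for the installer: hash it, treat that hash as the
    published value, then append 'a few more lines' as in the post and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup.exe")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4096)  # constructed fake installer bytes
        published = file_digest(path)
        before = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\r\n; lines added in a text editor\r\n")  # the tampering step
        after = verify_download(path, published)
        return before, after


if __name__ == "__main__":
    print(demo())  # (True, False): untouched file verifies, modified file does not
```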

Sincerely,

gsvolt
