How to hash a file to confirm its integrity

Windows
On Windows, you can open up a command prompt and use the certUtil command.
Usage: certUtil -hashfile <filepath> SHA256

C:\Users\turtleflax>certUtil -hashfile "C:\Users\turtleflax\Downloads\pivx-3.0.6-win64-setup-unsigned.exe" SHA256

SHA256 hash of C:\Users\turtleflax\Downloads\pivx-3.0.6-win64-setup-unsigned.exe:

2ae1e5f9e6b7ca6119891fd09713b3fca53d52f4c36bb84b4528a4b9440b88ec

CertUtil: -hashfile command completed successfully.

Mac
On Mac, you can open a terminal window and use the openssl command.
Usage: openssl dgst -sha256 <filepath>

Linux
On Linux, you can open a terminal window and use the sha256sum command.
Usage: sha256sum <filepath>

$ sha256sum ~/Downloads/pivx-3.0.6-x86_64-linux-gnu.tar.gz
1b987933112560641ac3d8f9b56509ae5dcfc2df2179a1a07b6c9535744d8e58 pivx-3.0.6-x86_64-linux-gnu.tar.gz

Why would I want to do this process?

PIVX Core releases are posted to GitHub with their SHA256 checksum values in a file called SHA256SUMS.asc. You can open this file in Notepad or any other text editor to view its contents. It is a PGP-signed message containing a SHA256 value for each binary file released with that PIVX Core version. The purpose of the SHA256 value is to confirm that the file you downloaded matches the official GitHub release file exactly. If it does not, that could indicate a download problem or a MITM (man-in-the-middle) attack.

Here is an example SHA256SUMS.asc file from the v3.0.6 release:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

141be1f2305dc133cb96f6fe7122f53be99f1bb6ed88a8f36199ab3e436d1f2e pivx-3.0.6-aarch64-linux-gnu.tar.gz
46e157d13a3718868732e6c86110d699c6fc8b9087b08774611240700a5718bb pivx-3.0.6-arm-linux-gnueabihf.tar.gz
f49d4f3140b7231539a40b2704487940f2520654b48684eaef50cc52d56fda68 pivx-3.0.6-i686-pc-linux-gnu.tar.gz
80677ac9c9c6b0656fd9c6c8958d5e00518ab2f3fb4baddf024d7ea11b16df5b pivx-3.0.6-osx64.tar.gz
5eedaa29157f586ea28f0b558ff526bae6d164a5cafacb4f65f871625d8249d5 pivx-3.0.6-osx-unsigned.dmg
87fafd709e602537c4e9d4f02b397181c82e260d967fa4d50fb0813d30117bc0 pivx-3.0.6.tar.gz
a1e58750b217ab8a1ca12e2f157c92de652c664221f79731453540c3a9a175b1 pivx-3.0.6-win32-setup-unsigned.exe
970e08bf934daf00612b3bb53c71b063bbc952a9b9f26f7f813307f00fcb4e71 pivx-3.0.6-win32.zip
2ae1e5f9e6b7ca6119891fd09713b3fca53d52f4c36bb84b4528a4b9440b88ec pivx-3.0.6-win64-setup-unsigned.exe
f113435a0e514bf3d8ac7a0186d9013a5dbfe95fe2000111b8a03abb508f8870 pivx-3.0.6-win64.zip
1b987933112560641ac3d8f9b56509ae5dcfc2df2179a1a07b6c9535744d8e58 pivx-3.0.6-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----

Please note that checksums alone do not rule out a GitHub-level breach, because the attacker could have replaced both the binaries and the SHA256SUMS.asc file. That is where the PGP signature comes in. You can use the developers' public keys to confirm that the SHA256SUMS.asc file was signed with their private key.
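The comparison described above can be scripted so that it works the same way on Windows, Mac and Linux. The following is an added example, not code from PIVX: it reads the hash list out of a clearsigned SHA256SUMS.asc, hashes the downloaded file and compares the two. The function names, the sample file name example-1.0.tar.gz and the sample contents are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the SHA256SUMS.asc layout, not a real release file: the
# digest is SHA256(b"abc") and the signature body is left empty.
SAMPLE_SUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-1.0.tar.gz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
SUM_LINE = re.compile(r"([0-9a-fA-F]{64})\s+\*?(.+)")

def parse_clearsigned_sums(text):
    """Map filename -> lowercase SHA256 hex taken from the signed body."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    body = lines[start + 1:lines.index("-----BEGIN PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]  # drop "Hash:" headers up to the blank line
    sums = {}
    for line in body:
        m = SUM_LINE.fullmatch(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never held in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(path, sums_text):
    """Return "match", "mismatch" or "not-listed" for the file at path."""
    expected = parse_clearsigned_sums(sums_text).get(Path(path).name)
    if expected is None:
        return "not-listed"
    return "match" if sha256_file(path) == expected else "mismatch"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "example-1.0.tar.gz"
        for content in (b"abc", b"abd"):  # intact download, then one changed byte
            path.write_bytes(content)
            print(content, check_download(path, SAMPLE_SUMS))
```

A "match" only shows that the file agrees with the copy of SHA256SUMS.asc you hold. The signature on that file still has to be verified against the developers' public keys, for example with gpg --verify SHA256SUMS.asc.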