Didier Stevens

Thursday 21 June 2018

Validating Your Downloads

Filed under: Announcement,My Software — Didier Stevens @ 0:00

Occasionally, a comment is posted on my blog to report that the posted hash of a file doesn’t match the hash of the downloaded file. Often, it’s because the reader calculated the hash of my program, and not the hash of the downloaded ZIP file, containing the program.

Let’s clarify this. Here is an example of download details I use in my blog posts:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

First you have the HTTP download link to the file, and then you have the HTTPS download link of the same file.

Next, you have the MD5 hash and SHA256 hash of the hosted file, e.g. the ZIP file.

The links and hashes are served by one host (blog.didierstevens.com), and the file is served by another host (didierstevens.com).

To validate that the file you downloaded has not been tampered with, or corrupted during the download, you have to calculate the hash of the downloaded file (if it’s a ZIP file, calculate the hash of the ZIP file, not of the archived files) and compare this with the hash I published.

If you don’t have a tool to do this, you can use my hash.py tool like this:

Blog at WordPress.com.