Open source software products like LibreOffice or Apache provide a checksum. This article describes how to use the checksum to verify the integrity of the software you download.
The checksum is a way of verifying that the product you have downloaded onto your computer is the same as the product published on the vendor’s website. In other words, an attacker has not managed to inject malware or other nasties into the software product on the vendor’s website or while you downloaded it. Verifying the checksum is a part of good computer hygiene that will help to protect your computer.
To verify the checksum, you calculate the hash value of the software product downloaded onto your computer and compare it with the value the vendor publishes. The MD5 and SHA1 hash algorithms give only some confidence about the data integrity of the download, as they can be subverted by an attacker. The SHA256 hash algorithm gives more confidence about the data integrity of the download, as it is a cryptographically stronger hashing algorithm.
1. First navigate to the target website and download the software product to your computer.
2. Click on the ‘Info’ link below the ‘Download’ button. The ‘Info’ web page displays the checksums of the current version of LibreOffice.
3. From the Microsoft Windows Command Prompt, navigate to the download and use the “certutil” command to calculate the hash value. No other software is required, because certutil is already built into Microsoft Windows.
    Microsoft Windows [Version 10.0.17134.376]
    (c) 2018 Microsoft Corporation. All rights reserved.
    C:\>cd Downloads
    C:\Downloads>certutil -hashfile LibreOffice_6.1.2_Win_x64.msi sha256
    SHA256 hash of LibreOffice_6.1.2_Win_x64.msi:
    ddd4cf674cc2543f7d5f375562853386793fc6003fe70fa270baf905af7f00fe
    CertUtil: -hashfile command completed successfully.
4. Copy the SHA256 value and search for the value in the ‘Info’ web page. If the SHA256 value is highlighted in the ‘Info’ web page, this gives us confidence about the data integrity of the download.
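Steps 3 and 4 can also be done in one go from PowerShell, so the comparison does not depend on reading or searching the value by eye. The script below is an added example, not part of the original walkthrough. The function names are hypothetical, and the hash shown in step 3 stands in for the value you would copy from the ‘Info’ page.

```powershell
# Added example: run certutil as in step 3 and compare with the published value.
# Function names are hypothetical; they are not part of Windows or LibreOffice.

function ConvertTo-NormalizedHash {
    param([Parameter(Mandatory)][string]$Text)
    # Strip whitespace and lower-case: older certutil builds print the hash as
    # space-separated byte pairs, and web pages sometimes show it in upper case.
    $hex = ($Text -replace '\s', '').ToLowerInvariant()
    if ($hex -notmatch '^[0-9a-f]{64}$') {
        # Catches a truncated copy/paste, which a partial page search would miss.
        throw "Not a complete SHA256 value (need 64 hex digits): '$Text'"
    }
    $hex
}

function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PublishedHash
    )
    $expected = ConvertTo-NormalizedHash $PublishedHash

    # Same command as step 3. certutil is a native program, so check its exit code.
    $output = certutil -hashfile $Path SHA256
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($output -join ' ')" }

    # Pick the hash line by its shape, not by position or wording, so the
    # parsing does not depend on the Windows version or display language.
    $hashLine = $output |
        Where-Object { $_ -match '^\s*([0-9a-fA-F]{2}\s?){32}\s*$' } |
        Select-Object -First 1
    if (-not $hashLine) { throw 'No SHA256 value found in certutil output.' }
    $actual = ConvertTo-NormalizedHash $hashLine

    [pscustomobject]@{
        File = $Path; Expected = $expected; Actual = $actual
        Match = ($actual -eq $expected)
    }
}

# File name and hash are the ones shown in step 3; replace the hash with the
# value copied from the 'Info' page (assumed here to be the same value).
$result = Test-DownloadChecksum -Path 'C:\Downloads\LibreOffice_6.1.2_Win_x64.msi' `
    -PublishedHash 'ddd4cf674cc2543f7d5f375562853386793fc6003fe70fa270baf905af7f00fe'
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Checksum mismatch: do not run this installer.'
    exit 1
}
```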