Technical Info

How To Find The Checksum Of A LibreOffice Download On Microsoft Windows

Open source software products like LibreOffice or Apache provide a checksum. This article describes how to use the checksum to verify the integrity of the software you download.

The checksum is a way of verifying that the product you have downloaded onto your computer is the same as the product published on the vendor’s website. In other words, an attacker has not managed to inject malware or other nasties into the software product on the vendor’s website or while you downloaded it. Verifying the checksum is a part of good computer hygiene that will help to protect your computer.

To verify the checksum, you calculate the hash value of the software product downloaded onto your computer and compare it with the value the vendor publishes. The MD5 and SHA1 hash algorithms give only some confidence about the data integrity of the download, as they can be subverted by an attacker. The SHA256 hash algorithm gives more confidence about the data integrity of the download, as it is a cryptographically stronger hashing algorithm.

1. First navigate to the target website and download the software product to your computer, like this:


https://www.libreoffice.org/download/download/

2. Click on the ‘Info’ link below the ‘Download’ button. The ‘Info’ web page displays the checksums of the current version of LibreOffice.


https://download.documentfoundation.org/libreoffice/stable/6.1.2/win/x86_64/LibreOffice_6.1.2_Win_x64.msi.mirrorlist

3. From the Microsoft Windows Command Prompt, navigate to the download and use the “certutil” command to calculate the hash value. No other software is required; certutil is already built into Microsoft Windows.

Microsoft Windows [Version 10.0.17134.376]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>cd Downloads

C:\Downloads>certutil -hashfile LibreOffice_6.1.2_Win_x64.msi sha256
SHA256 hash of LibreOffice_6.1.2_Win_x64.msi:
ddd4cf674cc2543f7d5f375562853386793fc6003fe70fa270baf905af7f00fe
CertUtil: -hashfile command completed successfully.

4. Copy the SHA256 value and search for the value in the ‘Info’ web page. If the SHA256 value is highlighted in the ‘Info’ web page, this gives us confidence about the data integrity of the download.
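
The comparison in step 4 can also be done by the machine rather than by eye. The PowerShell function below is an added example, not part of the original article: it runs the same certutil command, extracts the hash from its output and compares it with the value pasted from the ‘Info’ page. The name Test-DownloadHash and its parameters are assumptions chosen for illustration; the file name and hash are the ones shown in step 3, and the file is assumed to be in the current directory.

```powershell
# Added example (hypothetical helper, not from the article or from Microsoft).
function Test-DownloadHash {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Expected,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string]$Algorithm = 'SHA256'
    )

    # Hex digest length per algorithm; catches a value pasted for the wrong algorithm.
    $hexLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA384 = 96; SHA512 = 128 }

    # Normalise the pasted value: drop whitespace and lower-case it.
    $want = ($Expected -replace '\s', '').ToLowerInvariant()
    if ($want -notmatch '^[0-9a-f]+$' -or $want.Length -ne $hexLength[$Algorithm]) {
        throw "Expected value is not a $Algorithm hash ($($hexLength[$Algorithm]) hex characters)."
    }

    # Fail early if the file is missing, then run the same command as in step 3.
    $file = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $output = & certutil.exe -hashfile $file $Algorithm
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed: $($output -join ' ')"
    }

    # The digest is the only output line that is purely hex digits of the right length.
    # Older Windows releases print it with spaces between bytes, so strip whitespace first.
    $got = $output |
        ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() } |
        Where-Object { $_ -match '^[0-9a-f]+$' -and $_.Length -eq $hexLength[$Algorithm] } |
        Select-Object -First 1
    if (-not $got) { throw 'Could not find a hash in the certutil output.' }

    [pscustomobject]@{ File = $file; Algorithm = $Algorithm; Computed = $got; Match = ($got -eq $want) }
}

# File name and hash value as shown in step 3 of the article.
$result = Test-DownloadHash -Path '.\LibreOffice_6.1.2_Win_x64.msi' `
    -Expected 'ddd4cf674cc2543f7d5f375562853386793fc6003fe70fa270baf905af7f00fe'
$result | Format-List
if (-not $result.Match) { Write-Warning 'Hash mismatch: do not install this file.' }
```

Paste the expected value from the ‘Info’ page itself, not from the certutil output, so the two sides of the comparison come from different sources.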


We hope this helps,

Finding the Hash Value of a File on Microsoft Windows

Many vendors provide a hash value along with the file download itself. These hash values were previously generated using SHA1 or MD5 hash algorithms, but these hash algorithms have become weaker as computers have become faster and vulnerabilities have been identified in the hash algorithms. For these reasons, hash values are now typically generated using SHA256 or stronger hash algorithms.

The idea is to generate the hash value on your computer using the file downloaded and compare it against the hash value published on the vendor’s web site. This validates that the file downloaded has not been modified while it was in transit over the Internet. In other words, have you downloaded the same file onto your computer that the vendor has published on their web site? There are two tools to generate the hash value of a downloaded file on Microsoft Windows. Both FCIV and CertUtil are available from Microsoft for free and are command line utilities.

Of course, an attacker could modify both the file download and the hash value published on the vendor’s website. In this case there is no indication that the file download and the hash value have been compromised. For example, this happened to Linux Mint in February 2016 in a ‘supply chain’ style attack:

FCIV

FCIV stands for ‘File Checksum Integrity Verifier’ and was released in May 2004. It is a separate utility that can be downloaded from Microsoft. The ‘fciv.exe’ file then needs to be made available through the system environment variables in Microsoft Windows.
FCIV is a short, concise command. However, it can only compute SHA1 and MD5 hashes. This makes it unsuitable for modern hash values that use stronger hash algorithms.
Example:
fciv [hash_algorithm] [hash_file]

C:\>fciv -sha1 "./hello-world.txt"
//
// File Checksum Integrity Verifier version 2.05.
//
b6fe6281d53e8a66d6ab47e0a39a809dad901a0e ./hello-world.txt

CertUtil

CertUtil is a powerful command included in Microsoft Windows as part of Certificate Services. No download or modification of the system environment variables is required. More information about the command is available here:
CertUtil is a longer command. However, it supports MD2, MD4, MD5, SHA1, SHA256, SHA384, and SHA512. It also seems to receive updates from Microsoft.
Example:
certutil -hashfile [hash_file] [hash_algorithm]

C:\>certutil -hashfile "./hello-world.txt" sha1
SHA1 hash of ./hello-world.txt:
b6fe6281d53e8a66d6ab47e0a39a809dad901a0e
CertUtil: -hashfile command completed successfully.
We hope this helps,