What is the best way to calculate a checksum for a file that is on my machine?
Solution 1
Any MD5 will produce a good checksum to verify the file. Any of the files listed at the bottom of this page will work fine. http://en.wikipedia.org/wiki/Md5sum
Solution 2
The CertUtil is a pre-installed Windows utility, that can be used to generate hash checksums:
CertUtil -hashfile pathToFileToCheck [HashAlgorithm]
HashAlgorithm choices: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
So for example, the following generates an MD5 checksum for the file C:\TEMP\MyDataFile.img:
CertUtil -hashfile C:\TEMP\MyDataFile.img MD5
To get output similar to *Nix systems you can add some PS magic:
$(CertUtil -hashfile C:\TEMP\MyDataFile.img MD5)[1] -replace " ",""
Solution 3
I personally use Cygwin, which puts the entire smörgåsbord of Linux utilities at my fingertip --- there's md5sum and all the cryptographic digests supported by OpenSSL. Alternatively, you can also use a Windows distribution of OpenSSL (the "light" version is only a 1 MB installer).
Solution 4
On Windows : you can use FCIV utility : http://support.microsoft.com/kb/841290
On Unix/Linux : you can use md5sum : http://linux.about.com/library/cmd/blcmdl1_md5sum.htm
Solution 5
Checksum tabs: http://code.kliu.org/hashcheck/
This has worked great for me on windows for a while now. It allows easy copying and pasting of checksums. It has box to type/paste check sums from webpages and show matches or non matches quite well.
Comments
-
Bialecki almost 2 years
I'm on a Windows machine and I want to run a checksum on the MySQL distribution I just got. It looks like there are products to download, an unsupported Microsoft tool, and probably other options. I'm wondering if there is a consensus for the best tool to use. This may be a really easy question, I've just never run a checksum routine before.
-
Jerph over 15 yearsFor just checking a checksum Cygwin seems a little heavy. Especially since there are 5KB executable for checking the MD5
-
Adam Hawes over 15 yearsIt might be heavy but it is a valid answer, particularly when considering a Unixy program (MySQL) is involved.
-
Zenexer over 10 yearsFor those of us who consider Cygwin an essential tool, it's a perfect answer.
-
CJBS about 9 yearsThis is a much easier choice than FCIV, given that this is pre-installed . -
CJBS about 9 yearsNote: this doesn't come pre-installed on Win XP, but given that that OS is now obsolete, that shouldn't be a problem.
-
CJBS about 9 yearsFCIV isn't pre-installed. CertUtil is (on newer Windows OSes) - See answer below: stackoverflow.com/a/28922976/3063884
-
Michael Sorens almost 9 yearsThis handy little utility is rather understated here. First I have no relation to the author(s)---I just think it is a great utility! It lets you generate a hash file of your choice from the context menu in Windows Explorer for a single file or a group of files. You can later double-click that hash file to automatically run a hash verification of those files. I use this frequently to generate a hash for large files I want to copy, then copy the hash file with it, and at the destination, double-click to verify they survived intact.
-
npocmaka almost 9 yearsfor XP/2003 Admin tool kit are needed - microsoft.com/en-us/download/details.aspx?id=7045 -
Old Badman Grey almost 9 yearsIt is worth noting that md5sum also comes with git bash (mingw)
-
Iceberg almost 9 years@Laisvis - with your explanation, I went from 0 to done in about 2 minutes. I came to this page looking for how to do it. Your answer was simple and perfect.
-
antiduh over 8 yearsThis answer is no longer good advice. MD5 is vastly insecure nowadays. Using MD5 to validate downloaded files is not secure. -
Zack Jannsen about 8 years+1 for recommending pre-installed version. What better way to ensure secure software to check security and save additional steps hunting, downloading, installing, and validating.
-
J.J about 8 years@antiduh Seeing as you get the hash from the same place you download it from, your argument is moot. You're limited by the hash provided by the website.
-
rvpals almost 8 yearsCan someone please tell me how to check file checksum for using certUtil generated Hash ? command line. Would that be just use the same commandline to generate the Hash on the file (after the file was received on the target machine) ?
-
Kosta Tenedios almost 8 yearsLet's note that the user just wants to verify that the downloaded file has not been corrupted. If you take a look at https://en.wikipedia.org/wiki/MD5#Security you will come across this key sentence in the opening paragraph: "Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption."
-
Kebman over 7 yearsHow would you go about using that to make a simple hash out of a string rather than a file?
-
Ravindra HV about 7 yearsWhere can I find the list of available hash-algorithms? I tried
certutil -hashfile -?but did not get the list of options. The website does not have it as well. -
sandyiit almost 7 yearsHence the download location is provided.
-
Hey over 6 years@J.J A lot of official websites make you download the actual binary from another domain, so the argument is valid. You can download a modified VLC from a malicious mirror via the official site, which will be detected by a checksum.
-
Jonathin about 6 yearsWhile it is true that 7-zip provides hashes for all of the items listed above, it lacks a way to simply copy-paste it's results directly. CertUtil, since it is a CMD program, does provide copy-paste functionality. -
java-addict301 about 6 years@antiduh then why don't you suggest the alternative? -
antiduh about 6 years@Arno - That is my exact point. A malicious mirror could assemble a VLC binary that has a virus in it, but has the same exact checksum as published on the website; that is because Hash-MD5 is insecure. HMAC-MD5 is better (for now), but there are still better alternatives.
-
antiduh about 6 years@java-addict301 - Because I'm not here to hold your hand. You could spend about 5 minutes searching for hashing best practices and find an up-to-date answer. Owasp.org is a great resource.
-
java-addict301 about 6 years@antiduh I asked not because I'm too lazy to search, but because RTFM is never an appropriate 'answer' on Stackoverflow (which is what your answer implied).
-
asachet over 5 yearsExcellent solution, but the link is outdated. The safest place to get this software now is github.com/gurnec/HashCheck -
Elpy about 5 yearsIt's also possible to use 7z.exe via the CMD, for example
7z.exe h -scrcSHA256 -- /path/to/your/file.txtproduces a sha256 hash. -
mwfearnley over 3 years@RavindraHV CertUtil has changed/evolved subtly over time. I just checked: in 2008 (~Windows 7) it doesn't list them, but in 2012R2 (~Windows 8.1) or later it does. I'd just try each in the above list, just note the older versions are probably case-sensitive ('MD5' not 'md5').
-
MC_Nyquist about 2 yearsI agree with this approach, and it is the one I would use for taking a fingerprint of a file to check its integrity. I just want to add that these days MD5 IS NOT GOOD FOR ANY OTHER CRYPTOGRAPHIC USE CASE other than this. :-) Happy Hashing
