22

It is often helpful to be able to obtain a good cryptographic checksum of a file, e.g. the SHA-256 hash. This can be used to verify file integrity, so long as you have a reliable source for the hash.

Support for both SHA-256 and MD5 from the command line is provided by default in Ubuntu and probably other flavors of Linux and BSD via the sha256sum and md5sum programs.

On a Mac (10.5) I see the "md5" command-line program, but nothing for SHA-256. Given the hash collision problems with MD5, it is a less-than-ideal choice.

And I can't find any software installed by default on Windows to compute any crypto hashes. The closest to "standard" I've seen was a Microsoft reference to how to download an optional command-line program, the File Checksum Integrity Verifier utility, which can do SHA-1 (which is still relatively safe), but not SHA-256.

One download that I've run across for SHA-256 is hashcalc for cross-platform GUI support, but I haven't vetted it or tried it.

  • Am I missing any default secure hash software (better than MD5) for Windows or Mac?

  • Is there a page somewhere that gives good hashing tool advice for a variety of operating systems? Ideally it would lead to safe, convenient GUI solutions.

Clarification: I'm looking for advice I can share with others, which will help them safely work with hashes. By "safe" I mean something which, for example, a government employee could relatively easily determine to not be too risky. For example, software installed by default, documented and backed by the vendor, is much less risky than installing some third-party executable off the Internet. If it has to be third-party software, then something that is vetted and recommended by experts is preferred.

(Cf. cross-platform signatures)

nealmcb

7 Answers

15

For Windows, you can use PowerShell, which is installed by default on Windows 7 / Server 2008 R2 and onwards. The Get-FileHash function was introduced in PowerShell v4, which comes with Windows 8.1 and Windows Server 2012 R2. For older PowerShell versions, these scripts from James Manning's blog will do the trick.

Example of Get-FileHash usage:

C:\Windows> Get-FileHash -Algorithm md5 .\notepad.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             24DA05ADE2A978E199875DA0D859E7EB                                       C:\Windows\notepad.exe

Supported algorithms are SHA1, SHA256, SHA384, SHA512, MACTripleDES, MD5 and RIPEMD160.

Glorfindel
Kjetil Limkjær
  • 1
    Interesting, thank you. Can you provide an example of using Get-FileHash? I'm alarmed to see at [Get-FileHash in PowerShell 4.0 -- output in HEX characters please!!!](http://social.technet.microsoft.com/Forums/windowsserver/en-US/e9a35c08-cd2e-4cb7-b609-6f3eaf3bbef2/getfilehash-in-powershell-40-output-in-hex-characters-please?forum=winserverpowershell) that it seems they output in something other than hex for the PowerShell v4 implementation. – nealmcb Nov 10 '13 at 03:24
  • 4
    I've added a usage example - I also saw that post, but it seems like they came to their senses and changed it before RTM. – Kjetil Limkjær Dec 09 '13 at 08:26
  • @nealmcb, Maybe they want you to pipe the output to another function. – Pacerier Mar 15 '15 at 15:11
11

The one tool that comes to mind, particularly for Unixes (or however you're supposed to pluralise that) is openssl:

openssl dgst -sha256 path/to/file

The openssl dgst command provides a lot of common hashing options, and openssl is installed on most Unix systems by default and is also available for Windows. I believe it ships with OSX too. I agree, it is a less than ideal situation for Windows to ship without such a tool.

As for GUI tools, I do not personally know of any other than HashCalc, which you have already mentioned.

  • Thanks - I found openssl on a nearby Mac (10.5), but it was running OpenSSL 0.9.7l 28 Sep 2006, which does not have "-sha256". It does have "-sha1", so that is a big step up from MD5.... – nealmcb Nov 06 '11 at 21:28
  • @nealmcb Others have seen that issue too - http://www.cs.washington.edu/homes/aczeskis/openssl.html. I wasn't sure OSX shipped with openssl and found that post on upgrading. –  Nov 06 '11 at 21:39
8

In a mixed Windows/Unix environment, what I use for common cryptographic algorithms is:

  • OpenSSL for many calculations, especially hashes (but not HMAC) and X.509 certificate manipulations.
  • Python's hashlib and hmac for SHA and HMAC.

Unfortunately, neither is provided with Windows; they require a separate installation.

Here's a simple one-liner to compute the HMAC of a file using Python. Type the key in hexadecimal in the terminal (or pass it on standard input with echo … |, but beware that the key will then end up in the shell history). The file is read into memory, which won't do for large files.

python -c "import binascii, hashlib, hmac, sys; print(hmac.new(binascii.unhexlify(sys.stdin.readline().strip()), open(sys.argv[1], 'rb').read(), hashlib.sha256).hexdigest())" myfile.dat

On Windows, a simple hash verifier (supporting SHA and a few more, and HMAC) that's usable by a non-technical person is SlavaSoft HashCalc. Unfortunately, it's not open-source, so you may not have the utmost confidence in its operation.

Gilles 'SO- stop being evil'
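A streaming counterpart to the one-liner in the answer above that also checks the result against a published value, as an added example that is not part of the original answer. The function names and the 1 MiB chunk size are choices made here, and the accepted input styles (sha256sum/shasum lines, openssl dgst lines, upper-case Get-FileHash hex) are assumptions about those tools' usual output.

```python
import hashlib
import hmac
import re
import sys

CHUNK = 1 << 20  # read 1 MiB at a time so large files never sit in memory


def _blocks(path):
    # Binary mode: text mode would translate newlines on Windows and change the hash.
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return
            yield block


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, computed incrementally."""
    h = hashlib.new(algorithm)
    for block in _blocks(path):
        h.update(block)
    return h.hexdigest()


def file_hmac(path, key_hex, algorithm="sha256"):
    """Hex HMAC of a file under a hex-encoded key, computed incrementally."""
    mac = hmac.new(bytes.fromhex(key_hex.strip()), digestmod=algorithm)
    for block in _blocks(path):
        mac.update(block)
    return mac.hexdigest()


def matches(computed_hex, published):
    """True if `published` (a bare hash or a line of tool output) carries computed_hex."""
    # Handles "hash  name" (sha256sum, shasum), "ALG(name)= hash" (openssl dgst)
    # and upper-case hex (Get-FileHash). Exactly one hash-length hex run must appear.
    run = r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{%d}(?![0-9A-Fa-f])" % len(computed_hex)
    found = re.findall(run, published)
    if len(found) != 1:
        return False  # missing or ambiguous: refuse rather than guess
    return hmac.compare_digest(computed_hex.lower(), found[0].lower())


if __name__ == "__main__":
    ok = matches(file_digest(sys.argv[1]), sys.argv[2])
    print("OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Saved under a file name of your choice, it takes the file path as the first argument and the published hash (or the whole line another tool printed) as the second, and exits non-zero on a mismatch.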
3

How about USA's NIST (National Institute of Standards and Technology)? They run a crypto validation program and list verified implementations of cryptographic hashing algorithms at: http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm

It contains some Java libraries which could be used cross-platform.

this.josh
2

sphlib is a library which implements many hash functions, written in C. It includes a command-line tool (sphsum) which mimics the behaviour of md5sum / sha1sum and its ilk, and supports MD5 and SHA-256 (and a bunch of other functions). It compiles on all kinds of Unix-like systems (including MacOS) and also on Windows (build instructions are included, but you will need Visual C, MinGW or lccwin32).

sphlib also includes a Java implementation of all these hash functions. Speaking of which, both Java and .NET include SHA-256 implementations by default, so you could make a Java applet and/or a C# assembly which do the hashing. Thus, you would rely only on components provided by either Oracle or Microsoft; it would be hard to be more "official" than that.

Besides md5, MacOS X (10.7, at least) includes a utility called shasum which can compute hashes with any of the SHA-* family (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512). Use it like this:

shasum -a 256 thefilename

to obtain the SHA-256 hash of file thefilename.

Thomas Pornin
2

I actually created a small Python wrapper around the Python hashlib API for this exact purpose. I needed to be able to check and compute hashes between nix, Mac and Windows, particularly SHA-256.

There is also a small wxPython gui that is optional to use as well.

The code is here: https://github.com/caseydunham/hashy

If installing python is not an option, it would be easy to produce an executable build for this that wouldn't require the python installation.

Casey
1

As @kjetil-limkjær points out, PowerShell version 4 and up includes the Get-FileHash cmdlet.

powershell get-filehash -algorithm sha1 <file_to_check>

Use doskey to make a persistent alias that's easier to remember.

doskey sha256sum=powershell get-filehash -algorithm sha256 "$1"
doskey sha1sum=powershell get-filehash -algorithm sha1 "$1"
doskey md5sum=powershell get-filehash -algorithm md5 "$1"