Verify a downloaded file against a checksum on Windows

The internet can be dangerous: you might think you are downloading a specific file, but something fishy may be going on and you end up with a file that has a virus or other malware in it.

Software vendors that think about security might provide you with a ‘checksum’, a string of characters that identifies the exact contents of a file. If the file is tampered with (for example a virus or malware is added), the checksum will change. So we want to verify that the checksum of our downloaded file is the same as the checksum the software vendor has given us.

Let’s try it out

You can easily find out the checksum of a file on Windows. For example, let’s say we have downloaded the Ubuntu server from here: https://cloud-images.ubuntu.com/wsl/jammy/current/

So first we are going to download the file. You can click on it to download it, or you can use the command prompt and run ‘curl’; the ‘-O’ option saves the download under the same filename it has on the server:

curl https://cloud-images.ubuntu.com/wsl/jammy/current/ubuntu-jammy-wsl-amd64-wsl.rootfs.tar.gz -O

In the directory listing on the server you will also see a file named ‘SHA256SUMS’; open it and you will see this:

In this case we have downloaded the ‘amd64 > tar.gz’ file, the second one from the top, so the checksum of our file should be the one that starts with ‘dd6e…’.

Generate the checksum hash for our file

Now we will check whether the file we have downloaded is in fact the correct file, or whether some hacker has found a way to serve us a different file with a potential virus in it.

You can run ‘certutil -hashfile <file> <algorithm>’. In this case the algorithm that Ubuntu uses for its list is SHA256, so we run it like this:

certutil -hashfile ubuntu-jammy-wsl-amd64-wsl.rootfs.tar.gz sha256

Compare the checksums

Now the quickest way to compare the two strings is to copy the hash string that was generated in your command prompt, go back to the ‘SHA256SUMS’ file on the Ubuntu site, do a ‘Find in Page’ (CTRL+F) and paste in the hash; you can then quickly see whether it matches or not:

Luckily our checksum hash matches the one on the website, so we can be sure that the file we have downloaded is in fact the original file from Ubuntu.
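The manual Ctrl+F comparison above can be scripted. The following is an added PowerShell example, not part of the original post: it reads the vendor’s SHA256SUMS list, hashes the download with Get-FileHash (PowerShell’s equivalent of ‘certutil -hashfile’) and compares the two. The function name is mine, and it assumes you have saved the SHA256SUMS file next to the download.

```powershell
# Added example (not from the original post). Verifies a downloaded file
# against a vendor SHA256SUMS list, automating the certutil + Ctrl+F steps.
# Assumes the list uses the common "<hex hash> *<filename>" layout
# (the leading "*" marks binary mode; some lists use two spaces instead).

function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,      # the downloaded file
        [Parameter(Mandatory)] [string] $SumsPath,  # local copy of SHA256SUMS
        [string] $Algorithm = 'SHA256'
    )

    $name = [System.IO.Path]::GetFileName($Path)

    # Find the list entry whose filename matches our download, e.g.
    # "dd6e...  *ubuntu-jammy-wsl-amd64-wsl.rootfs.tar.gz"
    $expected = Get-Content -LiteralPath $SumsPath | ForEach-Object {
        if ($_ -match '^\s*([0-9A-Fa-f]+)\s+\*?(.+?)\s*$' -and $Matches[2] -eq $name) {
            $Matches[1]
        }
    } | Select-Object -First 1

    if (-not $expected) {
        throw "No entry for '$name' found in $SumsPath"
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash

    # certutil prints the digest in lower case and Get-FileHash in upper case,
    # so compare case-insensitively rather than by eye.
    [pscustomobject]@{
        File     = $name
        Expected = $expected.ToLower()
        Actual   = $actual.ToLower()
        Match    = ($actual -ieq $expected)
    }
}

# Usage with the filenames from this post (assumed to be in the current directory):
# curl.exe https://cloud-images.ubuntu.com/wsl/jammy/current/SHA256SUMS -O
# Test-DownloadChecksum -Path .\ubuntu-jammy-wsl-amd64-wsl.rootfs.tar.gz -SumsPath .\SHA256SUMS
```

A match shows that the bytes you received are the bytes the vendor listed; it does not by itself prove the list is genuine, so fetch the list over HTTPS from the vendor’s own site and, where the vendor signs the list, check that signature as well.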

Source: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#-hashfile