Recently one of our users asked: “There are several Windows 64 files on the Github page: an .exe file, a .md5sum file, and a .sha256sum file. Which one is better to download?
We advised you to download the .exe or .zip file, which weighs the most. Those files that weigh a lot are the actual wallet files, and the rest are just checksums. But what are these MD5sum and SHA256sum files, and why do developers place these files next to the download files?
If you doubt the authenticity of the wallet, then it is best to delete it and download it from the official website!
Also, we do not recommend installing wallets of little-known cryptocurrencies on the same PC with other wallets, since there have already been cases in history when new (scam) coins appeared on the market for only one purpose - to steal your coins. When installing a wallet for such a coin, it stole private keys, passwords and much more that were stored on this PC!
Hash MD5 and SHA256
SHA256sum and MD5sum are programs that implement the SHA256 and MD5 algorithms, respectively. These files are primarily used to confirm the integrity and authenticity of a file.
Both MD5 and SHA256 are two different algorithms, and it is up to developers to decide which one to use on the download page. As you can see above, the Ravencoin project developers have provided both an MD5 hash file and a SHA256 hash file to verify the wallet download file.
But this is not typical. Due to security issues in the MD5 algorithm, most developers do not use it. Currently, only SHA256 hashes are widely used.
On the Monero website, you may have noticed SHA256 hash values listed along with the software.
While some developers create and distribute a hash along with each software release, some developers digitally sign each new installer package version with the official developer's signature.
In the Bitcoin core you will find what are called release signatures or in other words release hashes. This is an ASC file that typically contains a SHA256 hash and a PGP signature.
Just download the file and open it with Notepad or Notepad++. You will see a random string of letters and numbers similar to this one.
——BEGIN PGP SIGNED MESSAGE—— Hash: SHA256 5659c436ca92eed8ef42d5b2d162ff6283feba220748f9a373a5a53968975e34 bitcoin-0.17.1-aarch64-linux-gnu.tar.gz aab3c1fb92e47734fadded 1d3f9ccf0ac5a59e3cdc28c43a52fcab9f0cb395bc cryptocurrency -0.17.1- i686-pc-linux-gnu.tar.gz 6aa567381b95a20ac96b0b949701b04729a0c5796c320481bfa1db22da25efdb bitcoin-0.17.1-osx64.tar.gz e3d785d800b71d277959d15b2c2 b33d44dd72c1288e559928a40488dd935c949 bitcoin-0.17.1-osx.dmg 3e564fb5cf832f39e930e19c83ea53e09cfe6f93a663294ed83a32e194bda42a bitcoin-0.17.1.tar.gz e 9245e682126ef9fa4998eabbbdd1c3959df811dc10df60be626a5e5ffba9b78 bitcoin-0.17.1- win32-setup.exe 6464aa2d338f3697950613bb88124e58d6ce78ead5e9ecacb5ba79d1e86a4e30 bitcoin-0.17.1-win32.zip fa1e80c5e4ecc705549a8061e5e7e0aa6b2d26967f99 681b5989d9bd938d8467 bitcoin-0.17.1-win64-setup.exe 1abbe6aa170ce7d8263d262f8cb0ae2a5bb3993aacd2f0c7e5316ae595fe81d7 bitcoin-0.17.1-win64.zip 53ffca45809127c9ba 33ce0080558634101ec49de5224b2998c489b6d0fc2b17 bitcoin-0.17.1-x86_64-linux-gnu. tar.gz ——BEGIN PGP SIGNATURE—— yYo/F2yO57Yacv597rKILLlg29QxEVTqa5+slMdwuU7NP5AdAcQV4EtFqoCOqM7C7 JL/zZWYnTywK3l0hOuCBJiY86izutWME5xgm7Eh3ORj+K6ZYT4iX w2JIkTdumeuS X0WDE3ShH4rb35IaQX75FJLp5R7hLTXiNgng7b8Xhy/62bJ75Ob4HVVSLG1Lkhps vtml10br+78qXiofzk8zaAW6KaG7G9nbBa0hfDjUEsYzA6P5iWA+53ykupc82HNa ZT2g k+wWhNhZOd/ANheriM0eqm/ZlK7oydYRRtf9Tamk+XJgREU1x8cWlMZcCPEE uIUzb7/REvYSjwcwArYLCq/eFPfjQe7jcG2WexnpxxkKJBvu2v4zVw9LLUPll094 BAmfk34iJKhN2cGVhvjO 0Q9GKk0B2HzvhD5xn1Hnlp+NbXVNbKonYvkB71D3GY4W t/eRyv7Erfi4dhHf+8oQ =UEoM ——END PGP SIGNATURE——
This is a cryptographic hash and this information is provided to users to verify the integrity of the file. Cryptocurrency developers and websites advise users to verify the authenticity of the downloaded file before using it. However, most users don't do this or don't know what to do with this information. Therefore, we decided to make an article on this issue. Here in this beginner's guide, we will show you how to verify checksums (SHA256 hash and MD5 hash only, not PGP signatures).
But why do this!? I'm downloading the wallet from an official source anyway, so why should I check the authenticity of the downloaded wallet? Also, what is a checksum and how does checking the checksum help?
Checking hash in Windows 10.
Starting with Windows 10 2004 (May 2022 Update), Microsoft begins offering hashes to help you verify the data integrity and authenticity of a downloaded Windows 10 ISO file.
A hash is a mathematical signature (text string) that is calculated using a cryptographic algorithm (SHA-1, SHA-256, MD5) for the chunk data. If any change occurs after the checksum has been calculated, the hash data value will also change.
In this case, the SHA256 hashes that Microsoft provides allow you to use PowerShell to verify that the Windows 10 ISO file you download has not been tampered with or corrupted.
This guide will teach you how to verify the integrity and authenticity of a Windows 10 version 2004 ISO file.
What does a checksum mean and how does it work?
A checksum is a random hash value that is created when the contents of a program are scanned. Developers often create and distribute these checksum strings with the release of each wallet software. But why is this necessary?
One of the main concerns of cryptocurrency users is security and trust. When downloading files online, we cannot be 100% sure that the file is original, even if you downloaded it from an official source. There is a possibility that a third party could change the file in transit or hack the server hosting the file and replace it with a malicious version.
But here's the thing: if any third party tries to change the software by even 1 bit, then the output hash value of the checksum string will be completely different from the value provided by the developer.
By checking the checksums, users can verify the authenticity of the file and ensure that they have downloaded an official copy of the wallet software published by the developer.
One standardized way to determine whether a program file has been modified from its original state is to check its hash value (checksum verification).
Simply calculate the software checksum and compare it with the one provided by the developer. If they match, then the file is genuine; if not, then either the download is corrupted or the file has been modified.
Checking the hash of downloaded files before using them is generally a good security check. If you are not sure about the authenticity of the file, but do not know how to check the checksum, follow the instructions below.
Option via File Explorer extension
There is a free application that allows you to integrate such functionality into Windows Explorer. It's called Hashtab, this application is free for non-commercial use and you can easily download it from the official website: https://implbits.com/products/hashtab/
To do this, select the free version (Free) and click on the Download button.
After installing the program, a new tab “File hashes” will appear in the Explorer context menu. By selecting it, the program will automatically calculate hashes for the selected file depending on which algorithms are selected in its settings.
To calculate SHA-256, you need to select the desired file (the hash of which we will calculate), right-click and select “Properties”.
Next, you need to select “Settings”.
In the settings, you need to tick the SHA-256 algorithm and click on the “OK” button
After that, on this tab you can see the SHA-256 Hash sum of the selected file.
How to check checksum (MD5/SHA256) on Windows, Linux and Mac?
To explain all this better, we will show all the sequential steps with a specific example - checking the checksum of the Monero GUI wallet to make sure that we downloaded a truly genuine file. You can use the same steps to verify the checksum of any cryptocurrency wallet download files.
First download the wallet file or software for which you want to verify the checksum.
Windows:
Go to your downloads folder or wherever you downloaded the file. Now press SHIFT simultaneously and right click on the downloaded file/archive folder to open a PowerShell window which will open the Command Prompt.
Type "dir" without quotes and press Enter to display a list of all the files and folders in that directory.
Now highlight the file for which you want to check the checksum and press CTRL + C to copy it. Then enter the following command to check the MD5 and SHA256 hash:
MD5: CertUtil -hashfile filename MD5
SHA256: CertUtil -hashfile filename SHA256 (Example: CertUtil -hashfile monero-gui-win-x64-v0.14.0.0.zip SHA256)
When finished, press Enter. The command window will now display the hash value of the file depending on the algorithm you choose. If you selected the SHA256 algorithm, it will display the SHA256 hash. If you selected the MD5 algorithm, it will display the MD5 hash.
Linux:
The procedure is the same for Linux and Mac, except that you don't open a command prompt. We will use a terminal window instead.
SHA256: sha256sum / | MD5: md5sum /
Mac: shasum -a 256 filename
Now compare the hash value generated in the command window with the hash value distributed by the wallet developer. To do this, simply copy them and check them manually.
If you received the correct sequence, then the wallet file is official. You can install it. However, if the hash values do not match, do not install the file!
Either the downloaded file is corrupted or it may be malicious. Be sure to delete such a file, download it again, and then check the checksum to ensure that the check result is positive. If the hash values do not match the second time, turn to another source.
Note. Developers often publish the hash values of downloadable wallets on their website and Github. It should be noted that each hash value is unique and different for each wallet version.
Therefore, it is important that you check the integrity of the wallet software each time you download a new version. This way, you can be sure that the wallet software you are using is an official, verified copy.
How to check that Windows 10 ISO has not been damaged or tampered with.
To check the ISO checksum for Windows 10, follow these steps:
Step 1: Open File Explorer.
Step 2: Navigate to the folder containing the Windows 10 ISO file.
Step 3: Type the following command in the address bar and press Enter:
powershell
Step 4: Type the following command to check the SHA256 hash of the Windows 10 ISO file and press Enter:
Get-FileHash .\Win10_2004_Russian_x64.iso
Tip: in this command, be sure to change the file name (Win10_2004_Russian_x64.iso) to match your download.
Validate the hash result based on the hashes provided by Microsoft.
For example, D4CDA51B4F4B61E3D82A6EF04B8860F93C62FFA48D387A9AC28855C2E9CFC5BD should be the checksum result when checking the ISO file for 64-bit architecture Windows May 2022 Update (in Russian), and 58665BFE9DAF754708A8C6D8348BFA4 6C26D7017EB78F5C425589ADB70393C64 is the checksum result when checking a 64-bit Windows May 2022 Update ISO file (in Ukrainian).
If the output matches, then you can be sure that the ISO file is not damaged and is genuine.
Windows 10 version 2004 SHA256 hash values.
Here is a list of hash values for each architecture and language in Windows 10 version 2004:
- Arabic 64-bit: 869BA1848C444140C87A6995A136ED8CD7F14DFE69907023BACF430229770D02
- Arabic 32-bit: 0BA24CF7E94FBFDC0666FE01D082EEFCDB48940D2462C8C584E237CB7B42DA05
- Bulgarian 64-bit: B6C88B2CB1618C83D2DB59DC79BB4935F8EFC3DC5279AE9C7A4A6B2D7B62A6A0
- Bulgarian 32-bit: 211D2044E4A90C363E76EABF395EBF6638560F06655C5C397C2525D317787E24
- Chinese Simplified 64-bit: E04E4B96B2CBE7A2AFE4889630958B46CD70F5DFF39A8283E8AD106C3D2F75B5
- Chinese Simplified 32-bit: 325D3B31FFB86586572997CF036A615244AC073879F977BFB0F0467E5F0B5169
- Chinese Traditional 64-bit: 4975BB3A9BB0FEA8DA772E366836E48E33EBA4DB0E7513C1E0F3A3087607C439
- Chinese Traditional 32-bit: 25ACE770E8FD366AE0C861B0E01561CB5DEBD537ABB181584EE7EF16938022EF
- Croatian 64-bit: 497151C206697842712A63637ED702A1AF05CBEC73A728D8CD341BBA1FCC9ACF
- Croatian 32-bit: 4F6178F8FB17E8D0AAB2554355D68D05AFA918402B2B5762F72F68EC4B553D61
- Czech 64-bit: 673927697D64316CCA7BE258ABFA07F6C861317B404D10AA6A77EBDB1395026F
- Czech 32-bit: F9F8F881F8F71D3186C3963BDD85A734C0634EAFEDACC7E4C461A12C2C31893A
- Danish 64-bit: 2281062E4013AAD18320B53A8192D0F0C03C7A0D2D12F674E9BC8FE0E0B3C59E
- Danish 32-bit: A6D29392006DD9629640F39B4AD1BC92B81C9116EC15AEC59713D6D99770543C
- Dutch 64-bit: 059D59BFB72260DEC0981C0747190FEB6FA7911E6653F071FACE0B91490FE84A
- Dutch 32-bit: D37E044F03F5C27164731213C19B08C4655ACAE3D55B4D1D82867ED1675E7D6A
- English 64-bit: A9EFD2329ED805A6A58E0E0101F9B22AD4031E80E2C663C571CD004DB26D2F31
- English 32-bit: 34DEDA035093417D811DBE4A6EB4CCB6A5D9E86F586395C93DE3C73D5D9B5D2B
- English International 64-bit: 4D7D73409B36E44462C690EC58AE0DC6846B01307799432FBD542388D4AD30E7
- English International 32-bit: 982E7E93B31CB5790DAEF5CB4C48A0A18A993333C43AEEC94970883E049BA324
- Estonian 64-bit: EC0991DE5189D54312B93AE61187836299C109C167D48C3BDF9771AC5CC4402B
- Estonian 32-bit: C33BCAA592C563636B5C69517F3904E7D0436ED9FDA5201756C5694A48AA6E2A
- Finnish 64-bit: 35008D60E05E99A27D8FFD0F9BF91CA0CF1ABD293AD02A8A4B6A6680567498F9
- Finnish 32-bit: C5276BD1580EE4FA9D23B27D6108DA0CDEA36FA972AE51BCF850F622221A2539
- French 64-bit: 567EAB53626F7865F93D96BDCCC61C5D63F5B95F6CC9C82CA6AABF5282BEED90
- French 32-bit: B717494E2C8D63E7DA0A1537A45EC5EE0F3C4F3DCAD488AD444A0779DAF3B8B3
- French Canadian 64-bit: 84F7792CF7C2F5CBF963C54494FD4B51F097F201B93E4DFC966A21D9EE262A68
- French Canadian 32-bit: 8FE59E2E703952F4EC58AC084EC7F9DB48B647B8101631DF8FA741275B849061
- German 64-bit: 17C710909A722392A32B3A4364471838588C2F408B4B6DBCDCE990F0547F1074
- German 32-bit: 83C5C496424BB6D8775C5AFEA92DD893E4DBB7AE2D6DA0BEFC85605B77AD5178
- Greek 64-bit: E8B637253D1CD4EE6AA0C1562C1AE5C80C7250614D35FB39A4B6D1CB431B80A5
- Greek 32-bit: 3FD3717399E2223401AAF0F14DF68139488AD3F80567954FB12C5C94F01F2432
- Hebrew 64-bit: EE314732FBBB9EB2A8E58B32F63747432C9C45317EAD06E46E037B25F90CF618
- Hebrew 32-bit: 6AB6B03E2AC85609F7F80970B622EBED4C3E0D3893FFC77D6B7F76BCC94DC5CC
- Hungarian 64-bit: 0EA3DD7EECF65BA355E0961311B5659C13474B36F3A517F336D34D7E1A4C7139
- Hungarian 32-bit: E49CF557B7CBF072BBCF1CD35271B37CCAF87819670290ECDE30DE1FD6B0E888
- Italian 64-bit: CA6DE4BF66E1DBB83612D6DD34E554403DB1208439D8F28EC151565E4A9F4028
- Italian 32-bit: DB3D52F36B1E718C9B01AA3761F75C107A9D5922705D45C9E89C166ABD0B7B14
- Japanese 64-bit: 6FEC5075735660F482405C2AA0283EA76C70F88AAAE20E05A26E836B95BB8998
- Japanese 32-bit: A33266C617E21FCE9D29A43684866EF3C9A24ACB3B48806A9729CAC099C96189
- Korean 64-bit: DC03ECB2B5090BB219DE90091361CCFA0E5310C5EDCDEE9A0EAE3E42BE81804E
- Korean 32-bit: 7DB4E81418210C79CE6AF9D85FB6E48ECAAB37D1DBB35B5156DCEA8C82C5706D
- Latvian 64-bit: 06379A910F38AC29C7A81961049B1381E7FD8CA53BB4F1BABB07692DC932ED95
- Latvian 32-bit: D36E4B6688259E7651C5EEEA6B97A7E48D07049AE2EB87D5B5CE20CAE48EECE7
- Lithuanian 64-bit: C9374915B6E6695EABCF8EAD5F4335B58D47EB2A4096B74198CF8ADE7FE33720
- Lithuanian 32-bit: A58EDDC8B2ACD78A3B418E7FC5DB831350D6776953E119D5F0476544186162BC
- Norwegian 64-bit: 248EB95D23A5B06203C2ED605F9AC3BF778EC3953DA7AF76C3F5B38F6DB59198
- Norwegian 32-bit: 956F5CA9EDD36880C9CDE425B11BD710F1440A3BEDE4071246A927BAE5F49E92
- Polish 64-bit: EF21D12C098017615BFC9A325A7244576654C4C6834934CB6D1658AB981D6501
- Polish 32-bit: 2B646F0566745600216B76BE163C409B1A8DEB2205CABEBA8A12DBD2961F4E8E
- Brazilian Portuguese 64-bit: 9F8AB79DCC6628C6DF6EC633890EA841AB2446BA25A414E7BD947D75BAC82CCD
- Brazilian Portuguese 32-bit: 9D121F073AA068BAFD8B6425C721CB8D923C76A8BD9714D9723B195726BD5BF0
- Portuguese 64-bit: 81D02C6B6553A842DFEB28EA3A4E1C7714DC9CA1852FC0F348FE8047AD822EF0
- Portuguese 32-bit: 2E8945C774C9D47DDBC7B4E244E15DE869D534D1F834856A04C93DD79477C3E0
- Romanian 64-bit: 8C505C9203516CCDE25429683CEFFA706ABE29DB507FDED344EFCDC58592BF7A
- Romanian 32-bit: 18A621A73EB68D8B04F46BB5023D182F1A96C84D72371C63A23926A82CC8AA43
- Russian 64-bit: D4CDA51B4F4B61E3D82A6EF04B8860F93C62FFA48D387A9AC28855C2E9CFC5BD
- Russian 32-bit: 0DC53C74F861938E47490861DC1AA4F917BD4C567173C1B43B14B9999E363B0C
- Serbian Latin 64-bit: 261494434A95D5A03F251AF32A52621A5ABA6776DC84B2ED6D748C862F0B14FA
- Serbian Latin 32-bit: 748E16E39CF61EEC0999FFE10C420A0DC071038CDD379895966AC2C4BD16DC68
- Slovak 64-bit: 6E9B813E01032B0D22D682EB9914CB1C4E4880797B11A98E808788ABDB653948
- Slovak 32-bit: E4906F6F7A6FAD9675106463D76C2A78AD77107F8CFD86BCD4595C50D95C0E70
- Slovenian 64-bit: 35174A0080D1EAA8CD619591E54ED10E4D5549166F029BF7A6729EEF2532F7FB
- Slovenian 32-bit: 779A879244063C9BBE11EC02F17383AD265F11D775C3C001DC23E8818F14820A
- Spanish 64-bit: 443CFA90E2D0A8FCA281294997C9C9CA605D33FC78A010B39F04728E64C0B343
- Spanish 32-bit: 7C14C8FA47E48D24E9CD777DF6B079352CB6F37079382645875569DDBEBA1964
- Spanish (Mexico) 64-bit: 78814BF445C237F58556B18008FDAC64E32B16B2400C04EE17BFA79E8CC4319A
- Spanish (Mexico) 32-bit: D0A86807136F13B3EB483A524DBCB156CDFF573036F3330D5FB7975BE812F31F
- Swedish 64-bit: 29943DF2747F37CF20FE3D08D729F50638486A8E0D95366227A0C5B6427337FC
- Swedish 32-bit: E916B76AF280E14FD00CF2D067A14D9A0B14E76AFF60853EC80C8115DD48CE48
- Thai 64-bit: DC897C2AF3AEADA082B28A34B7852D906EAACE00CA232A1F759CAC878CDD9AC1
- Thai 32-bit: 6EFEA4AA404044C941D7D0B001583808500CF5BCA890A359AB1E6D9DF3F9B754
- Turkish 64-bit: E099123E84BAD6C89431ABABB6F00A67989E5257D33815B32304D6095D38F50F
- Turkish 32-bit: AE29E2B65CB52DE482F1BD2204D28CD47A94A02B9D6C85713025AAE1D1893625
- Ukrainian 64-bit: 58665BFE9DAF754708A8C6D8348BFA46C26D7017EB78F5C425589ADB70393C64
- Ukrainian 32-bit: 61AE0D59D4B0061930A2CC63C9D738A2620CA6D4A09072B2B663000A3437B38E
Microsoft provides hash values when you use this method to download a Windows 10 ISO file.
Digital signatures: GPG/PGP signatures
But what if the website gets hacked and the hacker manages to change both the wallet file and the hash values? Yes, this happens sometimes and that's why most developers don't publish hash values and binaries in the same place.
PGP is now widely used, which is a more secure way to check the integrity of a file. In addition to the SHA256 hash, some developers publish signed PGP hashes of the wallet installer. Some, on the other hand, only provide GPG signatures.
We'll cover more about GPG and digital signature verification in a separate article soon. If you have any questions, be sure to ask them in the comments!