Checking downloaded file hash values

It is well known that the web is not a safe place.

Downloading software from unknown sources is definitely asking for trouble, but how do you know that software downloaded from even a trusted source has not been tampered with, especially when the vendor uses a third-party service to host the binaries?

Cryptographic hash algorithms are a great help here. Consider the following screenshot from the Grafana download page:

[Screenshot: Grafana download page]

Notice the line:

SHA256: 7c15ab1767b9bf3b324a76ee188ab5ce79e602c4e81950b8d94f9a34c33346f

This is the expected result of running the SHA256 hash function over the file located at:

https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-4.6.3.windows-x64.zip

The beauty of this is that if anyone tampered with the file (e.g. by building in a Trojan horse or some sort of key-logging functionality), the hash of the file would no longer match the published value, and a cryptographic hash such as SHA256 is designed so that an attacker cannot craft a modified file that still produces the same hash. Two caveats apply. First, the check is only as trustworthy as the place the expected hash came from: it should be read over HTTPS from the vendor's own page, not from the same third-party host that serves the binary, since an attacker who controls that host could replace both. Second, a mismatch can also mean a corrupted or incomplete download, so re-download and compare again before assuming the worst; a file that still does not match should not be run.

So how does one check the hash value for the file? On Windows, I have found it to be quite simple using Windows PowerShell. Simply download the file to your local machine and run the following PowerShell command, giving the path of the downloaded file and the hash algorithm named on the download page:

Get-FileHash C:\Tools\Downloads\grafana-4.6.3.windows-x64.zip -Algorithm SHA256

This generated the following output:

[Screenshot: PowerShell output of Get-FileHash]

The output shows that the computed hash equals the expected value, which indicates that the file I downloaded is the same one Grafana published. Note that Get-FileHash prints the hash in upper-case hex while the download page shows it in lower-case; the values are the same, and PowerShell's -eq string comparison is case-insensitive, so a script can compare them directly. A SHA256 digest is always 64 hex characters, so compare the whole string rather than just the first few characters.
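Comparing two long hex strings by eye is error-prone, so the procedure above is better done in one step. The following is an added example, not code from the original post or from Grafana: a small PowerShell function (the name Test-FileHashMatch and its parameters are my own) that normalises the digest copied from a download page, rejects a value of the wrong length (an easy mistake when copying a hash, and one that would otherwise silently report a mismatch), runs Get-FileHash, and returns an object with a Match flag that a script can act on. The file path is the one from the post; the expected hash is a placeholder to be replaced with the value from the vendor page.

```powershell
# Added example (not from the original post): verify a downloaded file against
# the digest published by the vendor in a single, scriptable step.
function Test-FileHashMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,           # downloaded file
        [Parameter(Mandatory)] [string] $ExpectedHash,   # digest copied from the vendor page
        [ValidateSet('SHA256', 'SHA384', 'SHA512', 'SHA1', 'MD5')]
        [string] $Algorithm = 'SHA256'
    )

    # Digest lengths in hex characters (bytes * 2) for each supported algorithm.
    $hexLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA384 = 96; SHA512 = 128 }

    # Normalise whatever was pasted: drop a "SHA256:" style prefix and all
    # whitespace, and upper-case it (Get-FileHash emits upper-case hex,
    # download pages usually publish lower-case).
    $expected = ($ExpectedHash -replace '^\s*(sha\d+|md5)\s*:\s*', '' -replace '\s', '').ToUpperInvariant()

    # A digest of the wrong length or with non-hex characters was copied
    # incorrectly; fail loudly instead of reporting a misleading mismatch.
    if ($expected -notmatch '^[0-9A-F]+$' -or $expected.Length -ne $hexLength[$Algorithm]) {
        throw "Expected $Algorithm digest must be $($hexLength[$Algorithm]) hex characters; got $($expected.Length). Check the copied value."
    }

    # -LiteralPath avoids wildcard expansion on paths containing [ or ].
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)   # string -eq is case-insensitive in PowerShell
    }
}

# Usage: path from the post; paste the SHA256 shown on the Grafana download page
# in place of the placeholder.
$result = Test-FileHashMatch -Path 'C:\Tools\Downloads\grafana-4.6.3.windows-x64.zip' `
                             -ExpectedHash '<paste the SHA256 from the download page>'
$result | Format-List

if (-not $result.Match) {
    Write-Error "Hash mismatch for $($result.Path): do not run this file."
    exit 1
}
```

Because the function returns an object rather than printing text, the same check can be dropped into an installation script or a CI job, where a mismatch should abort the run rather than just be noticed on screen.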