It is well known that the web is not a safe place.
Downloading software from unknown sources is definitely asking for trouble, but how do you know that software downloaded from even a trusted source has not been compromised, especially when that source relies on third-party vendors to host the binaries?
Hash algorithms are a great help in keeping us safe. Consider the following screenshot from the Grafana download page:
Notice the line:
This is the expected value produced by running the SHA256 hash function over the file located at:
The beauty of this is that if anyone has tampered with the file (e.g. by building in a Trojan horse or some sort of key-logging functionality), the hash value of the file will no longer match the expected value.
So how does one check the hash value of the file? On Windows, I have found it to be quite simple using Windows PowerShell. Simply download the file to your local machine and run the following PowerShell command, referencing the location of the downloaded file and specifying the appropriate hash algorithm:
Get-FileHash C:\Tools\Downloads\grafana-4.6.3.windows-x64.zip -Algorithm SHA256
This generated the following output:
It can be seen from the output that the hash value equals the expected value, which indicates that the file I downloaded is the same one Grafana uploaded.
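The manual comparison above is easy to get wrong by eye (a single transposed hex digit in a 64-character string is hard to spot), so the check is better done in code. The following PowerShell function is an added example, not code from the original post or from Grafana: it wraps Get-FileHash, normalises the published value (case, surrounding whitespace and a "sha256:" style prefix, all of which vary between download pages) and returns a match flag. The file path, the sample file content and the "published" hash string are constructed for the demo; the function name Test-DownloadHash is my own.

```powershell
# Added example (not from the original post): verify a downloaded file against a
# published SHA256 value using Get-FileHash. Function name, temp file and the
# "published" value below are constructed for this demo.

function Test-DownloadHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('SHA256', 'SHA384', 'SHA512', 'SHA1', 'MD5')]
        [string] $Algorithm = 'SHA256'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Normalise the published value: strip whitespace and an optional
    # "sha256:" / "md5:" prefix that some download pages put in front of the hex.
    $expected = ($ExpectedHash -replace '^\s*(sha\d+|md5)\s*:\s*', '').Trim()
    if ($expected -notmatch '^[0-9A-Fa-f]+$') {
        throw "Expected hash is not a hexadecimal string: '$ExpectedHash'"
    }

    # Get-FileHash emits upper-case hex; string -eq is case-insensitive in
    # PowerShell, so a lower-case published value still compares correctly.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $ok = ($actual -eq $expected)

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $expected.ToUpperInvariant()
        Actual    = $actual
        Match     = $ok
    }
}

# --- Demo with a constructed file, so it runs without any download ---
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'hash-demo.bin'
[System.IO.File]::WriteAllText($tmp, 'hello')   # constructed sample content

# The "published" value, written the way a download page might present it
# (lower-case, with a prefix); it is the SHA256 of the sample content above.
$published = 'sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'

$result = Test-DownloadHash -Path $tmp -ExpectedHash $published
$result | Format-List
if (-not $result.Match) {
    throw "Hash mismatch for $($result.Path): do not run this file"
}
Write-Host 'Hash verified; file matches the published value.'

# Tamper with the file by appending one byte and check again: the
# comparison must now report a mismatch.
[System.IO.File]::AppendAllText($tmp, '!')
$tampered = Test-DownloadHash -Path $tmp -ExpectedHash $published
Write-Host "After tampering, Match = $($tampered.Match)"

Remove-Item -LiteralPath $tmp
```

Run it in a script or paste it into a PowerShell session; in practice you would replace the constructed file with the downloaded archive (e.g. the grafana-4.6.3.windows-x64.zip path from the command above) and the constructed string with the value copied from the download page. One caveat worth keeping in mind: the check is only as trustworthy as the place the expected value came from. Reading the hash from the vendor's own page while the binary is served by a third-party host, as in the post, protects against tampering on that host; it does not help if the same party could edit both the page and the file.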