Every now and then, I want to make sure that a file I’m downloading — especially from a mirror site — hasn’t been currupted in transit, or more likely poisoned with malware. I was downloading the ImgBurn utility from a mirror site today, and something made me think I should be careful.
The main site lists md5 and sha1 hashes, so I looked for a tool to calculate the hash of the file I had downloaded. I found the “File Checksum Integrity Verifier” tool — KB841290. It can derive md5, sha1, or both for one or more files.
I was surprised to find that the file I had downloaded from SpeedLabs mirror did not match:
//
// File Checksum Integrity Verifier version 2.05.
//
c4647eb75a2340af0f57a8bc3fb3d4e5a63f5172 setupimgburn_2.4.1.0.exe
I downloaded the file again from ImgBurn directly, and the hash matched. If I have a moment, I will try the mirror again, just in case it was a corrupt transfer. Maybe I’ll even run it in a VM, just to see what I get infected with.
Three cheers for geek intuition!
[UPDATE 2008-07-02] While skimming through Windows PowerShell Cookbook, I noted recipe 17.10, “Program: Get the MD5 or SHA1 Hash of a File.” Coolness!
