It’s always a good idea to calculate an MD5 or SHA1 file checksum to validate file integrity after download or transfer, especially when dealing with firmware binaries. While most modern systems are smart enough to validate images before attempting an installation, not all are so wise, and I’m sure I’m not the only one to have seen a device bricked (or stuck in ROMMON or a similar bootloader or equivalent) after a bad image was uploaded.
Here’s a quick reference guide to creating file checksums on Macos (OSX), Windows and Linux.
File Checksum Validation
There are various ways to check md5/sha1 checksums depending on your preferred platform. Vendors tend to publish the MD5 or SHA1 checksums (or both) for downloadable files, so it’s silly not to do checksum validation and confirm that the file has downloaded completely and uncorrupted. I try to validate after each time I transfer a file so that I don’t waste time sending a corrupted file on to the next hop. For example:
- Download image file from Cisco’s website
- — View the checksum and compare
- SCP the file to a target jump server
- — View the checksum and compare
- SCP the file to the end device
The tools to validate a checksum vary depending on the platform, but here are the most common ways:
File Checksum on OSX (aka MacOS)
I’m not aware of a built-in graphical way to view checksums on a Mac, but OSX has an easy
md5 command in the default shell There’s no
sha1 command equivalent, but thankfully
openssl—which is a deceptively feature-rich toolkit—can do both, and is installed by default on OSX:
osx_bash-3.2$ md5 n6000-uk18.104.22.168.N1.1.bin MD5 (n6000-uk22.214.171.124.N1.1.bin) = 9a00b78dc42bb12f233aeff572e87d09 osx_bash-3.2$ openssl md5 n6000-uk126.96.36.199.N1.1.bin MD5(n6000-uk188.8.131.52.N1.1.bin)= 9a00b78dc42bb12f233aeff572e87d09 osx_bash-3.2$ openssl sha1 n6000-uk184.108.40.206.N1.1.bin SHA1(n6000-uk220.127.116.11.N1.1.bin)= b211eef614c0566c7729292228ded44c82272d5d
File Checksum on Windows
Windows, last time I checked, has no built-in tools to calculate an md5 or sha1 checksum. There are plenty of third party application that can be installed, some of which add checksums to file properties, and some which are standalone applications. Sadly, I’m not in a position to recommend any of them, as I haven’t used them.
For a long time, Microsoft has offered an unsupported tool called FCIV (File Checksum Integrity Verifier), which despite not mentioning support for anything above Windows 2000, I gather does actually work on some later Windows versions; but who wants to rely on an unsupported tool?
Instead the only built-in method I’m aware of is
certutil, and since it’s free, supported, and it works, why not use it?
C:\>certutil -hashfile n6000-uk18.104.22.168.N1.1.bin MD5 MD5 hash of file n6000-uk22.214.171.124.N1.1.bin: 9a 00 b7 8d c4 2b b1 2f 23 3a ef f5 72 e8 7d 09 CertUtil: -hashfile command completed successfully. C:\>certutil -hashfile n6000-uk126.96.36.199.N1.1.bin SHA1 SHA1 hash of file n6000-uk188.8.131.52.N1.1.bin: b2 11 ee f6 14 c0 56 6c 77 29 29 22 28 de d4 4c 82 27 2d 5d CertUtil: -hashfile command completed successfully.
File Checksum in Linux
Linux distributions typically seem to include the tools
sha1sum; most will also have
openssl installed as well. If you’re dunning Cisco’s DCNM, you’ll be pleased to know that these tools are available there also:
[[email protected]]# openssl md5 n6000-uk184.108.40.206.N1.1.bin MD5(n6000-uk220.127.116.11.N1.1.bin)= 9a00b78dc42bb12f233aeff572e87d09 [[email protected]]# md5sum n6000-uk18.104.22.168.N1.1.bin 9a00b78dc42bb12f233aeff572e87d09 n6000-uk22.214.171.124.N1.1.bin [[email protected]]# openssl sha1 n6000-uk126.96.36.199.N1.1.bin SHA1(n6000-uk188.8.131.52.N1.1.bin)= b211eef614c0566c7729292228ded44c82272d5d [[email protected]]# sha1sum n6000-uk184.108.40.206.N1.1.bin b211eef614c0566c7729292228ded44c82272d5d n6000-uk220.127.116.11.N1.1.bin
If you have other tools or commands to suggest (so long as they aren’t blatant product plugs) please add them in the comments so others can benefit!