TIP: How To Do MD5 and SHA1 File Checksum Validation

It’s always a good idea to calculate an MD5 or SHA1 file checksum to validate file integrity after download or transfer, especially when dealing with firmware binaries. While most modern systems are smart enough to validate images before attempting an installation, not all are so wise, and I’m sure I’m not the only one to have seen a device bricked (or stuck in ROMMON or a similar bootloader or equivalent) after a bad image was uploaded.

File Checksum

Here’s a quick reference guide to creating file checksums on Macos (OSX), Windows and Linux.

File Checksum Validation

There are various ways to check md5/sha1 checksums depending on your preferred platform. Vendors tend to publish the MD5 or SHA1 checksums (or both) for downloadable files, so it’s silly not to do checksum validation and confirm that the file has downloaded completely and uncorrupted. I try to validate after each time I transfer a file so that I don’t waste time sending a corrupted file on to the next hop. For example:

  • Download image file from Cisco’s website
  • — View the checksum and compare
  • SCP the file to a target jump server
  • — View the checksum and compare
  • SCP the file to the end device

The tools to validate a checksum vary depending on the platform, but here are the most common ways:

File Checksum on OSX (aka MacOS)

I’m not aware of a built-in graphical way to view checksums on a Mac, but OSX has an easy md5 command in the default shell There’s no sha1 command equivalent, but thankfully openssl—which is a deceptively feature-rich toolkit—can do both, and is installed by default on OSX:

osx_bash-3.2$ md5 n6000-uk9.7.1.4.N1.1.bin
MD5 (n6000-uk9.7.1.4.N1.1.bin) = 9a00b78dc42bb12f233aeff572e87d09

osx_bash-3.2$ openssl md5 n6000-uk9.7.1.4.N1.1.bin
MD5(n6000-uk9.7.1.4.N1.1.bin)= 9a00b78dc42bb12f233aeff572e87d09

osx_bash-3.2$ openssl sha1 n6000-uk9.7.1.4.N1.1.bin
SHA1(n6000-uk9.7.1.4.N1.1.bin)= b211eef614c0566c7729292228ded44c82272d5d

File Checksum on Windows

Windows, last time I checked, has no built-in tools to calculate an md5 or sha1 checksum. There are plenty of third party application that can be installed, some of which add checksums to file properties, and some which are standalone applications. Sadly, I’m not in a position to recommend any of them, as I haven’t used them.

For a long time, Microsoft has offered an unsupported tool called FCIV (File Checksum Integrity Verifier), which despite not mentioning support for anything above Windows 2000, I gather does actually work on some later Windows versions; but who wants to rely on an unsupported tool?

Instead the only built-in method I’m aware of is certutil, and since it’s free, supported, and it works, why not use it?

C:\>certutil -hashfile n6000-uk9.7.1.4.N1.1.bin MD5
MD5 hash of file n6000-uk9.7.1.4.N1.1.bin:
9a 00 b7 8d c4 2b b1 2f 23 3a ef f5 72 e8 7d 09
CertUtil: -hashfile command completed successfully.

C:\>certutil -hashfile n6000-uk9.7.1.4.N1.1.bin SHA1
SHA1 hash of file n6000-uk9.7.1.4.N1.1.bin:
b2 11 ee f6 14 c0 56 6c 77 29 29 22 28 de d4 4c 82 27 2d 5d
CertUtil: -hashfile command completed successfully.

File Checksum in Linux

Linux distributions typically seem to include the tools md5sum and sha1sum; most will also have openssl installed as well. If you’re dunning Cisco’s DCNM, you’ll be pleased to know that these tools are available there also:

[root@dcnm]# openssl md5 n6000-uk9.7.1.4.N1.1.bin
MD5(n6000-uk9.7.1.4.N1.1.bin)= 9a00b78dc42bb12f233aeff572e87d09

[root@dcnm]# md5sum n6000-uk9.7.1.4.N1.1.bin
9a00b78dc42bb12f233aeff572e87d09  n6000-uk9.7.1.4.N1.1.bin

[root@dcnm]# openssl sha1 n6000-uk9.7.1.4.N1.1.bin
SHA1(n6000-uk9.7.1.4.N1.1.bin)= b211eef614c0566c7729292228ded44c82272d5d

[root@dcnm]# sha1sum n6000-uk9.7.1.4.N1.1.bin
b211eef614c0566c7729292228ded44c82272d5d  n6000-uk9.7.1.4.N1.1.bin

If you have other tools or commands to suggest (so long as they aren’t blatant product plugs) please add them in the comments so others can benefit!

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.