Verifying downloaded files is a crucial step to ensure their integrity and security. Here are several methods you can use:

1. Using Hash Values (MD5, SHA-1, SHA-256)

  • What are hash values?
    • Hash values are unique digital fingerprints generated by cryptographic algorithms (such as MD5, SHA-1, SHA-256).
    • When a file is downloaded, the original source often provides a hash value for that file.
  • How to verify?
    • On Windows
      • You can use built-in tools like PowerShell. For example, to check the SHA-256 hash of a file named “example.zip”:
      Get-FileHash example.zip -Algorithm SHA256
      
      • Compare the output hash value with the one provided by the source. If they match, the file is likely intact and unaltered.
    • On macOS
      • Open Terminal and use the shasum command for SHA-1 or shasum -a 256 for SHA-256. For example:
      shasum -a 256 example.zip
      
    • On Linux
      • Use the sha256sum command:
      sha256sum example.zip
      
      • Again, compare the generated hash with the expected one.

2. Using Digital Signatures

  • What are digital signatures?
    • Digital signatures are used to verify the authenticity of a file. They are created using a private key by the file creator and can be verified using the corresponding public key.
  • How to verify?
    • For software packages (e.g., in Linux package managers)
      • When you install software using package managers like apt (on Debian-based systems) or yum (on Red Hat-based systems), the package manager automatically checks the digital signatures of the packages. If the signature is invalid, the installation will fail.
    • For other files
      • You may need to use tools like gpg (GNU Privacy Guard). The file creator should provide the public key and the signature file (usually with a .sig or .asc extension). You can import the public key and verify the signature using commands like:
      gpg --verify example.zip.sig example.zip
      

3. Using Antivirus/Antimalware Software

  • Why use antivirus software?
    • Antivirus programs can scan downloaded files for known malware, viruses, and other malicious content.
  • How to verify?
    • On Windows
      • Most antivirus programs (like Windows Defender, Norton, etc.) automatically scan downloaded files. You can also manually scan a file by right-clicking on it and selecting the scan option provided by your antivirus software.
    • On macOS and Linux
      • There are antivirus programs available for these operating systems as well, such as ClamAV. You can install and use them to scan files.

4. Checking File Size

  • Why check file size?
    • Sometimes, a corrupted or incomplete download may result in a file size that does not match the expected size.
  • How to verify?
    • Compare the size of the downloaded file with the size provided by the source. You can check the file size in the file properties (on Windows) or using the ls -l command (on macOS and Linux).

5. Using File Integrity Checkers

  • What are file integrity checkers?
    • These are specialized tools designed to monitor and verify the integrity of files.
  • How to verify?
    • Tripwire
      • It is a popular file integrity checker. You can set it up to monitor specific directories and files. It will alert you if any changes are detected in the monitored files.
    • AIDE (Advanced Intrusion Detection Environment)
      • It is another tool used for file integrity checking. It creates a database of file attributes and periodically checks for any changes.

6. Manual Inspection (for certain file types)

  • Why manually inspect?
    • For some file types (like text files, configuration files, etc.), you can manually open and inspect the contents to ensure they appear correct.
  • How to verify?
    • Open the file using a text editor or appropriate viewer and check for any obvious signs of corruption or unexpected content.

7. Using File Verification Tools

  • What are file verification tools?
    • These are specialized tools designed to verify the integrity of files based on various criteria.
  • How to verify?
    • WinRAR/7-Zip
      • If you are downloading compressed files (like .rar or .zip), tools like WinRAR or 7-Zip can check the integrity of the archive. For example, in WinRAR, you can right-click on the archive and select “Test archive” to verify its integrity.
    • HashCheck Shell Extension
      • This is a Windows tool that integrates with the file explorer and allows you to easily calculate and verify hash values of files directly from the context menu.

By using one or a combination of these methods, you can significantly increase the confidence in the integrity and security of your downloaded files.
Here are the common methods to verify downloaded files:

  • Check file size: Compare the size of the downloaded file with the size information provided on the official website or download source. If there is a significant difference, it may indicate that the file has been corrupted or incompletely downloaded.
  • Verify file integrity using checksums: Many software vendors provide checksum values (such as MD5, SHA-1, or SHA-256) for their downloadable files. You can use a checksum verification tool to calculate the checksum of the downloaded file and compare it with the provided value. If they match, the file is likely to be intact.
  • Check file extensions and signatures: Ensure that the file has the correct extension and that its signature matches the expected format. For example, a PDF file should have a .pdf extension and exhibit the proper PDF file structure.
  • Use digital signatures: Some files may be digitally signed by the publisher. You can check the digital signature to verify the authenticity and integrity of the file. This requires the appropriate software and the ability to validate the signature against a trusted certificate authority.
  • Scan for viruses and malware: Run a virus scan on the downloaded file using reliable antivirus software. This helps detect any malicious code or viruses that may have been attached to the file.
  • Compare with known good copies: If possible, compare the downloaded file with a known-good copy of the same file. This can be done by visually inspecting the contents or using a file comparison tool.
  • Check for file authenticity: For some important files, such as software installers or official documents, you can check the authenticity of the file by verifying the source and ensuring that it comes from a trusted and legitimate website.

This page describes how to verify a file, downloaded from a mirror, by checksum or by signature.

All official releases of code distributed by the Apache Software Foundation are signed by the release manager for the release. PGP signatures and SHA/MD5 checksums are available along with the distribution.

You are encouraged to download the releases from our mirrors. Signatures and checksums are only available from the official Apache Software Foundation site.
Our download pages point you to the mirrors for releases and to the official site for signatures and checksums.

CHECKING HASHES
File hashes are used to check that a file has been downloaded correctly. They do not provide any guarantees as to the authenticity of the file.

The checksum of a file is a fixed length string, that (in practice) uniquely identifies the contents of the file. Two files are (only) equal if their checksums are equal. Comparing the checksums of two files is as good as comparing the two files themselves.

There are lots of checksum algorithms; we use SHA-1, SHA-256, SHA-512 and MD5.
The download page shows which checksum files are available for the original file.

To check a hash, you have to compute the proper checksum of the file you just downloaded; then compare it with the published checksum of the original.

            compute the checksum of your file ...                           compare with
            Windows                          Linux             Mac
SHA-1       certUtil -hashfile file SHA1     sha1sum file      shasum -a 1 file      file.sha1
SHA-256     certUtil -hashfile file SHA256   sha256sum file    shasum -a 256 file    file.sha256
SHA-512     certUtil -hashfile file SHA512   sha512sum file    shasum -a 512 file    file.sha512
MD5         certUtil -hashfile file MD5      md5sum file       md5 file              file.md5

Only if you check the hash can you be certain that your download hasn’t been modified; for instance on the mirror, or the download itself may be incomplete or faulty.
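The checksum procedure described twice on this page (the PowerShell/shasum/sha256sum commands in section 1 of the first list, and the certUtil/sha*sum/shasum table just above) as one added shell script. This is example code written for this page, not a script from the page's author or from the Apache Software Foundation. It assumes a POSIX shell with awk and one of sha256sum, shasum or openssl on the host (the Windows certUtil/Get-FileHash path is only mentioned in a comment); the function names file_sha256, file_size, expected_from_sidecar, verify_sha256 and demo_run are chosen here, and the example.zip bytes and the .sha256 sidecar text are constructed for the demo. It goes a little beyond the text by parsing the sidecar layouts publishers commonly ship ("HEX  filename", "HEX *filename", and "filename: HEX HEX ..." split over lines), by comparing case-insensitively, and by showing that an altered download is rejected.

```shell
#!/bin/sh
# Added example for this page: portable SHA-256 verification of a download
# against a published sidecar checksum. Not code from the page or the ASF.
# Assumes: POSIX sh + awk, and one of sha256sum / shasum / openssl.
# On Windows the equivalent is "certUtil -hashfile file SHA256" or
# "Get-FileHash file -Algorithm SHA256"; those are not exercised here.

# Lowercase hex SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{ print $1 }'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{ print $NF }'   # "SHA256(file)= hex"
  else
    echo "no SHA-256 tool found" >&2
    return 2
  fi
}

# Size in bytes (section 4: a truncated download usually shows up here first).
file_size() {
  wc -c < "$1" | tr -d ' '
}

# expected_from_sidecar SIDECAR FILE
# Pull the published digest out of a sidecar such as file.sha256. Tokens equal
# to the file name (with a leading "*" or trailing ":" stripped) are dropped,
# every remaining all-hex token is concatenated, and the result is lowercased.
expected_from_sidecar() {
  sidecar=$1
  name=$(basename "$2")
  awk -v f="$name" '
    { for (i = 1; i <= NF; i++) {
        t = $i; sub(/^\*/, "", t); sub(/:$/, "", t)
        if (t == f) continue
        if (t ~ /^[0-9A-Fa-f]+$/) out = out t
    } }
    END { print tolower(out) }' "$sidecar"
}

# verify_sha256 FILE EXPECTED_HEX
# 0 only on an exact (case-insensitive) match, 1 on mismatch, 2 on a usage or
# tooling problem. A match proves the bytes are the ones the publisher hashed;
# it says nothing about who the publisher is unless the sidecar itself came
# from a trusted location (the page's point: hashes give integrity, not authenticity).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    ""|*[!0-9a-f]*) echo "malformed expected digest" >&2; return 2 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "expected digest is not 64 hex characters" >&2; return 2
  fi
  actual=$(file_sha256 "$file") || return 2
  [ "$actual" = "$expected" ]
}

# Constructed demo: a 3-byte "download" whose SHA-256 is the well-known digest
# of "abc", and a sidecar in the grouped, uppercase layout some publishers use.
demo_run() {
  dir=$(mktemp -d) || return 2
  printf 'abc' > "$dir/example.zip"
  printf 'example.zip: BA7816BF 8F01CFEA 414140DE 5DAE2223\n             B00361A3 96177A9C B410FF61 F20015AD\n' \
    > "$dir/example.zip.sha256"
  expected=$(expected_from_sidecar "$dir/example.zip.sha256" "$dir/example.zip")
  rc=0
  if verify_sha256 "$dir/example.zip" "$expected"; then
    echo "OK: $(file_size "$dir/example.zip") bytes, digest matches published value"
  else
    echo "FAIL: pristine file did not verify"; rc=1
  fi
  printf 'd' >> "$dir/example.zip"        # simulate a corrupted or altered download
  if verify_sha256 "$dir/example.zip" "$expected"; then
    echo "FAIL: altered file still verified"; rc=1
  else
    echo "OK: altered file rejected"
  fi
  rm -rf "$dir"
  return $rc
}

case "${1:-}" in --demo) demo_run ;; esac
```

Run it as `sh check.sh --demo` to see both outcomes; in real use call `verify_sha256 download "$(expected_from_sidecar download.sha256 download)"` and treat anything other than exit status 0 as a stop signal. The sidecar must be fetched from the publisher's official site rather than the mirror that served the file, exactly as the ASF text above says.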

CHECKING SIGNATURES
The following example details how signature interaction works. The example is for the Apache HTTP Server project, but applies equally to other ASF projects.

In this example, you are already assumed to have downloaded httpd-2.0.44.tar.gz (the release) and httpd-2.0.44.tar.gz.asc (the detached signature).

This example uses The GNU Privacy Guard. Any OpenPGP-compliant program should work successfully.

First, we will check the detached signature (httpd-2.0.44.tar.gz.asc) against our release (httpd-2.0.44.tar.gz).

N.B. you must specify both the detached signature and the release file.
If the release file is omitted, GPG will only check the signature against the release file if the signature is a detached signature. If the .asc file is a self-contained signed file, GPG will only check that, and will not verify the release. (This should not happen if the signature file was downloaded from an ASF server, but it is safer to always specify the release filename)

% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Can't check signature: public key not found
This means that we don’t have the release manager’s public key (DE885DD3) in our local system. You now need to retrieve the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface). The public key servers are linked together, so you should be able to connect to any key server.

% gpg --keyserver pgpkeys.mit.edu --recv-key DE885DD3
gpg: requesting key DE885DD3 from HKP keyserver pgpkeys.mit.edu
gpg: trustdb created
gpg: key DE885DD3: public key "Sander Striker <striker@apache.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
In this example, you have now received a public key for an entity known as ‘Sander Striker <striker@apache.org>’. However, you have no way of verifying this key was created by the person known as Sander Striker. But, let’s try to verify the release signature again.

% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker <striker@apache.org>"
gpg: aka "Sander Striker <striker@striker.nl>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Fingerprint: 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
At this point, the signature is good, but we don’t trust this key. A good signature means that the file has not been tampered with. However, due to the nature of public key cryptography, you need to additionally verify that key DE885DD3 was created by the real Sander Striker.

Any attacker can create a public key and upload it to the public key servers. They can then create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would succeed because the key was not the ‘real’ key. Therefore, you need to validate the authenticity of this key.

VALIDATING AUTHENTICITY OF A KEY
You may download public keys for the Apache project developers from our website or retrieve them from the public PGP keyservers (see above). However, importing these keys is not enough to verify the integrity of the signatures. If a release verifies as good, you need to validate that the key was created by an official representative of the Apache HTTP Server Project.

The crucial step to validation is to confirm the key fingerprint of the public key.

% gpg --fingerprint DE885DD3
pub 1024D/DE885DD3 2002-04-10 Sander Striker <striker@apache.org>
Key fingerprint = 4C1E ADAD B4EF 5007 579C 919C 6635 B6C0 DE88 5DD3
uid Sander Striker <striker@striker.nl>
sub 2048g/532D14CA 2002-04-10
A good start to validating a key is by face-to-face communication with multiple government-issued photo identification confirmations. However, each person is free to have their own standards for determining the authenticity of a key. Some people are satisfied by reading the key signature over a telephone (voice verification). For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.

Most of the Apache HTTP Server developers have attempted to sign each others’ keys (usually with face-to-face validation). Therefore, in order to enter the web of trust, you should only need to validate one person in our web of trust. (Hint: all of our developers’ keys are in the KEYS file.)

For example, the following people have signed the public key for Sander Striker. If you verify any key on this list, you will have a trust path to the DE885DD3 key. If you verify a key that verifies one of the signatories for DE885DD3, then you will have a trust path. (So on, and so on.)

pub 1024D/DE885DD3 2002-04-10 Sander Striker <striker@apache.org>
sig E2226795 2002-05-01 Justin R. Erenkrantz
sig 3 DE885DD3 2002-04-10 Sander Striker
sig CD4DF205 2002-05-28 Wolfram Schlich
sig E005C9CB 2002-11-17 Greg Stein
sig CC8B0F7E 2002-11-18 Aaron Bannert
sig DFEAC4B9 2002-11-19 David N. Welton
sig 2 82AB7BD1 2002-11-17 Cliff Woolley
sig 2 13046155 2002-11-28 Thom May
sig 3 19311B00 2002-11-17 Chuck Murcko
sig 3 F894BE12 2002-11-17 Brian William Fitzpatrick
sig 3 5C1C3AD7 2002-11-18 David Reid
sig 3 E04F9A89 2002-11-18 Roy T. Fielding
sig 3 CC78C893 2002-11-19 Rich Bowen
sig 3 08C975E5 2002-11-21 Jim Jagielski
sig 3 F88341D9 2002-11-18 Lars Eilebrecht
sig 3 187BD68D 2002-11-21 Ben Hyde
sig 3 49A563D9 2002-11-23 Mark Cox
…more signatures redacted…
Since the developers are usually quite busy, you may not immediately find success in someone who is willing to meet face-to-face (they may not even respond to your emails because they are so busy!). If you do not have a developer nearby or have trouble locating a suitable person, please send an email to the address of the key you are attempting to verify. They may be able to find someone who will be willing to validate their key or arrange alternate mechanisms for validation.

Once you have entered the web of trust, you should see the following upon verifying the signature of a release.

% gpg --verify httpd-2.0.44.tar.gz.asc httpd-2.0.44.tar.gz
gpg: Signature made Sat Jan 18 07:21:28 2003 PST using DSA key ID DE885DD3
gpg: Good signature from "Sander Striker <striker@apache.org>"
gpg: aka "Sander Striker <striker@striker.nl>"
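The two steps the text keeps apart, "the signature is good" and "the key is the one we expect", as one added shell script. This is example code written for this page, not a script from the page's author or from the ASF, and it covers both the `gpg --verify example.zip.sig example.zip` step in the first list and the CHECKING SIGNATURES / VALIDATING AUTHENTICITY OF A KEY walkthrough above. It assumes GnuPG 2.1 or later (gpg and gpgconf) and a POSIX shell; it uses gpg's `--status-fd` machine-readable output and `--with-colons`, which are real GnuPG options but are not mentioned on the page. The function names key_fingerprint, verify_pinned, cleanup_home and signature_demo are chosen here, and the release-manager key, the release file and the signature are all generated inside a throwaway GNUPGHOME so nothing touches a real keyring. The fingerprint you pin in practice is the one you validated out of band (the KEYS file, the web of trust, or whatever standard the text describes), not one read from the same server as the signature.

```shell
#!/bin/sh
# Added example for this page: verify a detached OpenPGP signature AND require
# the signing key's fingerprint to match a pinned, out-of-band value.
# Not code from the page or the ASF. Assumes GnuPG 2.1+ (gpg, gpgconf) and POSIX sh.
# Everything runs in a temporary GNUPGHOME; the key and "release" are constructed.

# key_fingerprint HOME
# Fingerprint of the primary key in a keyring, from machine-readable output
# (the same value "gpg --fingerprint KEYID" prints, without the spaces).
key_fingerprint() {
  gpg --homedir "$1" --batch --with-colons --fingerprint 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_pinned HOME SIG FILE PINNED_FPR
# Succeeds only if gpg reports GOODSIG and the primary-key fingerprint carried
# in the VALIDSIG status line equals PINNED_FPR. A plain "gpg --verify" exits 0
# for a good signature from *any* imported key (the page's "good signature, but
# we don't trust this key" state); the pinned fingerprint is what turns
# "the file is intact" into "signed by the key we validated".
verify_pinned() {
  home=$1; sig=$2; file=$3; pinned=$4
  status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  # VALIDSIG: [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
  #           <pk-algo> <hash-algo> <class> <primary-key-fpr>; last field is the
  #           primary key, which is what a KEYS file or --fingerprint shows.
  fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
  [ -n "$fpr" ] && [ "$fpr" = "$pinned" ]
}

# Stop the agent started for the temporary home and remove the scratch dirs.
cleanup_home() {
  gpgconf --homedir "$1" --kill gpg-agent >/dev/null 2>&1
  rm -rf "$1" "$2"
}

# Constructed end-to-end demo. Returns 0 when all three checks behave,
# 1 when the verification logic misbehaves, 2 when the environment cannot
# generate or sign (no usable gpg-agent, for example).
signature_demo() {
  home=$(mktemp -d) || return 2
  work=$(mktemp -d) || return 2
  # Constructed release-manager key: no passphrase, never expires.
  gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Release Manager <rm@example.invalid>' default default never \
      >/dev/null 2>&1 || { cleanup_home "$home" "$work"; return 2; }
  printf 'constructed release bytes\n' > "$work/release.tar.gz"
  gpg --homedir "$home" --batch --yes --armor --detach-sign \
      --output "$work/release.tar.gz.asc" "$work/release.tar.gz" 2>/dev/null \
      || { cleanup_home "$home" "$work"; return 2; }
  pinned=$(key_fingerprint "$home")
  rc=0
  # 1. Good signature from the pinned key: accept.
  if verify_pinned "$home" "$work/release.tar.gz.asc" "$work/release.tar.gz" "$pinned"; then
    echo "OK: good signature from pinned key $pinned"
  else
    echo "FAIL: pristine release did not verify"; rc=1
  fi
  # 2. Same good signature, but we pinned a different fingerprint: reject.
  if verify_pinned "$home" "$work/release.tar.gz.asc" "$work/release.tar.gz" \
       "0000000000000000000000000000000000000000"; then
    echo "FAIL: accepted a signature from a key we did not pin"; rc=1
  else
    echo "OK: signature from an unpinned key rejected"
  fi
  # 3. Release altered after signing: reject (BADSIG, gpg exits non-zero).
  printf 'x' >> "$work/release.tar.gz"
  if verify_pinned "$home" "$work/release.tar.gz.asc" "$work/release.tar.gz" "$pinned"; then
    echo "FAIL: altered release still verified"; rc=1
  else
    echo "OK: altered release rejected"
  fi
  cleanup_home "$home" "$work"
  return $rc
}

case "${1:-}" in --demo) signature_demo ;; esac
```

Run it as `sh verify_sig.sh --demo`. For a real release, import the publisher's KEYS file into a dedicated homedir and call `verify_pinned "$HOME/.gnupg-releases" release.tar.gz.asc release.tar.gz <fingerprint you validated>`; the page's `gpg --fingerprint DE885DD3` output, with the spaces removed, is the form the function expects.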