
Verify SHA-256 checksum

To cut an almost-successful scam story short: do not trust what you see! It may look like a "legitimate" document from known sources. As a bare minimum, ask for data integrity verification using SHA-256 (the SHA-2 family member with a digest length of 256 bits). Data providers can easily generate and publish hashes without even thinking about GDPR. Let's step through a simple example.

First, generate some files with different content:

$ for i in {2345..2348}; do date +"%T.%6N" > bill_${i}.pdf; done

Then run sha256sum on everything:

$ sha256sum *
c46dd8a87ecabd1e2003d08bb7e0e8702e18767d6b126f4f00ff79b95cc73276  bill_2345.pdf
a1f0219644c86e4490a0a87b86a1717322dfb67c8148cc5205ca4ce8ac64b54e  bill_2346.pdf
3e8d7257bfa1ed995e2ceaf61404b7ab83ac978f62d0a8f09cb2e1b8ed35c181  bill_2347.pdf
6e1f15409e50c5c1253197971a1f04c01fe456a284f6d6c9e4f4a98e5044e2d7  bill_2348.pdf

And then let's generate the publicly shareable file (via the company webpage):

$ sha256sum * > january_bills.txt

Now we can distribute those files via a not-so-secure channel. If the user wants to check a file's authenticity, it's easy to do: hash the received file and compare the result with the published entry:

$ sha256sum bill_2345.pdf
c46dd8a87ecabd1e2003d08bb7e0e8702e18767d6b126f4f00ff79b95cc73276  bill_2345.pdf

If the file has been tampered with, the result is NOT what you published on your company webpage:

$ echo "tampering" >> bill_2345.pdf
$ sha256sum bill_2345.pdf
867b5be7d12023f2268f5c9124eb5a518852195019fd3f067322963724b1d5be  bill_2345.pdf
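
The comparison above is done by eye; the script below does the same check against january_bills.txt and also covers a file that was never in the published list. It is an added example, not part of the original post: the function names verify_bill, make_sample and check are hypothetical, the sample bills are constructed, and it assumes GNU sha256sum and file names without whitespace.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Assumes GNU sha256sum and file names without whitespace.
# verify_bill MANIFEST FILE
#   0 = digest matches the published entry
#   1 = digest differs (file altered, or not the published one)
#   2 = cannot verify (manifest/file missing, or file not listed)
verify_bill() {
    manifest=$1; file=$2
    [ -f "$manifest" ] && [ -f "$file" ] || return 2
    name=$(basename "$file")
    # Manifest lines: "<digest>  <name>" (or "<digest> *<name>", binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$manifest")
    # A file absent from the published list is unverified, never "OK".
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# Constructed sample data: two stand-in bills plus the manifest the sender
# would publish. Prints the temporary directory that holds them.
make_sample() {
    dir=$(mktemp -d) || return 1
    for i in 2345 2346; do
        printf 'constructed bill %s\n' "$i" > "$dir/bill_$i.pdf"
    done
    (cd "$dir" && sha256sum bill_2345.pdf bill_2346.pdf > january_bills.txt)
    printf '%s\n' "$dir"
}

# check DIR NAME: print a verdict and return verify_bill's status.
check() {
    rc=0
    verify_bill "$1/january_bills.txt" "$1/$2" || rc=$?
    case $rc in
        0) echo "$2: OK" ;;
        1) echo "$2: MISMATCH, do not trust this file" ;;
        *) echo "$2: NOT VERIFIABLE (missing or not in the published list)" ;;
    esac
    return "$rc"
}

sample=$(make_sample)
check "$sample" bill_2345.pdf || true              # untouched file
echo "tampering" >> "$sample/bill_2346.pdf"
check "$sample" bill_2346.pdf || true              # altered after publication
printf 'unlisted\n' > "$sample/bill_9999.pdf"
check "$sample" bill_9999.pdf || true              # never published
rm -rf "$sample"
```

GNU sha256sum can also do the comparison itself: `sha256sum -c january_bills.txt` re-hashes every listed file and reports each one as OK or FAILED.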