-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add doc to verify .NET download checksums (#8420)
* Add doc to verify .NET download checksums * Update Documentation/verifying-binaries.md Co-authored-by: Martin Costello <martin@martincostello.com> --------- Co-authored-by: Martin Costello <martin@martincostello.com>
- Loading branch information
1 parent
2fa55a9
commit ab1f94a
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| # How to verifying .NET downloads | ||
|
|
||
| After downloading a .NET file, verify it for security by calculating the file's checksum on your computer and comparing it to the original checksum. This will verify the file has not been tampered with or corrupted. | ||
|
|
||
| ## Examples | ||
|
|
||
| The verification process involves a few steps. | ||
|
|
||
| 1. Download the checksum file for the release into the same directory as the installer you downloaded. Links to the checksum file are found in the Release Notes. | ||
| 2. Then, compare the download checksum with the checksum value or file. If there is a match, the download is valid. | ||
|
|
||
| We'll use [.NET 7.0.5](https://github.com/dotnet/core/blob/main/release-notes/7.0/7.0.5/7.0.5.md) in the examples. | ||
|
|
||
| ### Linux and MacOS | ||
|
|
||
| #### To see the downloaded file checksum for comparison | ||
|
|
||
| `$ sha512sum dotnet-sdk-7.0.203-osx-x64.pkg` | ||
|
|
||
| You can then compare the checksum with the value provided after [downloading .NET](https://dot.net) | ||
|
|
||
| #### To compare against the checksum file provided for each .NET release | ||
|
|
||
| Download checksum file using curl: | ||
|
|
||
| ```bash | ||
| curl -O https://dotnetcli.blob.core.windows.net/dotnet/checksums/7.0.5-sha.txt | ||
|
|
||
| ``` | ||
|
|
||
| Verify the checksum matches: | ||
|
|
||
| ```bash | ||
| sha512sum -c 7.0.5-sha.txt --ignore-missing | ||
| ``` | ||
|
|
||
| If the output states the file is valid ('OK'), then it's ready to use. | ||
|
|
||
| ### Windows | ||
|
|
||
| #### To see the downloaded file checksum for comparison | ||
|
|
||
| - In the cmd prompt - `certutil -hashfile dotnet-sdk-7.0.203-win-x64.exe SHA512` | ||
| - In PowerShell - `(Get-FileHash 'dotnet-sdk-7.0.203-win-x64.exe' -Algorithm SHA512).Hash` | ||
|
|
||
| You can then compare the checksum with the value provided after [downloading .NET](https://dot.net) | ||
|
|
||
| #### To compare against the checksum file provided for each .NET release | ||
|
|
||
| You can use PowerShell to perform the the checksum comparison. | ||
|
|
||
| Download checksum file using `curl` (_`curl` is an alias of `Invoke-WebRequest`_): | ||
|
|
||
| ```powershell | ||
| curl https://dotnetcli.blob.core.windows.net/dotnet/checksums/7.0.5-sha.txt -OutFile 7.0.5-sha.txt | ||
| ``` | ||
|
|
||
| Verify the checksum matches: | ||
|
|
||
| ```powershell | ||
| (Get-Content .\7.0.5-sha.txt | Select-String "dotnet-sdk-7.0.203-win-x64.exe").ToString().Contains((Get-FileHash 'dotnet-sdk-7.0.203-win-x64.exe' -Algorithm SHA512).Hash.ToLower()) | ||
| ``` | ||
|
|
||
| If the output states the file is valid ('True'), then it's ready to use. |