Verifying SHA-256 sums


Why?

While all distribution channels support TLS encryption to protect the authenticity of the data in transit, it is good practice to also verify each download by its checksum.

Historically, the MD5 and SHA-1 hashing algorithms were commonly used for this. However, MD5 has been explicitly considered insecure for quite a while now, and SHA-1 has been deprecated as well due to possible collision and preimage attacks. This is why we choose SHA-256, which should remain adequate for quite a few years.

Under each release on the Download page you will find the full SHA-256 sum of the zip archive or tarball exactly as we distribute it. When you verify locally, your hash and the published hash should match. If they don't, your download has possibly been tampered with (or was corrupted in transit) and you should exercise caution.


How?

It is likely you already have the sha256sum binary in your distribution, as it is part of the GNU coreutils. If not, your distribution likely has a package for it. In Debian, the package is coreutils.

To verify, simply run sha256sum with the zip archive or tarball as its only argument. For example:

    $ sha256sum /usr/local/src/swiperproxy-v1.1.tar.gz

The first field of the output is the hash, followed by the file name. Compare this hash to the published hash for the release you downloaded and make sure they match.

See sha256sum --help or man sha256sum for more information.
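The comparison above is easy to get wrong by eye (a single transposed hex digit is hard to spot in 64 characters), so the check is better scripted. The following is an added example and not part of the SwiperProxy project: a small POSIX shell function that hashes the archive, normalises the case of the published hash (sites sometimes publish upper-case hex), compares the two, and returns a non-zero status on mismatch so it can be used in a download script. The file path, the hashes in the comments and the fallback to shasum on systems without coreutils are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not project code: verify a downloaded archive against the
# SHA-256 sum published on the Download page.
#
# Usage: verify_sha256 <file> <expected-hex-digest>
# Exit status: 0 when the sums match, 1 on mismatch or unreadable file.

# Print the SHA-256 hex digest of a file. Uses GNU sha256sum (coreutils)
# when present and falls back to shasum (assumed present on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {
    file="$1"
    expected="$2"

    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi

    # Published hashes may be upper case; sha256sum prints lower case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi

    echo "MISMATCH: $file" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Example invocation (constructed values: the hash below is for a file
# containing the text "hello" followed by a newline, not for any release):
#   printf 'hello\n' > /tmp/demo.tar.gz
#   verify_sha256 /tmp/demo.tar.gz \
#       5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
```

In a larger script you would abort the installation when verify_sha256 returns 1 rather than merely printing the mismatch. The same check can be delegated to the tool itself with `printf '%s  %s\n' "$hash" "$file" | sha256sum -c -`, which is GNU-specific. Note that a matching sum only proves you received the file whose sum was published; it relies on having read the published hash from the genuine Download page over TLS.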