Discover one of the most effective ways to check the integrity of signed executables downloaded from the internet. Learn how to check MD5 checksums and protect your device from harmful downloads
Infected executables are one of the most common malware file types chosen by attackers. These malicious files are often disguised as genuine software updates to trick you into downloading and running their harmful applications to wreak havoc on your device and cost a great deal to your organization. To give you a better idea, Sophos’ State of Ransomware 2021 report revealed that the average total cost of recovery from a ransomware attack went up from $761,106 in 2020 to $1.85 million in 2021.
In such a dangerous environment, checking that a downloaded file is authentic and hasn’t been modified has become crucial to the safety and security of your organization and its data.
In our first article of this series, you learned that checksums are special strings of data that can help you to truly accomplish this comparison and validation. You then learned how to check a file checksum to verify the integrity of a file. In this last article of the series, we’ll walk you through the process of generating an MD5 checksum to check the veracity of a signed executable’ signature.
Why Checking an Exe’s MD5 Checksum Matters, Even if the File Is Signed
Executables signed with a code signing certificate are already more secure than unsigned ones. However, in cybersecurity, you can never be too cautious. This is why, in addition to checking the code signing certificate, if a checksum is displayed alongside the .exe file, you should also compare it with the one you’ll generate after the download to check if they match.
How to Check MD5 Checksum of a Signed Executable in 5 Easy Steps
Even if you can always use a third-party software to generate MD5 checksums, using Window’s command prompt will avoid you the hassle of installing yet another specific tool. This process is easy, fast, and works like a charm.
1. Download the Signed Executable
To show you how to check the MD5 of a signed downloaded executable file, we’ll download the last version of KeePass installer for Windows. KeePass is a well-known free and open source password manager.
At the bottom of the download page, there’s a link that takes you to the signature and checksum details info that you’ll need in order to verify the executable’s integrity.
Image Source: KeePass’s Integrity page
2. Open the Windows Command Prompt Tool
Now that you have all the information, open the Window’s command prompt by clicking the Start button.
Type cmd in the run bar.
Select the Run as Administrator
3. Navigate to the Directory Where You Saved the .Exe
Use the cd (change directory) command to go to the folder where the downloaded KeePass-2.50-Setup.exe is saved.
4. Generate the MD5 Checksum Using the CertUtil Command
Type certUtil -hashfile followed by the filename (in this case, KeePass-2.50-Setup.exe) and MD5. It would look like this: certUtil -hashfile KeePass-2.50-Stepup.exe MD5.
Press Enter.
This will generate the following checksum:
5. Compare the Two Checksums
Check that the returned value of the checksum you generated matches with the original MD5 checksum displayed on the download webpage. If they match, the .exe has not been modified and you can install your KeePass without issues. If they don’t, there’s something wrong and you should be careful. The file may be infected, or something may have downloaded incorrectly. Regardless of the reason, you shouldn’t trust the file.
Let’s take a quick look at the two checksums for comparison:
Image caption: The KeePass-2.50-Setup.exe original checksum from KeePass’s official Integrity page.
How to Generate an MD5 Checksum Using Windows PowerShell
To make it even easier, if you have Windows 8.1 or Windows 10, you can also use PowerShell to generate your checksum as described below:
1. Download the Signed Executable
Let’s take the same .exe file as an example.
Image Source: KeePass Downloads Page
2. Open a PowerShell Window
In Windows 10, click on the search icon near the Start
Type powershell.
Select Run as Administrator.
Image Source: How to open a PowerShell window in Windows 10.
3. Generate the MD5 Checksum Using the Get-FileHash Command
Type Get-FileHash followed by the path where the downloaded .exe is located (which should start with a period) and –Algorithm MD5. The command will look like this: Get-FileHash .\Downloads\KeePass-2.50-Setup.exe –Algorithm MD5.
Press Enter.
This will generate the checksum.
4. Compare the Two Checksums
Now you’re ready to compare the generated MD5 checksum with the original one to ensure they match:
Image Source: KeePass’s original checksum from the Integrity page.
There we go — no sweat! You’ve learned two easy ways to generate an MD5 checksum of an executable with minimal effort.
Final Thoughts on How to Check an MD5 Checksum
I hope these three articles on checksums helped you to learn a new method to protect you and your organization from malware and installation errors. While organizations have already implemented good security practices, attackers continuously develop new ways to infiltrate genuine files with malicious codes.
Even if there’s no silver bullet in IT security, understanding how to protect your devices and data at the fullest extent and with the right tools can make a difference. Including checksums in your security best practices is a way to perform a more in-depth security check, helping you and your organization to mitigate risks and stay ahead of downloading threats.
Don’t take unnecessary risks — leverage the power of checksums to keep your organization and its data secure!
Code Signing Best Practices
Download thisCode Signing Best Practices guideto improve your software and supply chain security.
Help keep your end users safe from supply chain attacks.
Prove your software's authenticity using digital identity.
Protect your software's integrity by preventing alterations.
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Email Us
+1 (727) 291-0611
Chat Now
