verifying windows installers

[jojo69]

Can some one walk me through the procedure to verify the sha256sum of an installer in windows?

I looked back 4 pages here and worked through several search engine hits but did not find what I need.

Trying to get an offline signer set up.

thanks

[jojo69]

OK, I think I got it figured out, I will post it here as given recent events others may be doing this for the first time in many years.

>right click on the windows icon and choose "Windows PowerShell" from the drop

>at that prompt

Code:

Get-FileHash path to your file (eg;C:\Downloads\armory_0.96.5_win64.exe) -A SHA256

and press enter, this will return a long hex string

>compare this string to the one for your specific download in the file at https://github.com/goatpig/BitcoinArmory/releases/download/v0.96.5/sha256sum.txt.asc    it does not appear to be case sensitive, the power shell returns all caps, the string should match but the one in the signed file is lowercase letters.

>you can automate the comparison with a little more code

Code:

(Get-FileHash path to your file (eg;C:\Downloads\armory_0.96.5_win64.exe) -A SHA256).hash -eq "paste the hash here"

note that there do not seem to be context menus in the power shell, I was able to paste the string with Ctrl V however.  This should return "True" which in my case it did.

I think that's it, really simple.

If anyone has anything to add please do.

[bob123]

If anyone has anything to add please do.

You didn't verify the authenticity yet.

All you did was to compare that the hash of your downloaded file matches the hash posted on github.

What you additionally want to do is to verify that these are the correct hashes.
The file you have linked (sha256sum.txt.asc) is a signed file. You need to check that the signature matches goatpig's PGP key, which can for example be found on github.

Only after that signature matches, you can be sure that your downloaded file needs to have that hash to be the original file signed by goatpig.