- Download your artifact.
- Download the SHA sums for your artifact.
- Generate SHA sums for your downloaded artifact.
- Check that the SHA you generated appears in the SHA sums file next to your artifact's filename. If it does not, do not trust the download.
Let’s take Vagrant 1.6.5 as an example. Its SHA sums file, 1.6.5_SHA256SUMS, lists one digest per artifact:

a94a16b9ed...38f8d826c8 vagrant_1.6.5.dmg
d79b1408be...9ab3043e40 vagrant_1.6.5.msi
78cd956742...100aebb46c vagrant_1.6.5_i686.deb
997f69514d...84b85b07ac vagrant_1.6.5_i686.rpm
e2c7af6d03...c9fb96a122 vagrant_1.6.5_x86_64.deb
90730fd10c...f8399852df vagrant_1.6.5_x86_64.rpm
- Generate a SHA256 digest of vagrant_1.6.5.dmg:
openssl dgst -sha256 vagrant_1.6.5.dmg
The output will be something like:
- Grep for your generated SHA256 within the SHA sums file:
grep 'a94a16b9ed...38f8d826c8' 1.6.5_SHA256SUMS
If no match is found, the download is either corrupt or has been tampered with and should not be used. Keep in mind what this check does and does not prove: a SHA sums file fetched from the same place as the artifact only shows that the two files agree with each other, not who published them. Obtain the sums file over a channel you trust and, where the vendor signs it, verify that signature as well.
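The steps above as a single script, added here as an example and not part of the original page or of the Vagrant project. It computes the digest with `openssl dgst -sha256` as the page does (falling back to `sha256sum` or `shasum` if openssl is absent) and, instead of grepping for the digest alone, requires that the digest appear on the line that names the file being checked. The artifact, the sums file and the `0000…` placeholder digest for the .msi entry are constructed in a temporary directory; the real vagrant_1.6.5.dmg is not downloaded.

```shell
#!/bin/sh
# Added example: verify a download against a SHA256SUMS-style file.
# Both the digest AND the filename must match the artifact being checked.
set -eu

# Print the hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA256(path)= <hex>" (OpenSSL 3 prints "SHA2-256(path)= <hex>");
        # the digest is always the last field.
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact <file> <sumsfile>
#   returns 0 if <sumsfile> lists this file's basename with this file's digest
#   returns 1 if the basename is listed but the digest differs (corrupt or tampered)
#   returns 2 if the basename is not listed at all
verify_artifact() {
    file=$1; sums=$2
    name=$(basename "$file")
    # Accept both "<hex>  name" and the "<hex> *name" (binary-mode) layouts.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n {print $1}' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Build a constructed scenario and print the three verdicts as "good bad missing".
demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for the installer; NOT the real vagrant_1.6.5.dmg.
    printf 'not a real installer\n' > "$tmp/vagrant_1.6.5.dmg"
    # Constructed sums file in the same "<hex>  <filename>" layout as 1.6.5_SHA256SUMS.
    # The .msi digest is a placeholder, not a real value.
    {
        printf '%s  vagrant_1.6.5.dmg\n' "$(sha256_of "$tmp/vagrant_1.6.5.dmg")"
        printf '%s  vagrant_1.6.5.msi\n' \
            0000000000000000000000000000000000000000000000000000000000000000
    } > "$tmp/1.6.5_SHA256SUMS"

    good=0; verify_artifact "$tmp/vagrant_1.6.5.dmg" "$tmp/1.6.5_SHA256SUMS" >/dev/null 2>&1 || good=$?

    # Tamper with the artifact by one byte: the digest no longer matches.
    printf 'not a real installer!\n' > "$tmp/vagrant_1.6.5.dmg"
    bad=0; verify_artifact "$tmp/vagrant_1.6.5.dmg" "$tmp/1.6.5_SHA256SUMS" >/dev/null 2>&1 || bad=$?

    # A file the sums list does not mention at all.
    : > "$tmp/vagrant_1.6.5_x86_64.deb"
    missing=0; verify_artifact "$tmp/vagrant_1.6.5_x86_64.deb" "$tmp/1.6.5_SHA256SUMS" >/dev/null 2>&1 || missing=$?

    rm -rf "$tmp"
    echo "$good $bad $missing"
}

# Stand-alone run: prints "0 1 2" for the good, tampered and unlisted cases.
demo
```

For a real download, call `verify_artifact ./vagrant_1.6.5.dmg ./1.6.5_SHA256SUMS` and treat any non-zero exit as a failed check; the filename match is what stops a digest that happens to appear elsewhere in the sums file from passing the wrong artifact.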