9

What is the equivalent to sha256sum -c in Windows?

I have a set of very important files that I need to copy-to and mirror across many different types of disks in many geographically distinct locations. After relaying the contents to disk via USB, ethernet, fiber, radio, telegram, and signal fires (some of which are more reliable means of transmissions than others!), I want to check the integrity of the data written to disk.

In Debian Linux, file checksums are typically stored in a SHA256SUM "digest" file that's generated using the sha256sum command. It's trivial to use this command to generate this file with the recursive SHA256 checksums of all the files in the current directory and subdirectories. It's also very trivial for the user to use this command to verify the integrity of all the files, recursively. For example, consider this super-critical dataset of cat pictures

user@disp3274:~/Pictures$ tree
.
├── cats
│   ├── cat1.jpeg
│   ├── cat2.jpeg
│   └── cat3.jpeg
└── people
    ├── person1.jpeg
    └── person2.jpeg

2 directories, 5 files
user@disp3274:~/Pictures$ 

I can generate the checksum file as follows

user@disp3274:~/Pictures$ time sha256sum `find . -type f` > SHA256SUMS
real 0m0.010s
user 0m0.008s
sys 0m0.002s
user@disp3274:~/Pictures$
user@disp3274:~/Pictures$ cat SHA256SUMS 
b2d82e7b8dcbaef4d06466bee3486c12467ce5882e2eabe735319a90606f206a  ./people/person2.jpeg
e01f7b240f300ce629c07502639a670d9665e82df6cba9311b87ba3ad23c595d  ./people/person1.jpeg
53e056cc91fd4157880fb746255a2f621ebee8ca6351a659130d6228142c1e47  ./cats/cat1.jpeg
a0a73a21b9d26f1bbe4fcfce0acd21964dedf2dc247a5fe99bd9f304aa137379  ./cats/cat2.jpeg
a171fa88d431a531960b6eb312d964ed66cc35afd64bde5dda9b929ad83343f6  ./cats/cat3.jpeg
user@disp3274:~/Pictures$ 

And I can verify the integrity of all the files as follows

user@disp3274:~/Pictures$ time sha256sum -c SHA256SUMS 
./people/person2.jpeg: OK
./people/person1.jpeg: OK
./cats/cat1.jpeg: OK
./cats/cat2.jpeg: OK
./cats/cat3.jpeg: OK
real 0m0.009s
user 0m0.008s
sys 0m0.000s
user@disp3274:~/Pictures$ 

In Windows, what is the equivalent built-in tool for generating a SHA256SUMS (or similar digest file using another cryptographic hash function) and verifying the integrity of a set of files, recursively?

asked May 2, 2022 at 14:01
2

3 Answers

7

There is no direct equivalent of the SHA256SUMS tool but PowerShell can easily generate a (SHA256) hash of a file or files using the Get-FileHash cmdlet.

If you want to call Get-FileHash for files in a folder, you can combine it with Get-ChildItem, e.g. Get-ChildItem | Get-FileHash, or recursively: Get-ChildItem -Recurse | Get-FileHash

answered May 2, 2022 at 17:31

1 Comment

You've shown how to recursively generate hashes from a set of files, but how are you supposed to recursively verify the integrity of a set of files by checking if they match the aforementioned hashes stored to a digest file? Can you please provide an example execution for a directory tree with a few simple files?
4

You can create a sha256sums file with this command:

Get-ChildItem -Recurse -Exclude sha256sums |
    Get-FileHash -Algorithm SHA256 |
    % {$_.Hash + "  " + (Resolve-Path -Path $_.Path -Relative)} |
    Out-File -FilePath sha256sums -Encoding utf8NoBOM

The -Recurse is optional, omit it if you want to only read files in the current directory.

NB: I tested this on an older version of PS and I had to use -Encoding utf8 for Out-File, which includes the UTF8 BOM. For sha256sum compatibility I had to remove the BOM later using tail -c+4 - a full example will follow...


You can later check a sha256sums file using this command - I used Format-List to avoid line truncation...

Get-Content -Path sha256sums | % {
    $Hash, $_, $File = $_.Split(" ", 3)
    if ($Hash) {
        [PSCustomObject]@{
            Path   = $File
            Result = if ((Get-FileHash -Path $File -Algorithm SHA256).Hash -eq $Hash) { "OK" } else { "FAILED" }
        }
    }
} | Format-List

On Linux, you can use the standard sha256sum command - just make sure to strip the BOM if you couldn't use utf8NoBOM encoding, and replace the path separators of course. For example, if the checksum file has a BOM:

sha256sum -c <(tail -c+4 sha256sums |tr '\\' /)
answered Feb 13, 2024 at 14:22
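
A fuller verification pass in the style of sha256sum -c, as an added example (not code from any of the answers on this page). It assumes a digest file in the "hash, two characters, path" layout shown in the question; the function name Test-Sha256Sums and the sample files are made up for illustration. It reports missing and malformed entries separately and uses -LiteralPath so that file names containing brackets are not expanded as wildcards.

```powershell
# Added example: check every entry of a sha256sum-style digest file.
function Test-Sha256Sums {
    param([Parameter(Mandatory)][string]$DigestFile)
    foreach ($line in Get-Content -LiteralPath $DigestFile) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # "<64 hex><space><marker><path>"; marker is ' ' (text) or '*' (binary).
        if ($line -notmatch '^([0-9a-fA-F]{64}) [ *](.+)$') {
            [PSCustomObject]@{ Path = $line; Result = 'MALFORMED' }
            continue
        }
        $expected, $path = $Matches[1], $Matches[2]
        # -LiteralPath: names such as cat[2].txt must not be treated as patterns.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $result = if (-not $actual) {
            'FAILED open or read'          # missing or unreadable file
        } elseif ($actual -eq $expected) {
            'OK'                           # -eq ignores the case of the hex digits
        } else { 'FAILED' }
        [PSCustomObject]@{ Path = $path; Result = $result }
    }
}

# Constructed demo: two sample files in a temp directory, one altered after hashing.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("sumdemo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $demo 'cats') | Out-Null
Push-Location $demo
try {
    Set-Content -LiteralPath 'cats/cat1.txt' -Value 'meow'
    Set-Content -LiteralPath 'cats/cat[2].txt' -Value 'purr'
    # Collect the lines first so the digest file is not created while the tree is being walked.
    $lines = Get-ChildItem -Recurse -File | Get-FileHash -Algorithm SHA256 |
        ForEach-Object { $_.Hash.ToLower() + '  ' + (Resolve-Path -LiteralPath $_.Path -Relative) }
    Set-Content -LiteralPath 'SHA256SUMS' -Value $lines
    Add-Content -LiteralPath 'cats/cat1.txt' -Value 'tampered'   # simulate corruption
    $results = @(Test-Sha256Sums -DigestFile 'SHA256SUMS')
    $results | Format-Table -AutoSize
    # As with sha256sum -c, any entry that is not OK means the set did not verify.
    $bad = @($results | Where-Object { $_.Result -ne 'OK' })
    if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) entry(ies) did NOT verify" }
} finally {
    Pop-Location
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Relative paths in the digest file are resolved against the current directory, as sha256sum -c does, so run the check from the directory the digest was generated in.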

Comments

3

You can try certutil

certUtil -hashfile filename SHA256

More details in this article

I wrote this shell script to remove the noise in case anyone finds it useful:

@echo off
SetLocal EnableDelayedExpansion
set P="%1%"
if %P% == "-p" shift
if %P% == "-p" (
 echo:
 echo:sha256: %1%
 echo:
)
certutil -hashfile "%1%" sha256 | wsl -e head -n 2 | wsl -e tail -n 1
if %P% == "-p" (
 echo:
 echo:
 echo:
 pause
)

I created a shortcut in C:\Users\me\AppData\Roaming\Microsoft\Windows\SendTo with the target "C:\Programs\sha256.cmd -p" (the "-p" is to pause and allow me to see the value before the shell window disappears)

answered Aug 26, 2023 at 18:04

2 Comments

How can this be used recursively for a directory with thousands of files and sub directories with files? Can you please provide an example execution for a directory tree with a few simple files?
thank you, much easier than other options to remember.
