2.2 KiB
How to verifying .NET downloads
After downloading a .NET file, verify it for security by calculating the file's checksum on your computer and comparing it to the original checksum. This will verify the file has not been tampered with or corrupted.
Examples
The verification process involves a few steps.
- Download the checksum file for the release into the same directory as the installer you downloaded. Links to the checksum file are found in the Release Notes.
- Then, compare the download checksum with the checksum value or file. If there is a match, the download is valid.
We'll use .NET 7.0.5 in the examples.
Linux and MacOS
To see the downloaded file checksum for comparison
$ sha512sum dotnet-sdk-7.0.203-osx-x64.pkg
You can then compare the checksum with the value provided after downloading .NET
To compare against the checksum file provided for each .NET release
Download checksum file using curl:
curl -O https://dotnetcli.blob.core.windows.net/dotnet/checksums/7.0.5-sha.txt
Verify the checksum matches:
sha512sum -c 7.0.5-sha.txt --ignore-missing
If the output states the file is valid ('OK'), then it's ready to use.
Windows
To see the downloaded file checksum for comparison
- In the cmd prompt -
certutil -hashfile dotnet-sdk-7.0.203-win-x64.exe SHA512 - In PowerShell -
(Get-FileHash 'dotnet-sdk-7.0.203-win-x64.exe' -Algorithm SHA512).Hash
You can then compare the checksum with the value provided after downloading .NET
To compare against the checksum file provided for each .NET release
You can use PowerShell to perform the the checksum comparison.
Download checksum file using curl (curl is an alias of Invoke-WebRequest):
curl https://dotnetcli.blob.core.windows.net/dotnet/checksums/7.0.5-sha.txt -OutFile 7.0.5-sha.txt
Verify the checksum matches:
(Get-Content .\7.0.5-sha.txt | Select-String "dotnet-sdk-7.0.203-win-x64.exe").ToString().Contains((Get-FileHash 'dotnet-sdk-7.0.203-win-x64.exe' -Algorithm SHA512).Hash.ToLower())
If the output states the file is valid ('True'), then it's ready to use.