rhash

With shipping a software package outside of my company, I learned that there is a policy that requires to make sure the package is as we created it. When I asked on standard approach, I was told that it is not defined yet, so I should come with my own idea on how to make it happen.

So I started analysis of the options to create a checksum of the package. My idea was simple (ideally single executable) command-line program that can create the checksum in some standard format like Simple File Verification (SFV) and then check the files listed in it.

After some search I found rhash tool that covers all requirements above. It is also multi-platform and it is quite simple to use. To create the checksums run:

rhash --sha3-512 supplied-program.7z -o supplied-program.sha3

The generated .sha3 file contains the digest and filename like this:

40768bc9bbc62234e576854e04ad1fe9e3255d8ca78532c05a2838f51a9604cc294b8a185eca7f2c8cb49f2ea1dbd579357b49312f67e29dd52004bc24008ce1  supplied-program.7z

Checking is really simple:

rhash -c supplied-program.sha3

It produces output like this:

--( Verifying supplied-program.sha3 )-------------------------------------------
supplied-program.7z                             OK
--------------------------------------------------------------------------------
Everything OK

Such check is quite easy to put into a batch file and provide the customer with instructions on how to make sure that what they got is what we actually sent.