NCSCInukshuk

Welcome : Rob Hindle's Musings - Hash Check Described

Hash Checks Described

Why provide a Hash Check on a File?
You should expect proof that a file has not been tampered with and is what the author intended and provided. This is a reasonable expectation and can be met in many ways. Signing programs against a common trusted certificate is a similar, or replacement, strategy. In Windows PowerShell this corresponds to using an execution policy of AllSigned or RemoteSigned. The main difference between these approaches is whether some type of execution on the file is needed to find out. With a signed program, you check at execution time whether it is signed against something that you trust. With a hash check, once the file is downloaded it can be verified without ever starting execution of the file.

For my GIT projects I have decided to provide independent hash values located at two different locations using three different algorithms. While each file hash is a "fingerprint-like" value determined from the individual file, there is still mathematically the chance of a "hash collision" (see NOTE1 below). While a duplication of one fingerprint is possible, the chances become exponentially less through the provision of three different hash values. You will also note that I have provided hash values for non-executable files as well. In our growing environment of data-driven configurations it is becoming increasingly important to consider the contents of support files as part of the whole of what software will do and the integrity of the Computer Community capabilities.
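An added example (not the author's Hash Check tool or code from this page) of checking a downloaded file against hash sets published at two locations, without executing it. The page does not name its three algorithms, so SHA-256, SHA-512 and SHA3-256 are assumed here, and the function names and sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: stand-ins for the three algorithms, which the page does not name.
ALGORITHMS = ("sha256", "sha512", "sha3_256")

def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 16):
    """Read the file once and return {algorithm: hex digest}; nothing is executed."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(path, published_sets):
    """One {algorithm: hex} dict per location; returns problems, [] if all match."""
    actual = file_digests(path)
    problems = []
    for idx, published in enumerate(published_sets, start=1):
        for name in ALGORITHMS:
            expected = published.get(name)
            if expected is None:
                problems.append(f"location {idx}: no {name} value published")
            elif not hmac.compare_digest(expected.strip().lower(), actual[name]):
                problems.append(f"location {idx}: {name} mismatch")
    return problems

def demo():
    """Constructed sample: a small file plus hash sets as two locations would list them."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.cfg")
        with open(path, "wb") as fh:
            fh.write(b"setting=1\n")
        good = file_digests(path)
        clean = verify(path, [good, dict(good)])
        with open(path, "ab") as fh:  # file altered after the hashes were published
            fh.write(b"setting=2\n")
        tampered = verify(path, [good, dict(good)])
        # One location lists a value that disagrees with the other location.
        bad_location = dict(file_digests(path), sha512="0" * 128)
        split = verify(path, [file_digests(path), bad_location])
    return clean, tampered, split

if __name__ == "__main__":
    for result in demo():
        print(result or "all published hashes match")
```

A missing value is reported as a problem rather than skipped, so a file only passes when every algorithm at every location agrees.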

Microsoft is one of the few major software suppliers that provides a hash value check for downloads. I note that typically these hash values are only for the .MSI download and not the expanded list of processed, replaced, updated or deleted files contained within the .MSI after processing. A US DoD study to confirm the software used by the US military found that fewer than XX% (I think I remember only 30%) of commercial products and software vendors provide hash check values in order to confirm downloads. Many more provide signed code, which gives similar information.

Having, managing and maintaining hash profiles of all executables on a machine is a key part of any WhiteListing process. At the executable level this typically uses just one hash algorithm, for speed (calculation and reference checking) and storage reasons. It is the WhiteListing concept of operating a Computer Community that ties the Hash Check tool into any secure or DevSecOps integration. Running a hash check profile against incoming files and against new development builds, and propagating the Hash Check profiles in Continuous Integration and Continuous Deployment (CI/CD) environments, means that any working WhiteList system can be maintained and confirmed even in near real-time. Tying a Hash Check profile to a Change Management / Release Management / Deployment Management transaction (either bringing in new software and files or taking out old software and files) provides a highly exact matching and inventory capability for any organization.

NOTE1: In performing a WhiteList profile of the files associated with W10 and W2016 I note that there are about 3 duplicate hash values for different programs within the set. What we think of as a Non-Probability in real life ends up happening more often than we would wish. We need to expect this unexpected and recognize it as reality.