Verify file integrity with Sigcheck: a complete step-by-step guide

Last update: 19/09/2025
Author Isaac
  • Sigcheck verifies signatures, hashes, and reputation against VirusTotal to secure files.
  • SHA-256 is the recommended standard; use GPG to validate packages with .sig.
  • Windows and Linux include native utilities for calculating and comparing hashes.
  • GUI tools like QuickHash or HashMyFiles make bulk checks easy.

File integrity is the fine line between a reliable download and a serious problem on your computer. Checking it with appropriate tools like Sigcheck makes the difference between installing with peace of mind and playing Russian roulette with the software. In this article, you'll see in detail how to use Sigcheck, hashes and signatures to make sure that what you have on disk is exactly what it should be.

In addition to Sigcheck, we will review hash functions (MD5, SHA-1, SHA-2, SHA-3, BLAKE2/3), how to compute them on Windows and Linux without installing anything, how to validate checksum lists, and how to rely on VirusTotal and PGP signatures when the file comes with a .sig or your package manager expects one. Everything is explained with a practical approach, step by step and with commands ready to copy.

What is Sigcheck and why is it a good idea to have it handy?

Sigcheck is a command-line utility from Sysinternals (Microsoft) that displays the version, timestamp, digital signature, and certificate chain of files; it can also query a file's malware status on VirusTotal, even uploading samples if they are not already there. In other words, it tells you whether an executable is signed and trusted, and whether its hash has been detected by antivirus engines.

Among its virtues, it can list certificates from system stores, check revocations (or disable the check on demand), and recursively traverse directories to hunt for unsigned binaries. In a real-world scenario, you'll use it to find unsigned files in System32, verify chain expiration dates and obtain hashes to compare with official sources.

Using Sigcheck on Windows

Essential syntax and key options of Sigcheck

The executable accepts several combinations, starting with the general syntax: sigcheck [options]. Below are the most useful flags for everyday use, all of them designed to audit the signatures, hashes, and reputation of files.

Featured options for output and detail:

  • -a: Displays extended version information, with entropy measure (bits per byte) of the content.
  • -h: prints hashes of the file.
  • -i: shows the catalogue and the chain of signatures.
  • -m: dumps the manifest.
  • -n: outputs only the version number.
  • -c/-ct: comma- or tab-separated CSV output to automate reports.

Options for path and format:

  • -s: traverses subdirectories.
  • -e: examines only executable images (ignores the extension).
  • -l: follows symbolic links and junctions.
  • -nobanner: hides the startup banner; ideal in silent scripts.

Integration with VirusTotal:

  • -vt: accepts the VirusTotal Terms of Use (required before querying).
  • -v[rs]: Query reputation by hash; add "r" to open reports with detection and "s" to upload unanalyzed files.
  • -u: If VirusTotal is enabled, it shows unknown or detected; if not, it shows only unsigned files.
  • -o: Performs VT searches using hashes previously captured in a Sigcheck CSV (offline-friendly mode).
Certificates and revocation:

  • -t[u][v]: dumps the contents of a certificate store; with -tu you query the user store, and with -tv you filter by Microsoft's roots of trust.
  • -r: Disables revocation checking (use wisely).
  • -p: Validates against a specific signing policy (by GUID), useful in corporate environments.

Other useful features:

  • -d: dumps contents of a catalog file.
  • -f: Searches for signatures in a specified catalog file.

Classic usage example for hunting unsigned binaries in System32:

sigcheck -u -e C:\Windows\System32

From that list, calmly investigate the purpose of each unsigned item before making decisions.

Checking integrity and reputation with Sigcheck in practice

If you want to combine signatures and AV reputation, first accept the VT terms and run a query with sample upload if necessary. This allows you to cross-reference local cryptographic integrity with the collective intelligence of dozens of engines.

Suggested sequence for VT reputation:

  1. Accept terms: sigcheck -vt <file>
  2. Check and open positive reports: sigcheck -vrs <file>
  3. Filter unknowns/positives in a tree: sigcheck -u -s -v <folder>

This way you can quickly detect problematic executables, reinforcing the verification of integrity and provenance.

For mass audits, it is advisable to export to CSV and work with spreadsheets or a SIEM. With -h you get hashes and with -ct you get tab-separated output that is easy to parse: sigcheck -h -ct -s C:\Rutas\De\Interes > inventario.tsv. Afterwards, you can use -o on that CSV/TSV to run the VT queries once you have network access again.

Hash functions: what they are, which ones to use, and why they matter

A hash is equivalent to the fingerprint of a file: if you change a single bit, its resulting value is completely different. That's why they're widely used to verify whether a download is identical to the original or to ensure that a forensic disk remains intact.

Classical algorithms and practical impact:

  • MD5: very fast and widespread in its day, but with collisions; it is not safe for adversarial integrity. However, it is still present in internal workflows where speed is paramount and the risk is low.
  • SHA-1: also has collision problems; best avoided for new uses.
  • SHA-2 (224/256/384/512): Current standard for integrity and authentication; SHA-256 is the all-purpose choice recommended by vendors and distributions.
  • SHA-3: Modern NIST-approved alternative, with output lengths equivalent to SHA-2.
  • BLAKE2/BLAKE3: very fast and safe; useful when you need high performance for large volumes.

Remember that hash functions are one-way: storing passwords as hashes requires specific schemes (e.g., bcrypt or Argon2), not a fast hash like unhardened SHA-256.

Verify on Windows without installing anything: PowerShell and Certutil

Windows comes with built-in tools that solve most cases. With PowerShell you can get the hash in a second and compare it with the one published by the provider, which allows rapid validation before installing.

PowerShell:

Get-FileHash "C:\Ruta\archivo.ext" -Algorithm SHA256

Compare the result with the official hash; if it matches, the download has not been altered. You can change SHA256 to SHA1, SHA384 or SHA512 depending on what the site publishes.

Certutil (Command Prompt or PowerShell):

certutil -hashfile "C:\Ruta\archivo.ext" SHA256

It's great for scripting and batch checking; match the algorithm to the one the vendor declares on its website.

Verification in Linux: cksum, md5sum, sha256sum and list validation

In GNU/Linux, you have standard sums in coreutils. For internal integrity, you can use cksum (CRC32), and for real security, sha256sum/sha512sum. The mechanics are identical: you compute locally and compare with the published hash.

Basic commands:

  • Quick CRC32: cksum archivo
  • MD5: md5sum archivo
  • SHA-256: sha256sum archivo

The alternatives sha1sum, sha224sum, sha384sum and sha512sum work the same way; choose the algorithm indicated by the source.
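The compute-and-compare step against a published list, as an added example that is not part of the original article. The function name verify_download, the list name SHA256SUMS and the demo file are assumptions made for illustration; the demo data is constructed.

```shell
#!/bin/sh
# verify_download FILE SUMS
#   0 = hash matches the entry in SUMS      1 = hash differs (corrupt or altered)
#   2 = FILE does not exist                 3 = FILE has no entry in SUMS
verify_download() {
    file=$1
    sums=$2
    [ -f "$file" ] || return 2
    name=$(basename "$file")
    # List lines look like "<hex>  <name>" (text) or "<hex> *<name>" (binary mode).
    # Assumption: file names contain no spaces.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 3
    # Compute the local hash and keep only the hex digest.
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Constructed demo: SHA256SUMS stands in for the list published by the source.
demo=$(mktemp -d)
printf 'installer payload v1\n' > "$demo/setup.bin"
( cd "$demo" && sha256sum setup.bin > SHA256SUMS )

verify_download "$demo/setup.bin" "$demo/SHA256SUMS" && echo "setup.bin: matches published hash"

# Simulate corruption or tampering after the list was published.
printf 'x' >> "$demo/setup.bin"
verify_download "$demo/setup.bin" "$demo/SHA256SUMS" || echo "setup.bin: verification failed (code $?)"

rm -rf "$demo"
```

A file that is missing from the list returns 3 rather than passing silently, which matters when a list covers several downloads.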

Checksum lists: When you have a lot of files, it is more convenient to work with .sfv/.md5 lists and similar. To validate them you can use cksfv or cfv, two very useful terminal tools.

Examples with lists:

  • Install cksfv: sudo apt install cksfv
  • Check a list: cksfv -g /ruta/lista.sfv
  • Create new list: cksfv fichero1 fichero2 > listado.sfv

With cfv you get extensive format support (.sfv, .md5, .par2, .crc, sha1sum, md5sum…):

  • Install: sudo apt install cfv
  • Check: cfv -f /ruta/test.sfv
  • Create: cfv -C -flista.sfv -tsfv documento.pdf documento2.jpg
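The same create-then-check cycle, done with sha256sum from coreutils instead of cksfv or cfv, as an added example that is not part of the original article. The function names make_manifest and changed_files are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# make_manifest DIR MANIFEST
#   Record the SHA-256 of every regular file under DIR.
#   Keep MANIFEST outside DIR so the list does not hash itself.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# changed_files DIR MANIFEST
#   Print every listed file that no longer matches (modified or deleted),
#   one per line. Prints nothing when the tree is intact.
#   Files added after the manifest was made are not reported.
changed_files() {
    # LC_ALL=C keeps the "OK"/"FAILED" status words untranslated.
    ( cd "$1" && LC_ALL=C sha256sum -c 2>/dev/null ) < "$2" |
        awk -F': ' '$NF != "OK" { print $1 }'
}

# Constructed demo tree.
tree=$(mktemp -d)
manifest=$(mktemp)
printf 'quarterly report\n' > "$tree/documento.pdf"
mkdir "$tree/img"
printf 'photo bytes\n' > "$tree/img/documento2.jpg"

make_manifest "$tree" "$manifest"
echo "entries recorded: $(wc -l < "$manifest")"

# Modify one file after the manifest was taken, then re-check the tree.
printf 'edited\n' >> "$tree/documento.pdf"
echo "changed since manifest:"
changed_files "$tree" "$manifest"

rm -rf "$tree" "$manifest"
```

Store the manifest where the audited files cannot be rewritten together with it; a manifest that an attacker can regenerate proves nothing.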

PGP signatures and .sig files: the case of .tar.zst.sig packages

If you download a package with a .sig file attached (typical in distributions like Arch), the verification is no longer a simple hash, but a cryptographic signature with OpenPGP. The goal here is to confirm that the file was signed with the maintainer's key and that it has not been tampered with.

How to manually verify with GnuPG:

  1. Import the maintainer's public key or sync your distro's keyring.
  2. Run: gpg --verify paquete.tar.zst.sig paquete.tar.zst

If GnuPG indicates a valid signature and the key belongs to the trusted developer, integrity and authorship are guaranteed. On Arch, pacman and makepkg automate this using pacman-key; manually, the process is identical: validate that the PGP signature matches the downloaded file.

Compare files to each other: Is this copy identical to the original?

To verify that a copied file is faithful to the original, calculate the hash of both and compare them. If the values match, the copy is bit-for-bit identical. If they differ, something changed along the way (damage, truncation, editing…).

Quick example:

  • Original: sha256sum documento.bin
  • Copy: sha256sum documento_copia.bin

By comparing them you get the certainty that the process (transfer, storage, compression) has preserved the integrity.

Free graphical tools for all kinds of flows

If you prefer a user-friendly interface, there are very efficient and lightweight utilities. Several work on Windows, Linux, and macOS, with support for multiple algorithms and extra features like comparing folders, checking catalogs, or generating lists.

Recommended selection:

  • QuickHash (Win/Linux/macOS): Open source, clear GUI, supports MD5, SHA-1/2/3, xxHash, BLAKE2/3; includes modules for text, single file, multiple files, verified copy, comparing two files/folders, and disk hash.
  • HashMyFiles (Windows, portable): generates hashes in bulk (SHA*, CRC32, MD5), integrates into the context menu and works with drag and drop.
  • MultiHasher (Windows): Hashes for folders and subfolders; supports CRC32, MD5, RIPEMD-160, SHA-1/256/384/512.
  • MD5 & SHA Checksum Utility (Windows): Get and verify MD5, SHA-1, SHA-256, SHA-512, export to CSV/HTML/TXT.

More interesting options:

  • HashCalc: Calculates hashes, checksums, and HMACs; supports multiple algorithms and large sizes.
  • MD5 Hash Check: compares values and integrates into the context menu; supports a wide range of algorithms.
  • Hasher Lite: Simple, drag & drop, processes up to 100 files per batch in its free version.
  • DeadHash: Supports MD4, MD5, SHA-1/224/256/384/512, RIPEMD160, CRC32; ideal for quick checks.
  • Hash Generator: generates hashes from the MD2/3/4/5, CRC32, Whirlpool, RIPEMD and HAVAL families; useful for basic integrity.
  • FCIV (File Checksum Integrity Verifier): Classic Microsoft tool for MD5/SHA-1/256.
  • Checksum Control: open source and cross-platform (Win/macOS/Linux) for MD5 and SHA-1.

HashCheck on Windows: Explorer integration

HashCheck adds a "Checksum" tab to file properties in Windows, displaying CRC-32, MD4, MD5, and SHA-1 values. From there, you can save a checksum file, and when you open it later, the program will tell you if the file has been modified since you generated the hash.

Typical flow:

  1. File Properties > Checksum tab > Save List.
  2. You edit the file (or replace it) and reopen the list.
  3. HashCheck marks discrepancies in red (incorrect) if it detects changes. This is a very convenient way to audit complete folders with a single control file.

Beyond Integrity: When and Why to Use Each Approach

Use hashes when your source publishes the expected value; you just need to recalculate locally and compare. Use PGP signatures when the distribution or project publishes .sig files or maintainer public keys. If you suspect an executable, combine digital signature + VirusTotal to build reputation and trust.

Other real-world applications of hashes:

  • Verify forensic chains of custody and evidence.
  • Detect duplicate files (same hash, same content) and save space.
  • Message and document security with digital signatures (the hash is signed with the private key).
  • Malware detection through signature databases (known hashes of threats).

Risks, collisions and good practices

Although MD5 and SHA-1 have shown collisions, using SHA-256/512 or SHA-3 gets you out of that gray area. For passwords, avoid fast hashes and use algorithms that slow derivation (bcrypt, scrypt, Argon2). Always check via HTTPS and from official sources to avoid manipulated hashes on fraudulent sites.

If you need performance, BLAKE2/BLAKE3 are excellent, and in forensic investigations MD5+SHA-1 is sometimes calculated for speed and compatibility with legacy tools, even knowing their cryptographic limits.