Verifying Downloads with SHA-1 Hashes

To verify your copy of Metasploit Pro, Rapid7 provides a SHA-1 hash and PGP signature keys. Using the SHA-1 hash will determine if the file was corrupted or modified during download. If the SHA-1 hash of the file does not match the SHA-1 hash Rapid7 has provided, do not run the installer and let us know that there is an issue with the file.

Verify SHA-1 on Windows

You can use checksums to verify your downloaded file is identical to the original. You can use the built-in Windows utility for generating checksums or you can use a third-party utility.

Requirements

To verify the SHA-1 hash for a file on Windows, install a program that computes cryptographic SHA-1 hash values of files.

The following instructions are for FCIV. If you've opted for a different hash verification program, you will need to visit its documentation.

Using FCIV to Verify SHA-1

In a terminal type fciv.exe -sha1 <filename>

Example: fciv.exe -sha1 /Users/tperry/Downloads/metasploit-latest-windows-x64-installer.exe The hash is returned as hash and filename.

Example: 055478b3ed2c99237f051862b8cb56b79b915038 metasploit-latest-windows-x64-installer.exe

Compare the returned hash to the one provided in the Metasploit Pro download.

Verifying SHA-1 on Linux

You can use the built-in program sha1sum to verify that your downloaded file is identical to the original.

Requirements

Sha1sum is automatically included as part of Linux installs.

Using sha1sum to Verify SHA-1

In the terminal type shasum <filename>.

Example: shasum metasploit-latest-linux-x64-installer.run

The hash is returned as hash and filename. Example: 4d4daa59f581fba5d23a17190f6dad5b2b6d89d8 metasploit-latest-linux-x64-installer.run

Compare the returned hash to the one provided in the Metasploit Pro download.

Resources

Download Metasploit ProDownload FCIV for Windows