Verifying Downloads with SHA-1 Hashes
To verify your copy of Metasploit Pro, Rapid7 provides a SHA-1 hash and PGP signature keys. Using the SHA-1 hash will determine if the file was corrupted or modified during download. If the SHA-1 hash of the file does not match the SHA-1 hash Rapid7 has provided, do not run the installer and let us know that there is an issue with the file.
Verify SHA-1 on Windows
You can use checksums to verify your downloaded file is identical to the original. You can use the built-in Windows utility for generating checksums or you can use a third-party utility.
Requirements
To verify the SHA-1 hash for a file on Windows, install a program that computes cryptographic SHA-1 hash values of files.
The following instructions are for FCIV. If you've opted for a different hash verification program, you will need to visit its documentation.
Using FCIV to Verify SHA-1
In a terminal type fciv.exe -sha1 <filename>
Example: fciv.exe -sha1 /Users/tperry/Downloads/metasploit-latest-windows-x64-installer.exe
The hash is returned as hash and filename.
Example: 055478b3ed2c99237f051862b8cb56b79b915038 metasploit-latest-windows-x64-installer.exe
Compare the returned hash to the one provided in the Metasploit Pro download.
Verifying SHA-1 on Linux
You can use the built-in program sha1sum to verify that your downloaded file is identical to the original.
Requirements
Sha1sum is automatically included as part of Linux installs.
Using sha1sum to Verify SHA-1
In the terminal type shasum <filename>.
Example: shasum metasploit-latest-linux-x64-installer.run
The hash is returned as hash and filename.
Example: 4d4daa59f581fba5d23a17190f6dad5b2b6d89d8 metasploit-latest-linux-x64-installer.run
Compare the returned hash to the one provided in the Metasploit Pro download.