How can I compare a file's SHA256 hash in PowerShell to a known value?

Question

If I've downloaded a file with a known SHA256 hash, how can I use PowerShell to check that the file matches the expected hash?

Answer 1

I use this command in Powershell:

(Get-Content -Delimiter " " -Head 1 .\myApp.exe.sha256).trim() -eq (Get-FileHash .\myApp.exe).Hash.toLower()

I must use this because my sha256 file contains hash and filename separated by space.

Answer 2

How about:

Compare-Object -ReferenceObject (Get-Content -Path <path/to/hash-file>) -DifferenceObject (Get-FileHash <path/to/test-file> -Algorithm SHA512).Hash.ToLower()

Where <path/to/hash-file> should be replaced with the path to a file containing the expected hash and <path/to/test-file> should be replaced with the file to test the hash against.

Answer 3

The Get-FileHash cmdlet computes hashes for files, and SHA256 is its default hash algorithm.

To compute the hash of a file:

Get-FileHash .\path\to\foo.zip

This produces something like:

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          15DC0502666851226F1D9C0FE352CCAF0FFDEFF2350B6D2D08A90FCD1F610A10       C:\Users\me\path\to\foo.zip

To compare to the known value, extract the computed hash value alone from the output of Get-FileHash, then compare it to the expected value as a (quoted) string literal. Conveniently this comparison appears to be case-insensitive

(Get-FileHash .\path\to\foo.zip).Hash -eq "15dc0502666851226f1d9c0fe352ccaf0ffdeff2350b6d2d08a90fcd1f610a10"

True

...or if you've got the expected hash in a file, say expected-hash.sha256

(Get-FileHash '.\path\to\foo.zip').Hash -eq (Get-Content .\expected-hash.sha256)

True