Windows

    On Windows, you can open up a command prompt and use the certUtil command.  

Usage: certUtil -hashfile <filepath> SHA256

C:\Users\turtleflax>certUtil -hashfile "C:\Users\turtleflax\Downloads\pivx-3.0.6-win64-setup-unsigned.exe" SHA256
SHA256 hash of C:\Users\turtleflax\Downloads\pivx-3.0.6-win64-setup-unsigned.exe:
2ae1e5f9e6b7ca6119891fd09713b3fca53d52f4c36bb84b4528a4b9440b88ec
CertUtil: -hashfile command completed successfully.



Mac

    On Mac, you can open a terminal window and use the openssl command.

Usage: openssl sha -sha256 <filepath>

openssl sha -sha256 pivx-3.0.6-osx-unsigned.dmg




Linux

    On linux, you can open a terminal window and use the sha256sum command.

Usage: sha256sum <filepath>

pi@barry:~$ sha256sum ~/Downloads/pivx-3.0.6-x86_64-linux-gnu.tar.gz
1b987933112560641ac3d8f9b56509ae5dcfc2df2179a1a07b6c9535744d8e58  pivx-3.0.6-x86_64-linux-gnu.tar.gz





Why would I want to do this process?


   PIVX Core releases are posted to github with their SHA256 checksum values in a file called SHA256SUMS.asc.  You can open this file in notepad or any other text editor to view the contents.  You will see that it is a PGP signed message with a SHA256 value for each associated binary file with that PIVX Core version.  The purpose of the SHA256 value is to confirm that the file you downloaded matches the official github release file exactly.  If it does not, it could indicate a download problem or MITM (Man in the Middle) attack.  


Here is an example SHA256SUMS.asc file from the v3.0.6 release:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

141be1f2305dc133cb96f6fe7122f53be99f1bb6ed88a8f36199ab3e436d1f2e  pivx-3.0.6-aarch64-linux-gnu.tar.gz
46e157d13a3718868732e6c86110d699c6fc8b9087b08774611240700a5718bb  pivx-3.0.6-arm-linux-gnueabihf.tar.gz
f49d4f3140b7231539a40b2704487940f2520654b48684eaef50cc52d56fda68  pivx-3.0.6-i686-pc-linux-gnu.tar.gz
80677ac9c9c6b0656fd9c6c8958d5e00518ab2f3fb4baddf024d7ea11b16df5b  pivx-3.0.6-osx64.tar.gz
5eedaa29157f586ea28f0b558ff526bae6d164a5cafacb4f65f871625d8249d5  pivx-3.0.6-osx-unsigned.dmg
87fafd709e602537c4e9d4f02b397181c82e260d967fa4d50fb0813d30117bc0  pivx-3.0.6.tar.gz
a1e58750b217ab8a1ca12e2f157c92de652c664221f79731453540c3a9a175b1  pivx-3.0.6-win32-setup-unsigned.exe
970e08bf934daf00612b3bb53c71b063bbc952a9b9f26f7f813307f00fcb4e71  pivx-3.0.6-win32.zip
2ae1e5f9e6b7ca6119891fd09713b3fca53d52f4c36bb84b4528a4b9440b88ec  pivx-3.0.6-win64-setup-unsigned.exe
f113435a0e514bf3d8ac7a0186d9013a5dbfe95fe2000111b8a03abb508f8870  pivx-3.0.6-win64.zip
1b987933112560641ac3d8f9b56509ae5dcfc2df2179a1a07b6c9535744d8e58  pivx-3.0.6-x86_64-linux-gnu.tar.gz
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCAAGBQJaH52hAAoJEDvc2i2HqIHZfU0P/jHiqzOoZra2hDaqW/jnLTH9
/BNmeDxd4B1/zpYo/uHS/xML+IKuscp/VPWxJ9AYVX19FP7SZo4HLfjHfmEBggGO
weqNxHmK7Etik3kOqx6d+cTXG/7OLz2EPMEuJgrR1byfgg51j1eGTQ5jGnOSI/VU
NuG1CXr5CfUBJm8fxFqoQ+yb9nmkhqmNA0mbJyczg5q8bZcabUj1eviI9GVJB9Ck
5nncL74bK0Qthj15nfPhcRT8Du79m7QZ5vmR1uZDBWlxad36HGQ+wbd2w4A3U8gp
TM7tIiHpYKYSD1SmE0rz6OYkZJGYbV2dj0CEIBNJudYlSB72BFwgDFsW0b9LGuKn
VzqHUFSXgSykTjIQH12F57oe8sdLvtnIoX5CFSrHwNF5Q/8gJimGKyumg3u1TPYx
owq5WSeBxZOmSXasX1kR6zelBMulF5fKpzQU1jBPLhiRzp9Q+JWsyBET+69fj74f
IwOqEVKfAGSzTmcZvqA+Sf4yJAf7ijmxBrqYqgBbW+0av20sbheqUI7wCavRTa4y
Gyie85fvc6gVA58LaNbNdD2ZJoGSjf9lJdIKgMCnOFJXuocX6xsA4bY1rtjwKXRC
9xr4m9+mI8IM5vHvj1MSEPCWK3bDaoFRH8vFMbThNr7/e5EJ1LGo5cKQ5UQqR/cn
skuiUEGo+W6OBYP1RgRw
=3YAP
-----END PGP SIGNATURE-----



    Please note, checksums do not rule out a Github level breach because the attacker could have replaced both the binaries and SHA256 file. That is where the PGP signature comes in.  You can use the developers public keys to confirm that the SHA256 file was signed with their private key.