
C# Should I use CertUtil to compute hash of a zip file


Answer might be a bit opinion-based but really important to me as I am pretty sure that certutil is accurate. Not sure for the C# MD5 class.

I have a zip file and to verify if it's correct, I want to find its MD5 hash value. This is to then extract the zip file and use its contents in my C# .Net Framework 4.8 console application.

I have currently asked clients (each client has my men appointed for tech support) to use the CertUtil -hashfile command to get the hash and verify it, but now, I guess due to the increase in clients, I must automate it in my app and give some relief to my men.

I am confused: should I use CertUtil and get the output in a C# string using Process.Start(), or should I use the .NET Framework's MD5 class?

The C# app is deployed only on Windows 10 and I have administrative access to it, so not finding certutil isn't an excuse.

Using CertUtil it will be something like this:

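    // Requires: using System; using System.Diagnostics; using System.IO; using System.Text.Json;
    public static bool check_correct_installation()
    {
        var md5Checksum = "";
        var startInfo = new ProcessStartInfo
        {
            WindowStyle = ProcessWindowStyle.Hidden,
            FileName = "cmd.exe",
            Arguments = $"/C  CertUtil -hashfile \"{HolocronFolders["Root"]}\" MD5 | find /i /v \"md5\" | find /i /v \"certutil\"",
            UseShellExecute = false,        // required for output redirection
            RedirectStandardOutput = true,  // without this OutputDataReceived never fires
            CreateNoWindow = true,
        };
        using var process = new Process {StartInfo = startInfo};
        // e.Data is null at end of stream; keep the last non-empty line (the hash).
        process.OutputDataReceived += (sender, e) =>
        {
            if (!string.IsNullOrWhiteSpace(e.Data)) md5Checksum = e.Data;
        };
        process.Start();
        process.BeginOutputReadLine();
        process.WaitForExit();  // also waits until the redirected output has been read

        var fileToRead = $"{HolocronFolders["Council"]}\\force.sith";
        if (!File.Exists(fileToRead)) return false;
        var sithForce = JsonSerializer.Deserialize<SithForce>(File.ReadAllText(fileToRead));
        // The installation is correct only when the stored and computed hashes match.
        return sithForce != null && string.Equals(sithForce.Checksum.Md5.ToString(), md5Checksum.Trim(), StringComparison.OrdinalIgnoreCase);
    }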

Solution

  • Yes, opinion based, but still here is mine:

    Well, you're launching 4(!) processes for each signature you create (cmd.exe, certutil.exe and 2x find.exe). That alone would drag me away from it.

    Then, the MD5 classes are being used in a multitude of applications and projects; I would say there is no objective way to distrust them, unless you have a proven example where they were "wrong" or a security advisory, etc. that says so.

    Finally, the MD5 implementation uses the underlying Windows API (see here to look into the rabbit hole) anyway. So chances are that it uses the same code (in the end) as CertUtil.exe.
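
The in-process alternative discussed in the answer, as an added example that is not part of the original question or answer: it hashes the file with the .NET Framework `MD5` class and compares it to a published value, with no child processes. The names `FileHashCheck`, `ComputeMd5Hex` and `Matches` are hypothetical, and the sample file is constructed.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class FileHashCheck   // hypothetical name, not from the original post
{
    // Streams the file through MD5, so a large zip is never loaded fully into memory.
    public static string ComputeMd5Hex(string path)
    {
        using (var md5 = MD5.Create())
        using (var stream = File.OpenRead(path))
        {
            byte[] hash = md5.ComputeHash(stream);
            // BitConverter yields "5E-B6-..."; normalise to lowercase hex without dashes.
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    // Compares against an expected value after removing whitespace and case,
    // so a value pasted from tool output with spacing still matches.
    public static bool Matches(string path, string expectedHex)
    {
        if (string.IsNullOrWhiteSpace(expectedHex)) return false;
        string expected = new string(expectedHex.Where(c => !char.IsWhiteSpace(c)).ToArray())
            .ToLowerInvariant();
        // An MD5 digest is 16 bytes, i.e. 32 hex characters; anything else is malformed.
        return expected.Length == 32 && expected == ComputeMd5Hex(path);
    }

    public static void Main()
    {
        // Constructed sample: a temp file containing the ASCII text "hello world".
        string path = Path.GetTempFileName();
        try
        {
            File.WriteAllBytes(path, Encoding.ASCII.GetBytes("hello world"));
            Console.WriteLine(ComputeMd5Hex(path));
            // Matching value, written with spaces and upper case.
            Console.WriteLine(Matches(path, "5EB63BBB E01EEED0 93CB22BB 8F5ACDC3"));
            // MD5 of an empty input, which must not match this file.
            Console.WriteLine(Matches(path, "d41d8cd98f00b204e9800998ecf8427e"));
        }
        finally { File.Delete(path); }
    }
}
```

MD5 here only detects accidental corruption of the zip; if the check must also resist deliberate tampering, the same pattern works with `SHA256.Create()` and a 64-character expected value.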