I often compare SHA256 sums of software and have to trust my eyes that the two hashes are the same. Most of the time I just look at the first 5 characters, alongside the last five characters, but I don't look at the middle, and I really should.
Some hashes could deliberately look the same but have 2-3 characters different, and I wouldn't know, unless I look at each character individually, but who does that?
It is a bit of effort, but you can make the computer do the verification for you by writing (or generating) a simple text file. Using Perl shasum because I'm on a mac at the moment, but Linux sha256sum works the same:
$ echo hi > some_file
$ shasum -a 256 some_file > check
$ cat check
98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4 some_file
$ shasum -a 256 -c check
some_file: OK
$ echo $?
0
$ echo bye > some_file
$ shasum -a 256 -c check
some_file: FAILED
shasum: WARNING: 1 computed checksum did NOT match
$ echo $?
1
Edit: Oh cool, at least perl's shasum allows reading from stdin so you can even skip the file if you're just copying some check file off the software's website:
$ shasum -a 256 -c - <<EOF
> 98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4 some_file
> EOF
some_file: OK
Any hash calculations using a "read from stdin or a pipe" strategy, in my experience, is fraught with issues caused by an extra newline at the end of the input possibly being there today, and not in later checks, or vice-versa.
When people claim they wrote a prediction at some later date, they always have to document the EXACT command used to avoid this, e.g. `echo "smart prediction" | md5sum`
Sure. The case in question is verifying a hash someone else gave you, so the problem you mention is present regardless of what verification method you're using.
There is one method that might help, the "astronomer's blink": open two editor tabs, paste the expected and the actual hash in either tab, then quickly switch between tabs using the keyboard (eg. Ctrl+PgUp/Dn if your editor supports this). Can also be used for comparing ordered JSON output when in a hurry.
(The term comes from https://en.wikipedia.org/wiki/Blink_comparator and someone wrote about this in a tech context as well, but I forgot where I read it. I'm seeing one search hit with the exact expression, so it could have been something close as well.)
If you are going to take the effort to paste into an editor you might as well paste both hashes into same tab, put the cursor on one and let the ide highlight all occurances. Ctrl-c + Ctrl-f for those with less sophisticated editors.
Heck, most editors even come with a “compare selection with clipboard” option.
Malware that replaces crypto addresses on webpages is already aware of this - they try to generate addresses with similar starting and ending characters since most people aren't checking the whole thing.
It is weird that this doesn't exist. The algorithm is pretty simple and there are libraries for it, but I couldn't find a generic command-line tool that shows one after hashing any file.
This might be a cool contribution to coreutils (which contains the `sha256sum`, `sha1sum`, `md5sum`, ... programs)
It looks like they discussed it on the mailing-list years ago when it was being selected, but nothing since. Maybe they forgot about it? This is strange.
I often compare SHA256 sums of software and have to trust my eyes that the two hashes are the same. Most of the time I just look at the first 5 characters, alongside the last five characters, but I don't look at the middle, and I really should.
Some hashes could deliberately look the same but have 2-3 characters different, and I wouldn't know, unless I look at each character individually, but who does that?