How to verify WZIS Software's package file integrity?


Each package released by WZIS Software and available for download from www.wziss.com has a SHA-2 384-bit checksum. To further protect the packages, we also generate a Certificate for the checksum, so even if a hacker is able to replace both the package and its SHA-2 384-bit checksum, the Certificate can help you detect the tampering.

The following is an example of a software package's integrity information as displayed on our web site:


asftp-3.3_SunOS.sparc-m64.wzpkg size:259561 sha384sum:
K2GyF8Spq0xb8xdQ1lqYgVTVxGkiYk/zhxxR/vKwVobJzEtTnbB3EUjBQxuL4smh 
Cert:f.P/kOipUhvgM7a$EmkVKsIFDcrY7NmSXoX2c.


To verify a package's checksum against its Certificate, our wzpkgadm software includes a program, /usr/local/bin/pkgcertvfy. You can verify in either of the following ways:

  1. Save the two lines, the 384-bit checksum and the Cert line, into a file, making sure no extra spaces or other characters are added. Then run:

$ cat file_name|pkgcertvfy

  2. $ pkgcertvfy 384bit_check_sum 'Cert_line'

Note the single quotes around the Cert_line: they are needed because the line includes a '$' sign, which the shell would otherwise try to expand.


To generate a SHA-2 384-bit checksum, use the pkgsum command, which our wzpkgadm package (required by all our software packages) installs under the /var/wzpkg directory.
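
An independent cross-check of the size and checksum fields in a record like the one shown above, added here as an example and not WZIS Software's own code. It assumes the published checksum is standard base64 of the raw SHA-384 digest (the 64-character sample decodes to 48 bytes); parse_record, sha384_b64 and check_package are hypothetical names, and the Cert check itself still requires pkgcertvfy.

```python
import base64
import hashlib
import hmac
import re
import sys

# Record layout as shown on the page: "<file> size:<bytes> sha384sum:",
# then the checksum line, then the "Cert:" line.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+size:(?P<size>\d+)\s+sha384sum:\s*\n"
    r"(?P<sum>\S+)\s*\n"
    r"Cert:(?P<cert>\S+)$"
)

def parse_record(text):
    m = RECORD_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised integrity record")
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    # Assumption: the checksum is standard base64 of the raw digest.
    raw = base64.b64decode(rec["sum"], validate=True)
    if len(raw) != hashlib.sha384().digest_size:
        raise ValueError("checksum does not decode to 384 bits")
    return rec

def sha384_b64(path, chunk=1 << 20):
    """Stream the file; return (base64 SHA-384 digest, byte count)."""
    h, size = hashlib.sha384(), 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
            size += len(block)
    return base64.b64encode(h.digest()).decode("ascii"), size

def check_package(path, record_text):
    rec = parse_record(record_text)
    digest, size = sha384_b64(path)
    return {
        "size_ok": size == rec["size"],
        "sum_ok": hmac.compare_digest(digest, rec["sum"]),
        # The two values pkgcertvfy takes for the Cert check.
        "pkgcertvfy_args": [rec["sum"], rec["cert"]],
    }

if __name__ == "__main__":  # usage: script.py package_file record_file
    result = check_package(sys.argv[1], open(sys.argv[2]).read())
    print(result)
    sys.exit(0 if result["size_ok"] and result["sum_ok"] else 1)
```

A mismatch in either field means the download should be discarded; a match on both only shows the file agrees with the published checksum, so the checksum and Cert line still go to pkgcertvfy.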