Verifying the Download
The steps on this page describe how to verify the authenticity of the downloaded copy of the Card Conformance Tool (CCT). Download the latest release by selecting the Latest release .zip file link at https://github.com/GSA/piv-conformance/releases. Note that the release comment includes the SHA-256 hash of the zip file. When you run any of the commands described below, the SHA-256 value in the command output should match the SHA-256 hash in the release comment.
For the following procedures, replace any instance of [PathToZipFile] with the file path to your copy of the downloaded CCT release (.zip file), omitting the brackets. If the file path to your copy of the CCT contains spaces, you must enclose [PathToZipFile] with quotation marks ("), for instance, "C:\Program Files\CCT". The distribution .zip file name includes a release version and timestamp of the year, month, day, hour, and minute that the file was built, denoted by [YYYYMMDDhhmm]. For example, the file "fips201-card-conformance-tool-1.0.7-20210220075731" indicates release version "1.0.7" and a build date of February 20, 2021.
- Click Start, type cmd, and press Enter. The Command Prompt opens.
- Run one of the following commands:
  - Certutil
    certutil -hashfile [PathToZipFile]\fips201-card-conformance-tool-[Release-Number]-[Release-Date].zip SHA256
  - OpenSSL
    openssl sha256 "[PathToZipFile]"\fips201-card-conformance-tool-[Release-Number]-[Release-Date].zip
- Click Start, type powershell, and press Enter. Windows PowerShell opens.
- Run the following command:
  Get-FileHash "[PathToZipFile]\fips201-card-conformance-tool-[Release-Number]-[Release-Date].zip" | Format-List
Open a terminal window, and run the following command:
openssl sha256 "[PathToZipFile]"/fips201-card-conformance-tool-[Release-Number]-[Release-Date].zip
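The terminal command above only prints the hash and leaves the comparison to the eye. The following script is an added example, not part of the CCT project or this wiki: it computes the hash the same way and compares it against the value copied from the release comment. The function names and the sha256sum fallback are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the CCT project.

# Print the lowercase SHA-256 of a file. Uses openssl as on this page;
# the sha256sum fallback is an assumption for hosts without openssl.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Output is "<label>(stdin)= <hex>"; the digest is the last field.
        openssl sha256 < "$1" | awk '{print tolower($NF)}'
    else
        sha256sum < "$1" | awk '{print tolower($1)}'
    fi
}

# verify_release_hash FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_release_hash() {
    local file expected actual
    file=$1
    # A pasted value may be uppercase (Get-FileHash prints uppercase hex)
    # or carry spaces or a newline, so normalise before comparing.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    # A truncated paste must not be accepted as a prefix match.
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value is not 64 hex digits" >&2; return 2
    fi
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read $file" >&2; return 2
    fi
    actual=$(sha256_of "$file")
    if [ "${#actual}" -ne 64 ]; then
        echo "could not compute hash" >&2; return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: got $actual, expected $expected" >&2
    return 1
}

# Usage: ./verify.sh FILE EXPECTED_SHA256
if [ "$#" -eq 2 ]; then
    verify_release_hash "$1" "$2"
fi
```

Any exit status other than 0 means the file should not be unpacked or run.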
This wiki is a work in progress. If you'd like to contribute to this wiki or provide feedback, please submit an issue.