Software Hash & Verification Guidelines

Home  /  Software Articles  /  Hash & Verification

This guide explains how to compute and verify the cryptographic hashes required for software articles in Biochemoinfo Journal. It is referenced from both the Open-Source and the Commercial software author guidelines.

Why do we require hashes?

A repository link or download URL guarantees nothing about which version of the software a future reader will encounter. A hash is a cryptographic fingerprint — it lets any reader, on any computer, in any year, confirm that the file they have is byte-for-byte identical to the version reviewed at submission. It is the difference between a citation and a verifiable citation.

1. SHA-256 vs. SHA-512 vs. MD5 vs. SHA-1
2. Computing a Git Commit Hash

To get the commit hash of the version you want to publish:

cd /path/to/your/repo git rev-parse HEAD # Output: a3f5b9e2c8d1f4a7b6c9d2e5f8a1b4c7d0e3f6a9

If your repository is using SHA-256 mode (Git 2.29+):

git rev-parse --verify HEAD

It is good practice to also create a signed tag for the published version:

git tag -s v1.0.0 -m "Version 1.0.0 — submitted to Biochemoinfo Journal" git push origin v1.0.0
3. Computing a SHA-256 Hash of an Archive
LinuxmacOS
sha256sum your-tool-v1.0.0.tar.gz # Linux output: # 7d2b8f1a9e4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e... your-tool-v1.0.0.tar.gz shasum -a 256 your-tool-v1.0.0.tar.gz # macOS output (same hash, different command)

For SHA-512:

sha512sum your-tool-v1.0.0.tar.gz shasum -a 512 your-tool-v1.0.0.tar.gz
Windows (PowerShell)
Get-FileHash -Algorithm SHA256 .\your-tool-v1.0.0.zip # Output: # Algorithm Hash Path # SHA256 7D2B8F1A9E4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E... ...
Windows (Command Prompt)
certutil -hashfile your-tool-v1.0.0.zip SHA256
Important: Hash output is case-insensitive in comparison, but always reproduce the hash in the paper using lowercase hexadecimal for consistency. Different tools may print uppercase or lowercase by default.
4. Depositing in Zenodo
  1. Sign in at zenodo.org. ORCID sign-in recommended.
  2. If your code is on GitHub, enable the GitHub–Zenodo integration: every release tag automatically creates a Zenodo deposit with its own DOI. Documentation: GitHub citation docs.
  3. Otherwise, click New Upload, attach the .tar.gz or .zip archive, fill in metadata (title, authors, version, license), and publish. You will receive a permanent DOI.
  4. After the deposit is published, compute the SHA-256 of the file you uploaded and confirm that Zenodo displays the matching MD5/SHA in its file metadata. The SHA-256 you put in the paper must match the hash of the file present in Zenodo.
5. Depositing in Software Heritage
  1. Visit archive.softwareheritage.org/save.
  2. Enter your repository URL (Git, Mercurial, or SVN supported).
  3. Click Save Code Now. The archive will crawl the repository, typically within minutes for small projects.
  4. Once archived, retrieve the SWHID (Software Heritage Identifier) for your specific revision. A SWHID for a release looks like swh:1:rel:abc123def456....
  5. Include this SWHID in the Verification Block in your paper.
6. Archiving Documentation Pages (Tier 3 only)

For commercial software, the paper must also reference archived snapshots of the product's documentation pages.

Capture, at a minimum: the homepage, the technical documentation, the pricing/licensing page, and any feature description page that is referenced in your paper.

7. Common Pitfalls
Hash mismatch after re-uploading

Don't re-create the archive after computing the hash. If you compute a hash for v1.0.0.tar.gz, then re-tar the directory (even with no content change), the new file will have a different hash because tarballs include timestamps and file ordering metadata. Compute the hash of the exact file you upload, and don't recreate it afterwards.

Line-ending differences (Windows vs. Linux)

If your archive contains source files with mixed CRLF/LF line endings, building on different platforms can produce different binaries. For Tier 1 reproducibility, configure .gitattributes with explicit line-ending rules:

* text=auto eol=lf *.bat text eol=crlf *.png binary *.jpg binary
Forgetting to publish the Zenodo deposit

Zenodo allows draft uploads. A draft does not have a public DOI and cannot be cited. After uploading, make sure you click Publish — not just Save.

Reproducible builds (advanced)

For maximum integrity, advanced authors may want their builds to be byte-identical when reproduced from source. This is the Reproducible Builds standard. It is not required by Biochemoinfo Journal, but is recommended for high-impact tools where long-term auditability matters.

8. Verifying Someone Else's Software (For Readers)

If you want to verify a paper's software:

  1. Find the Verification Block in the paper.
  2. Download the archive from the Zenodo DOI listed.
  3. Run the platform-appropriate hash command above.
  4. Compare the output to the SHA-256 in the Verification Block. They must match exactly.

If they do not match, the file has been altered, corrupted, or replaced. Contact the journal at info@biochemoinfojournal.com with details.

9. Where Does This Sit in the Submission Workflow?
  1. Finalize the version of your software you intend to publish.
  2. Tag it in Git (git tag v1.0.0) and push.
  3. Create the release archive (.tar.gz or .zip).
  4. Compute the SHA-256 of the archive.
  5. Upload the archive to Zenodo → obtain DOI.
  6. Trigger Software Heritage to archive the repository → obtain SWHID.
  7. Tier 3 only: Capture documentation snapshots in Wayback Machine and archive.today.
  8. Insert all identifiers and hashes into the Verification Block in the paper.
  9. Submit the paper to the journal.

Questions about hashes, archives, or verification? info@biochemoinfojournal.com.