An .SFV file is a file generated by a program such as WinSFV or QuickSFV. It is used to check a group of downloaded files for errors using a checksum. Whoever posted the files that you downloaded would normally generate the .SFV file and post it. After you downloaded these files, you would run a check to make sure there were no errors when you received them.

To use .SFV files, you need to find a copy of WinSFV or QuickSFV. Once installed, the program associates the .SFV extension with itself.

After you download a large set of files, such as an episode of Doctor Who called The Power of Kroll, you can check the files to verify that there were no errors when you downloaded the files.

An example of what is in an .SFV file:


; Generated by WIN-SFV32 v1.01a on 2000-10-09 at 02:03.28
;
;     10000000  01:46.24 2000-10-09 Kroll_DiVX_1of4.r00
;     10000000  01:46.26 2000-10-09 Kroll_DiVX_1of4.r01
;     10000000  01:46.28 2000-10-09 Kroll_DiVX_1of4.r02
;     10000000  01:46.30 2000-10-09 Kroll_DiVX_1of4.r03
;     10000000  01:46.32 2000-10-09 Kroll_DiVX_1of4.r04
;     10000000  01:46.34 2000-10-09 Kroll_DiVX_1of4.r05
;     10000000  01:46.36 2000-10-09 Kroll_DiVX_1of4.r06
;     10000000  01:46.40 2000-10-09 Kroll_DiVX_1of4.r07
;     10000000  01:46.42 2000-10-09 Kroll_DiVX_1of4.r08
;      8917545  01:46.44 2000-10-09 Kroll_DiVX_1of4.r09
;     10000000  01:46.22 2000-10-09 Kroll_DiVX_1of4.rar
Kroll_DiVX_1of4.r00 CC70127C
Kroll_DiVX_1of4.r01 82A866AC
Kroll_DiVX_1of4.r02 3ACB391B
Kroll_DiVX_1of4.r03 EB7A42DE
Kroll_DiVX_1of4.r04 49D9DFD0
Kroll_DiVX_1of4.r05 6ACCD727
Kroll_DiVX_1of4.r06 9502EBB4
Kroll_DiVX_1of4.r07 F4485E7B
Kroll_DiVX_1of4.r08 107E8E54
Kroll_DiVX_1of4.r09 DBE77D6D
Kroll_DiVX_1of4.rar D0916789
;Q1-1bfe29b24493910
;Q1-/+A=

The first part of the file lists the files to be checked and their sizes. Note that each part is about 10 megs in size. The second part of the .SFV file has the name of each file and the CRC checksum for each part. When you run the .SFV program, it generates a CRC checksum for each file and compares it to the checksum in the .SFV file. If they don't match, the program will tell you. You may need to re-download the bad part to get a complete episode of Doctor Who.

If you are unfamiliar with the extensions .RAR, .R00, .R01 etc., they belong to RAR, a file archiver program similar to WinZip. It uses the RAR compression technique, and is preferred on Usenet because you can set individual part sizes. If I unarchived the file Kroll_DiVX_1of4.rar, it would be a file that was about 108 megs in size.

It sounds good on paper - download the tiny .SFV file along with whatever you're downloading, and with one click you can discover if the file is correct or not. An especially good idea on Usenet, you might think, due to the unreliable transmission method, and interesting undocumented interactions between user agents. And it would be, too, if the implementation wasn't so fundamentally flawed.

SFV has never been rigidly specified, in the way that other protocols or file formats have. It can be roughly described as

name of file, <space>, CRC32 of file (in hexadecimal), <line break>. Any line beginning with a semicolon is a comment.

The upshot of this loose specification is that very few SFV programs are fully compatible with any other. Some SFV programs generate (and can parse) files with DOS line breaks, others with UNIX ones. When a filename contains spaces, the correct behaviour is undefined - the most common approach seems to be to read the last eight characters on a line as the CRC, and the rest as the filename. To add information that should have been in the specification from day one (such as the file size and date) without breaking backward compatibility, many programs add proprietary extensions as comments. It goes without saying that each program's proprietary extensions are not fully compatible with any other program; it is common to see lines such as
; Bogus line to fool Win-SFV and its lame compatiblity.
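
A tolerant parser and checker for the loose format described above, as an added example that is not part of the original writeup or of any SFV program. It takes the "last eight characters are the CRC" approach, accepts both kinds of line break, and rejects malformed lines instead of guessing; the function names, sample filenames and in-memory file contents are constructed for illustration.

```python
import re
import zlib

def crc32_of(data):
    return zlib.crc32(data) & 0xFFFFFFFF

# Constructed sample data: in-memory stand-ins for downloaded files.
SAMPLE_FILES = {
    "part one.r00": b"constructed payload A",
    "part_two.r01": b"constructed payload B",
}

# Constructed .SFV text: mixed DOS/UNIX line breaks, a filename with a space,
# comment lines, one deliberately wrong checksum and one malformed line.
SAMPLE_SFV = (
    "; Generated by a constructed example\r\n"
    ";       21  01:46.24 2000-10-09 part one.r00\r\n"
    f"part one.r00 {crc32_of(SAMPLE_FILES['part one.r00']):08X}\r\n"
    "part_two.r01 deadbeef\n"
    "missing.r02 00000000\n"
    "this line has no checksum\n"
)

CRC_FIELD = re.compile(r"[0-9A-Fa-f]{8}")

def parse_sfv(text):
    """Return (entries, rejected): entries are (filename, crc32) tuples."""
    entries, rejected = [], []
    for raw in text.splitlines():          # accepts both \r\n and \n
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment/extension
        name, crc = line[:-8], line[-8:]   # last eight characters are the CRC
        if not CRC_FIELD.fullmatch(crc) or not name.endswith(" ") or not name.strip():
            rejected.append(raw)           # refuse to guess at malformed lines
            continue
        entries.append((name.strip(), int(crc, 16)))
    return entries, rejected

def verify(entries, files):
    """Map each listed filename to 'OK', 'BAD' or 'MISSING'."""
    report = {}
    for name, expected in entries:
        if name not in files:
            report[name] = "MISSING"
        else:
            report[name] = "OK" if crc32_of(files[name]) == expected else "BAD"
    return report
```
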

The biggest flaw with SFV, however, is the hash used. CRC32 is not cryptographically secure, meaning that it is easy to work out not only the hash that corresponds to a file, but the alterations necessary to make a file correspond to a given hash. While CRC32 is effective against random corruption, missing only 1 in 2^32 errors, it is not in any way secure against deliberate tampering. Unimportant bytes in a file can be manipulated to produce a file with the same filesize and CRC32, but different contents, in a trivial amount of time. Trusting a SFV file to verify any form of executable code (applications, Java applets, shell scripts, WMV/ASF movies, etc.) is simply asking for it, as a malicious third party can (with a minimum of effort) produce a backdoored executable file that is verified as correct by an 'official' SFV file.
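
Why CRC32 detects accidents but not tampering, shown as an added example (not from the original writeup): the change in CRC32 caused by flipping a given set of bits depends only on which bits were flipped and the file length, never on the file's contents, so the checksum carries no secret or unpredictable component. SHA-256 is used here as the contrasting cryptographic hash, which is this example's choice; the sample data and function names are constructed.

```python
import hashlib
import zlib

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_delta(delta):
    """CRC32 change caused by XOR-ing `delta` into ANY file of the same length."""
    return zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))

def crc_change_is_predictable(original, delta):
    """True if the modified file's CRC32 follows from the old CRC and delta alone."""
    modified = xor_bytes(original, delta)
    return zlib.crc32(modified) == zlib.crc32(original) ^ crc_delta(delta)

def sha256_change_is_predictable(original, delta):
    """The same XOR relation tested against SHA-256 digests."""
    def h(data):
        return hashlib.sha256(data).digest()
    zeros = bytes(len(delta))
    predicted = xor_bytes(xor_bytes(h(original), h(delta)), h(zeros))
    return h(xor_bytes(original, delta)) == predicted

# Constructed sample: two unrelated "files" of equal length and one bit pattern.
FILE_A = b"constructed sample file contents" * 4
FILE_B = bytes(range(128))
DELTA = bytearray(len(FILE_A))
DELTA[5] = 0x20      # flip one bit near the start
DELTA[100] = 0xFF    # flip a whole byte further in
DELTA = bytes(DELTA)

if __name__ == "__main__":
    for label, data in (("FILE_A", FILE_A), ("FILE_B", FILE_B)):
        print(label,
              "crc32 predictable:", crc_change_is_predictable(data, DELTA),
              "sha256 predictable:", sha256_change_is_predictable(data, DELTA))
```
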

Despite their flaws, .SFV files will be around as long as uninformed people keep producing them. Please consider using any of the following solutions instead of .SFV files:

  • GNU md5sum, a GPL application that generates files very similar to .SFV, but using the cryptographically secure MD5 hash function. It is (to all intents and purposes) not possible to tamper with a file and keep the same MD5sum.
  • .PAR/.PAR2, well-specified file formats that use Reed-Solomon coding to detect and repair errors in a file. .PAR/.PAR2 can repair a file if sections of it are missing/damaged. PAR/PAR2 stores an MD5sum of the file, making tampering impossible.

Go get:
PAR/PAR2 programs and specifications from http://parchive.sourceforge.net/
GNU md5sum as part of GNU textutils from http://www.gnu.org/software/textutils/textutils.html
