How to check and verify md5/sha1/sha256 checksums for Apple MacOS X when I download files

Posted on in Categories , , , last updated June 30, 2017

Malware is becoming more and more common for macOS. I wanted to make sure file I downloaded files such as an ISO image or firmware are safe before install on my system. How do I verify md5 or sha1 or sha256 checksums for my Apple MacOS X when I download files from the Internet?

You need to use the shasum command to compute or verify SHA message digests.
apple-macos-verify-checksum-sha1-sha256-md5
A checksum is nothing but a digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.

Syntax

To print or check SHA checksums use the following syntax:
shasum -a algorithm filename
shasum -a algorithm -c input.txt

Where,

  1. -a algorithm : It can be 1 (default), 224, 256, 384, and 512.
  2. -c input.txt : Check SHA sums against given list usually stored in a text file.

Examples

Open the Terminal application and grab the latest firmware using wget command:
$ wget http://www.mediafire.com/file/ff04qcobujqek27/RT-AC87U_380.66_6.zip
Verify the file:
$ ls -lh RT-AC87U_380.66_6.zip
Unzip the file using unzip command:
$ unzip RT-AC87U_380.66_6.zip
Sample outputs:

Archive:  RT-AC87U_380.66_6.zip
  inflating: RT-AC87U_380.66_6.trx   
  inflating: README-merlin.txt       
  inflating: Changelog.txt           
  inflating: sha256sum.sha256

Your firmware file named RT-AC87U_380.66_6.trx. You can verify its integrity with sha256sum.sha256 file as follows:
$ shasum -a 256 -c sha256sum.sha256
Sample outputs:

RT-AC87U_380.66_6.trx: OK

If file is modified during transmission or by malware on the remote server you will get an error that read as follows:
$ shasum -a 256 -c sha256sum.sha256
Sample outputs:

RT-AC87U_380.66_6.trx: FAILED
shasum: WARNING: 1 computed checksum did NOT match 

You must delete the file immediately using the rm command:
$ rm RT-AC87U_380.66_6.zip RT-AC87U_380.66_6.trx
To calculate SHA-256 checksum for an iso file named foo.iso, run:
$ shasum -a 256 foo.iso

Verifying an SHA-1 checksum

The syntax is:
$ shasum -a 1 -c input.txt
OR
$ shasum -a 1 filename
OR
$ shasum -a 1 centos.iso
To see more info about the shasum command type:
$ shasum --help
Sample outputs:

Usage: shasum [OPTION]... [FILE]...
Print or check SHA checksums.
With no FILE, or when FILE is -, read standard input.
 
  -a, --algorithm   1 (default), 224, 256, 384, 512, 512224, 512256
  -b, --binary      read in binary mode
  -c, --check       read SHA sums from the FILEs and check them
  -t, --text        read in text mode (default)
  -U, --UNIVERSAL   read in Universal Newlines mode
                        produces same digest on Windows/Unix/Mac
  -0, --01          read in BITS mode
                        ASCII '0' interpreted as 0-bit,
                        ASCII '1' interpreted as 1-bit,
                        all other characters ignored
  -p, --portable    read in portable mode (to be deprecated)
 
The following two options are useful only when verifying checksums:
  -s, --status      don't output anything, status code shows success
  -w, --warn        warn about improperly formatted checksum lines
 
  -h, --help        display this help and exit
  -v, --version     output version information and exit
 
When verifying SHA-512/224 or SHA-512/256 checksums, indicate the
algorithm explicitly using the -a option, e.g.
 
  shasum -a 512224 -c checksumfile
 
The sums are computed as described in FIPS PUB 180-4.  When checking,
the input should be a former output of this program.  The default
mode is to print a line with checksum, a character indicating type
(`*' for binary, ` ' for text, `U' for UNIVERSAL, `^' for BITS, `?'
for portable), and name for each FILE.
 
Report shasum bugs to [email protected]

Another option: openssl command

You can use the openssl command as follows to get and verify checksum.

Verifying an SHA-1 checksum with the openssl command

$ openssl sha1 filename
$ openssl sha1 ~/isoimages/unetbootin-mac-625.dmg
SHA1(/Users/veryv/isoimages/unetbootin-mac-625.dmg)= 8a44b5095ed9b05f8a2643a5df91e932467a0e7

Verifying an SHA256 checksum with the openssl command

$ openssl dgst -sha256 filename
$ openssl dgst -sha256 ~/isoimages/CentOS-7-x86_64-Minimal-1611.iso
SHA256(/Users/veryv/isoimages/CentOS-7-x86_64-Minimal-1611.iso)= 27bd866242ee058b7a5754e83d8ee8403e216b93d130d800852a96f41c34d86a

Verifying an MD5 checksum with the openssl command

$ openssl md5 filename
$ openssl md5 /etc/passwd
MD5(/etc/passwd)= 5e7f80888f3d491c4963881364048c24

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

2 comment

  1. I created a simple Applescript for that and put it into the Finder menu bar (or the Dock). And then i can simply Drag any file on that icon and i get the corresponding hash.

    on open f
    	set filePath to POSIX path of f as string
    	display dialog (do shell script "md5 -q \"" & filePath & "\"")
    end open
    

Leave a Comment