Check and verify md5/sha1/sha256 checksums for MacOS X when I download files


Malware is becoming more and more common for macOS. I wanted to make sure files I downloaded, such as an ISO image or firmware, are safe before I install them on my system. How do I verify md5 or sha1 or sha256 checksums for my Apple MacOS X when I download files from the Internet?

Matching the checksum of a downloaded file is necessary and useful in some cases. The main reason is to validate that the transmission was OK: the downloaded file was not corrupted or modified during the transfer. You need to use the shasum command to compute or verify SHA message digests.
A checksum is nothing but a digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.

Syntax to check and verify md5/sha1/sha256 checksums for MacOS X

To print or check SHA checksums use the following syntax:
shasum -a algorithm filename
shasum -a algorithm -c input.txt


  1. -a algorithm : It can be 1 (default), 224, 256, 384, and 512.
  2. -c input.txt : Check SHA sums against given list usually stored in a text file.


Open the Terminal application and grab the latest firmware using wget command:
$ wget
Verify the file:
$ ls -lh
Unzip the file using unzip command:
$ unzip
Sample outputs:

  inflating: RT-AC87U_380.66_6.trx   
  inflating: README-merlin.txt       
  inflating: Changelog.txt           
  inflating: sha256sum.sha256

Your firmware file is named RT-AC87U_380.66_6.trx. You can verify its integrity with the sha256sum.sha256 file as follows:
$ shasum -a 256 -c sha256sum.sha256
Sample outputs:

RT-AC87U_380.66_6.trx: OK

If the file is modified during transmission or by malware on the remote server, you will get an error that reads as follows:
$ shasum -a 256 -c sha256sum.sha256
Sample outputs:

RT-AC87U_380.66_6.trx: FAILED
shasum: WARNING: 1 computed checksum did NOT match 

You must delete the file immediately using the rm command:
$ rm RT-AC87U_380.66_6.trx
To calculate SHA-256 checksum for an iso file named foo.iso, run:
$ shasum -a 256 foo.iso

Verifying an SHA-1 checksum

The syntax is:
$ shasum -a 1 -c input.txt
$ shasum -a 1 filename
$ shasum -a 1 centos.iso
To see more info about the shasum command type:
$ shasum --help
Sample outputs:

Usage: shasum [OPTION]... [FILE]...
Print or check SHA checksums.
With no FILE, or when FILE is -, read standard input.
  -a, --algorithm   1 (default), 224, 256, 384, 512, 512224, 512256
  -b, --binary      read in binary mode
  -c, --check       read SHA sums from the FILEs and check them
  -t, --text        read in text mode (default)
  -U, --UNIVERSAL   read in Universal Newlines mode
                        produces same digest on Windows/Unix/Mac
  -0, --01          read in BITS mode
                        ASCII '0' interpreted as 0-bit,
                        ASCII '1' interpreted as 1-bit,
                        all other characters ignored
  -p, --portable    read in portable mode (to be deprecated)
The following two options are useful only when verifying checksums:
  -s, --status      don't output anything, status code shows success
  -w, --warn        warn about improperly formatted checksum lines
  -h, --help        display this help and exit
  -v, --version     output version information and exit
When verifying SHA-512/224 or SHA-512/256 checksums, indicate the
algorithm explicitly using the -a option, e.g.
  shasum -a 512224 -c checksumfile
The sums are computed as described in FIPS PUB 180-4.  When checking,
the input should be a former output of this program.  The default
mode is to print a line with checksum, a character indicating type
(`*' for binary, ` ' for text, `U' for UNIVERSAL, `^' for BITS, `?'
for portable), and name for each FILE.
Report shasum bugs to

Another option: openssl command

You can use the openssl command as follows to get and verify a checksum.

Verifying an SHA-1 checksum with the openssl command

$ openssl sha1 filename
$ openssl sha1 ~/isoimages/unetbootin-mac-625.dmg
SHA1(/Users/veryv/isoimages/unetbootin-mac-625.dmg)= 8a44b5095ed9b05f8a2643a5df91e932467a0e7

Verifying an SHA256 checksum with the openssl command

$ openssl dgst -sha256 filename
$ openssl dgst -sha256 ~/isoimages/CentOS-7-x86_64-Minimal-1611.iso
SHA256(/Users/veryv/isoimages/CentOS-7-x86_64-Minimal-1611.iso)= 27bd866242ee058b7a5754e83d8ee8403e216b93d130d800852a96f41c34d86a

Verifying an MD5 checksum with the openssl command

$ openssl md5 filename
$ openssl md5 /etc/passwd
MD5(/etc/passwd)= 5e7f80888f3d491c4963881364048c24

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

2 comment

  1. I created a simple AppleScript for that and put it into the Finder menu bar (or the Dock). And then I can simply drag any file on that icon and I get the corresponding hash.

    on open f
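    	-- f is the list of dropped items; hash the first one
    	set filePath to POSIX path of (item 1 of f)
    	-- quoted form of escapes quotes, $ and backticks in the file name for the shell
    	display dialog (do shell script "md5 -q " & quoted form of filePath)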
    end open
