Checksums

When downloading a big application or a Linux distribution image online, you may have seen long strings of letters and numbers nearby.

These strings are called file hashes or checksums. They are used to quickly verify that the file you received is the file you were expecting, down to the last bit. A hash is generated by a special algorithm designed to produce a result that is, for practical purposes, unique to each file: even the tiniest change to the file produces a vastly different result.

Many such algorithms exist. Currently, the recommended ones are SHA-256 and SHA-3. Other algorithms include SHA-1, MD5, and CRC32. These are considered insecure (that is, it has been shown that it is possible to generate two different files with the same hash), but they are still commonly used for file verification, where they catch accidental corruption but should not be relied on to detect deliberate tampering.

How to show the hash for a file

If you want to verify a hash visually – that is, just see the hash and check if it's the same – macOS provides command line-based tools to show hashes for all sorts of hashing algorithms.

To show a SHA-256 hash:

shasum -a 256 [filenames]

To show a SHA-1 hash:

shasum -a 1 [filenames]

To show an MD5 hash:

md5 -r [filenames]

To show a CRC32 hash:

crc32 [filenames]

(Tip: you can drag a file onto your Terminal window to quickly get its path)

How to verify hashes using checksum files

Sometimes, downloads come with files that have names such as SHA1SUMS. These files are called checksum files and can be used to quickly verify the integrity of multiple files.

A checksum file generally has multiple lines, each containing a hash followed by the corresponding filename. When you run a verification command on such a file, your computer generates and verifies hashes for every file listed in the checksum file, provided they actually exist inside the folder that you ran the command from. This can be convenient if you have a lot of files you want to verify.

To verify a SHA-256 checksum file (usually called SHA256SUMS):

shasum -a 256 -c [SHA256SUMS]

To verify a SHA-1 checksum file (usually called SHA1SUMS):

shasum -a 1 -c [SHA1SUMS]

macOS does not provide a way to verify MD5 checksum files by default.

However, it is very easy to install a utility from Homebrew that can do that:

brew install md5sha1sum

After you do that, you will be able to verify checksum files using this command:

md5sum -c [MD5SUMS]

Creating your own checksum files

You might have noticed that the contents of checksum files and the output of the standard checksum commands are similar. Indeed, to create your own checksum file, all you need to do is save the results of a checksum command to a file. While you can just copy the result from your terminal, there's a slightly easier way.

Using the > operator in bash, you can redirect the output of any terminal command to a file, for example:

shasum -a 256 [files] > [SHA256SUMS]


What do you think? Are you verifying that your downloads arrive safely? Let us know in the comments below!