Malware is becoming more and more common for macOS. I wanted to make sure file I downloaded files such as an ISO image or firmware are safe before install on my system. How do I verify md5 or sha1 or sha256 checksums for my Apple MacOS X when I download files from the Internet?
Matching the checksum of a download file is necessary and useful in some cases. The main reason is to make sure that one can validate the transmission was ok. The downloaded file was not corrupted or modified during the transfer. You need to use the shasum command to compute or verify SHA message digests.
A checksum is nothing but a digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.
Syntax to check and verify md5/sha1/sha256 checksums for MacOS X
To print or check SHA checksums use the following syntax:
shasum -a algorithm filename
shasum -a algorithm -c input.txt
- -a algorithm : It can be 1 (default), 224, 256, 384, and 512.
- -c input.txt : Check SHA sums against given list usually stored in a text file.
Open the Terminal application and grab the latest firmware using wget command:
$ wget http://www.mediafire.com/file/ff04qcobujqek27/RT-AC87U_380.66_6.zip
Verify the file:
$ ls -lh RT-AC87U_380.66_6.zip
Unzip the file using unzip command:
$ unzip RT-AC87U_380.66_6.zip
Archive: RT-AC87U_380.66_6.zip inflating: RT-AC87U_380.66_6.trx inflating: README-merlin.txt inflating: Changelog.txt inflating: sha256sum.sha256
Your firmware file named RT-AC87U_380.66_6.trx. You can verify its integrity with sha256sum.sha256 file as follows:
$ shasum -a 256 -c sha256sum.sha256
If file is modified during transmission or by malware on the remote server you will get an error that read as follows:
$ shasum -a 256 -c sha256sum.sha256
RT-AC87U_380.66_6.trx: FAILED shasum: WARNING: 1 computed checksum did NOT match
You must delete the file immediately using the rm command:
$ rm RT-AC87U_380.66_6.zip RT-AC87U_380.66_6.trx
To calculate SHA-256 checksum for an iso file named foo.iso, run:
$ shasum -a 256 foo.iso
Verifying an SHA-1 checksum
The syntax is:
$ shasum -a 1 -c input.txt
$ shasum -a 1 filename
$ shasum -a 1 centos.iso
To see more info about the shasum command type:
$ shasum --help
Usage: shasum [OPTION]... [FILE]... Print or check SHA checksums. With no FILE, or when FILE is -, read standard input. -a, --algorithm 1 (default), 224, 256, 384, 512, 512224, 512256 -b, --binary read in binary mode -c, --check read SHA sums from the FILEs and check them -t, --text read in text mode (default) -U, --UNIVERSAL read in Universal Newlines mode produces same digest on Windows/Unix/Mac -0, --01 read in BITS mode ASCII '0' interpreted as 0-bit, ASCII '1' interpreted as 1-bit, all other characters ignored -p, --portable read in portable mode (to be deprecated) The following two options are useful only when verifying checksums: -s, --status don't output anything, status code shows success -w, --warn warn about improperly formatted checksum lines -h, --help display this help and exit -v, --version output version information and exit When verifying SHA-512/224 or SHA-512/256 checksums, indicate the algorithm explicitly using the -a option, e.g. shasum -a 512224 -c checksumfile The sums are computed as described in FIPS PUB 180-4. When checking, the input should be a former output of this program. The default mode is to print a line with checksum, a character indicating type (`*' for binary, ` ' for text, `U' for UNIVERSAL, `^' for BITS, `?' for portable), and name for each FILE. Report shasum bugs to firstname.lastname@example.org
Another option: openssl command
You can use the openssl command as follows to get and verify checksum.
Verifying an SHA-1 checksum with the openssl command
$ openssl sha1 filename
$ openssl sha1 ~/isoimages/unetbootin-mac-625.dmg
Verifying an SHA256 checksum with the openssl command
$ openssl dgst -sha256 filename
$ openssl dgst -sha256 ~/isoimages/CentOS-7-x86_64-Minimal-1611.iso
Verifying an MD5 checksum with the openssl command
$ openssl md5 filename
$ openssl md5 /etc/passwd