How do I verify the checksum or hash of a downloaded file on the command line?

If I have downloaded a file from the internet, and the source website has provided a checksum or hash (e.g. SHA-256), how do I verify that the hash of the downloaded file matches the hash reported on the site?

For example, I’ve downloaded a file, and the website states that the SHA-256 hash for it is:

d9cd63f187db2daea1371289508c63a7a24c46316f15ac61f030a7d6ea423915

I do know how to create an SHA-256 hash of the downloaded file using:

shasum -a 256 /path/to/downloaded.pkg

However, I don’t want to do a manual, a.k.a. eyeball, check of the hash. Instead I want to compare the two hashes using a command like diff, preferably by executing a single command line.


Solution 1:

You have already received answers on how to do an automatised comparison of the two hash values to ensure they are completely alike. I just wanted to add a different angle on how to compare the hash values.

Actually it is in almost any case enough to do an "eyeball comparison". I.e. if you check that the first few characters and the last few characters are the same, and it "looks the same" - then this is a really good verification.

If you're trying to do an automatised comparison "by heart", there's a risk that you accidentally enter the wrong command line or somehow subtly alter the meaning of the command.

The alternative to doing it by heart is to spend time finding and cut-and-pasting the script/command line every time you need to check. This can lead to situations where we simply forego the check, because we're in a hurry or feel it is low risk.

The reason why an "eyeball comparison" is most often enough is that for an attacker it is really, really hard to create a file with a SHA-256 hash that is "almost the same" as for the original file. It's almost as hard as creating a SHA-256 hash that is the same as for the original file. You could probably assume that if they can create one, they can create the other.

The properties of SHA-256 (and indeed any cryptographic hash) are such that even the slightest change to the file results in a widely different hash value.

Solution 2:

When you first calculate the sum of a file, it produces an output consisting of the sum, two spaces, and the name of the file that produced that sum. If you redirect that output to a file, you can later use the "-c" (for "check") option to automatically check every file listed, to see if the sum still matches.

So, create a text file called "checksum.txt" with one line:

d9cd63f187db2daea1371289508c63a7a24c46316f15ac61f030a7d6ea423915  downloaded.pkg

Then run the command:

shasum -a 256 -c checksum.txt

The command will calculate the sha-256 checksum of the file "downloaded.pkg", compare the result with the precomputed value, and tell you if it matched or not.

You might not even have to create the sum file yourself; most of the time, websites that provide checksums will let you download a text file that's already in the proper format.