
astojazz1

macrumors newbie
Original poster
Jun 17, 2014
What's up people,
I've recently understood that I can check the file integrity of all download files from the interwebs; noobie doobie, kinda. Is this important to do when downloading anything and everything such as Logic Pro X, Yosemite, and basically anything and everything, seeing as how the internet has been, and is, the digital wild west?

Is it really a case of we're all so comfortable with downloading everything thinking that the integrity of all these programs are securely intact but they may be, in fact, some of the time, laced with hacked code or what have you based on their path that they've traveled over the net to get to my computer?

Computers have been, are and will be playing a big role on the world stage. I figure, since we have things now like the "Hour of Code", why should I not learn how to check the security of the files/programs that are being downloaded onto my computer? If anyone can provide an answer, in detail, I would greatly appreciate it. Thanks everyone.
 
You can, in terminal, do md5 /path/to/file, or shasum /path/to/file, but if the download source doesn't provide the checksum it is of no use.

But all OSes have this sort of check (Windows verified files, OS X "Gatekeeper", Linux checksum verification), as long as the developer plays along.
 
Am I correct when I assume that when files/programs are traveling across the net they can be intercepted and corrupted before reaching your computer or how does this process work? Why should I check the sha1 of all my downloads and how do I know that the systems in place to check the checksums are doing their job properly?
 
Am I correct when I assume that when files/programs are traveling across the net they can be intercepted and corrupted before reaching your computer or how does this process work?

If the transfer uses HTTPS, this assumption is wrong. HTTPS hosts are authenticated using digital certificates, and the integrity of the data is verified using MACs.
http://en.wikipedia.org/wiki/HTTP_Secure
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/Message_authentication_code

Even if the transfer doesn't use HTTPS, data integrity can still be verified, if the data source has a trustworthy channel to communicate message digests. It depends on what app is doing the transfer. There isn't a single answer.

If you don't know what digital certificates or MACs are, then you should spend some time learning the fundamentals of digital cryptography. I'm not saying that to blow you off, but because cryptography is not a simple subject to condense, and there is plenty of information about it around the web, so it serves no purpose to repeat it here.

In other words, if you're interested, then reliable and extensive information is fairly easy to find.

Why should I check the sha1 of all my downloads ...
You should check the SHA1 (or other message digest) of downloads if you have a heightened desire for security. If you don't have that desire, then don't. It's your choice.

... and how do I know that the systems in place to check the checksums are doing their job properly?
It depends on your need for security. If that need is very high, then you'd verify everything, including the CPU, the memory, the disk, and the circuit boards themselves. You'd also personally verify every piece of software on the system, including the integrity-checking software itself. This would rapidly become a very large task, bordering on an infinite regress into what one decides is ultimately trustworthy or not.

You're the one who raised the subject, so it's up to you to explain to everyone what level of security you need. If you don't know, then you need to educate yourself about security and its related technology.

There isn't a single simple answer.
 
That is a lot of questions. Bear with me.
Am I correct when I assume that when files/programs are traveling across the net they can be intercepted and corrupted before reaching your computer or how does this process work?
No. You are worrying about the wrong thing. If you download something and it has the SSL padlock you can be fairly sure that your download was not changed in transit. That doesn't mean you downloaded the correct thing though.

You don't send programs across the net but let's imagine I wrote one and put it in a file called doynton.dmg for you to download. My one is a useful utility but someone else has made a file with the same name which when you install it copies all your contacts and mails them to me.
Why should I check the sha1 of all my downloads
So you know that you have the version from the developer and not something else downloaded from cnet.com etc with the same name that does something completely different.
how do I know that the systems in place to check the checksums are doing their job properly?
You rely on others checking. If I write a program for you to download there is a one in several trillion chance you will find another with the same SHA. If you really want to know the mathematical calculations you can look it up on Wikipedia http://en.wikipedia.org/wiki/Secure_Hash_Algorithm but I wouldn't bother - you have to trust someone.

Any decent developer will give you the SHA (or another hash). You can then (and should) check it before you install anything to make sure it is theirs and not someone else's file which happens to have the same name.

If the standard (free) terminal method is too annoying you can use hashtab (from http://implbits.com/products/hashtab/ ). It used to be free but costs a few bob now. Obviously you should check the hash before using it.

----------

EDIT:
....it's up to you to explain to everyone what level of security you need. If you don't know, then you need to educate yourself about security and its related technology.
Why? Seems a perfectly reasonable question to me.
 
I decided to download, as a file image from a third-party site, the new OS X, Sierra, which is free in any case.
I did it because at my job I have tremendous internet speed, unlike at my home.
But I want to check the checksum.
Can somebody tell me what the checksum of Sierra is, and how to check the image I have?
 