Check sha1 checksum mac os x

Discussion in 'Mac Basics and Help' started by astojazz1, Jan 24, 2015.

  1. astojazz1 macrumors newbie

    Jun 17, 2014
    Whats up people,
    I've recently understood that I can check the file integrity of all download files from the interwebs; noobie doobie, kinda. Is this important to do when downloading anything and everything such as Logic Pro X, Yosemite, and basically anything and everything seeing as how the internet, has been and is, the digital wild west.

    Is it really a case of we're all so comfortable with downloading everything thinking that the integrity of all these programs are securely intact but they may be, in fact, some of the time, laced with hacked code or what have you based on their path that they've traveled over the net to get to my computer?

    Computers have been, are and will be playing a big role on the world stage I figure since we have things now like the "Hour of Code" why should I not learn how to check the security of the files/programs that are being downloaded onto my computer. If anyone can provide an answer, in detail, I would greatly appreciate it. Thanks everyone.
  2. Weaselboy Moderator


    Staff Member

    Jan 23, 2005
  3. boast macrumors 65816


    Nov 12, 2007
    You can, in terminal, do md5 /path/to/file, or shasum /path/to/file, but if the download source doesn't provide the checksum it is of no use.

    But all OS' have this sort of check (Windows verified files, OS X "Gatekeeper", Linux checksum verification), as long as the developer plays along.
  4. astojazz1 thread starter macrumors newbie

    Jun 17, 2014
    Am I correct when I assume that when files/programs are traveling across the net they can be intercepted and corrupted before reaching your computer or how does this process work? Why should I check the sha1 of all my downloads and how do I know that the systems in place to check the checksums are doing their job properly?
  5. chown33 macrumors 604

    Aug 9, 2009
    If the transfer uses HTTPS, this assumption is wrong. HTTPS hosts are authenticated using digital certificates, and the integrity of the data is verified using MACs.

    Even if the transfer doesn't use HTTPS, data integrity can still be verified, if the data source has a trustworthy channel to communicate message digests. It depends on what app is doing the transfer. There isn't a single answer.

    If you don't know what digital certificates or MACs are, then you should spend some time learning the fundamentals of digital cryptography. I'm not saying that to blow you off, but because cryptography is not a simple subject to condense, and there is plenty of information about it around the web, so it serves no purpose to repeat it here.

    In other words, if you're interested, then reliable and extensive information is fairly easy to find.

    You should check the SHA1 (or other message digest) of downloads if you have a heightened desire for security. If you don't have that desire, then don't. It's your choice.

    It depends on your need for security. If that need is very high, then you'd verify everything, including the CPU, the memory, the disk, and the circuit boards itself. You'd also personally verify every piece of software on the system, including the integrity-checking software itself. This would rapidly become a very large task, bordering on an infinite regress into what one decides is ultimately trustworthy or not.

    You're the one who raised the subject, so it's up to you to explain to everyone what level of security you need. If you don't know, then you need to educate yourself about security and its related technology.

    There isn't a single simple answer.
  6. doynton macrumors 6502

    Oct 19, 2014
    That is a lot of questions. Bear with me.
    No. You are worrying about the wrong thing. If you download something and it has the SSL padlock you can be fairly sure that your downloaded not changed in transit. That doesn't mean you downloaded the correct thing though.

    You don't send programs across the net but lets imagine I wrote one and put it in a file called doynton.dmg for you to download. My one is a useful utility but someone else has made a file with the same name which when you install it copies all your contacts and mails them to me.
    So you know that you have the version from the developer and not something else downloaded from etc with the same name that does something completely different.
    You rely on others checking. If I write a program for you to download there is a one in several trillion chance you will find another with the same SHA. If you really want to know the mathmatical calculations you can look it up on wikepedia but I wouldn't bother - you have to trust someone.

    Any decent developer will give you the SHA (or another hash). You can then (and should) check it before you install anything to make sure it is theirs and not someone elses file which happens to have the same name.

    If the standard (free) terminal method is too annoying you can use hashtab (from ). It used to be free but costs a few bob now. Obviously you should check the hash before using it.


    Why? Seems a perfectly reasonable question to me.
  7. cool11 macrumors 65816


    Sep 3, 2006
    I decided to download as file image from a third-party site, the new osx, sierra, which is free in any case.
    I did it because in my job I have tremendous internet speed, instead of my home.
    But I want to check the checksum.
    Can somebody tell me what is the checksum of sierra, and how to check the image I have?

Share This Page