Check sha1 checksum mac os x

Discussion in 'Mac Basics and Help' started by astojazz1, Jan 24, 2015.

  1. astojazz1 macrumors newbie

    Joined:
    Jun 17, 2014
    #1
    What's up people,
    I've recently understood that I can check the file integrity of all downloaded files from the interwebs; noobie doobie, kinda. Is this important to do when downloading anything and everything such as Logic Pro X, Yosemite, and basically anything and everything, seeing as how the internet has been, and is, the digital wild west?

    Is it really a case of we're all so comfortable with downloading everything thinking that the integrity of all these programs are securely intact but they may be, in fact, some of the time, laced with hacked code or what have you based on their path that they've traveled over the net to get to my computer?

    Computers have been, are and will be playing a big role on the world stage, I figure. Since we have things now like the "Hour of Code", why should I not learn how to check the security of the files/programs that are being downloaded onto my computer? If anyone can provide an answer, in detail, I would greatly appreciate it. Thanks everyone.
     
  2. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
  3. boast macrumors 65816

    Joined:
    Nov 12, 2007
    Location:
    Phoenix
    #3
    You can, in terminal, do md5 /path/to/file, or shasum /path/to/file, but if the download source doesn't provide the checksum it is of no use.

    But all OSes have this sort of check (Windows verified files, OS X "Gatekeeper", Linux checksum verification), as long as the developer plays along.
     
  4. astojazz1 thread starter macrumors newbie

    Joined:
    Jun 17, 2014
    #4
    Am I correct when I assume that when files/programs are traveling across the net they can be intercepted and corrupted before reaching your computer or how does this process work? Why should I check the sha1 of all my downloads and how do I know that the systems in place to check the checksums are doing their job properly?
     
  5. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #5
    If the transfer uses HTTPS, this assumption is wrong. HTTPS hosts are authenticated using digital certificates, and the integrity of the data is verified using MACs.
    http://en.wikipedia.org/wiki/HTTP_Secure
    http://en.wikipedia.org/wiki/Transport_Layer_Security
    http://en.wikipedia.org/wiki/Message_authentication_code

    Even if the transfer doesn't use HTTPS, data integrity can still be verified, if the data source has a trustworthy channel to communicate message digests. It depends on what app is doing the transfer. There isn't a single answer.

    If you don't know what digital certificates or MACs are, then you should spend some time learning the fundamentals of digital cryptography. I'm not saying that to blow you off, but because cryptography is not a simple subject to condense, and there is plenty of information about it around the web, so it serves no purpose to repeat it here.

    In other words, if you're interested, then reliable and extensive information is fairly easy to find.

    You should check the SHA1 (or other message digest) of downloads if you have a heightened desire for security. If you don't have that desire, then don't. It's your choice.

    It depends on your need for security. If that need is very high, then you'd verify everything, including the CPU, the memory, the disk, and the circuit boards themselves. You'd also personally verify every piece of software on the system, including the integrity-checking software itself. This would rapidly become a very large task, bordering on an infinite regress into what one decides is ultimately trustworthy or not.

    You're the one who raised the subject, so it's up to you to explain to everyone what level of security you need. If you don't know, then you need to educate yourself about security and its related technology.

    There isn't a single simple answer.
     
  6. doynton macrumors 6502

    Joined:
    Oct 19, 2014
    #6
    That is a lot of questions. Bear with me.
    No. You are worrying about the wrong thing. If you download something and it has the SSL padlock you can be fairly sure that your download was not changed in transit. That doesn't mean you downloaded the correct thing though.

    You don't send programs across the net but let's imagine I wrote one and put it in a file called doynton.dmg for you to download. My one is a useful utility but someone else has made a file with the same name which when you install it copies all your contacts and mails them to me.
    So you know that you have the version from the developer and not something else downloaded from cnet.com etc with the same name that does something completely different.
    You rely on others checking. If I write a program for you to download there is a one in several trillion chance you will find another with the same SHA. If you really want to know the mathematical calculations you can look it up on Wikipedia http://en.wikipedia.org/wiki/Secure_Hash_Algorithm but I wouldn't bother - you have to trust someone.

    Any decent developer will give you the SHA (or another hash). You can then (and should) check it before you install anything to make sure it is theirs and not someone else's file which happens to have the same name.

    If the standard (free) terminal method is too annoying you can use hashtab (from http://implbits.com/products/hashtab/ ). It used to be free but costs a few bob now. Obviously you should check the hash before using it.

    ----------

    EDIT:
    Why? Seems a perfectly reasonable question to me.
     
  7. cool11 macrumors 65816

    Joined:
    Sep 3, 2006
    #7
    I decided to download as a file image from a third-party site, the new osx, sierra, which is free in any case.
    I did it because in my job I have tremendous internet speed, instead of my home.
    But I want to check the checksum.
    Can somebody tell me what is the checksum of sierra, and how to check the image I have?
     
