Identical OS X Installers have different sizes. Why? Checksum?

Discussion in 'macOS' started by tennisproha, Sep 7, 2016.

  1. tennisproha, Sep 7, 2016
    Last edited: Sep 7, 2016

    tennisproha macrumors 65816

    Jun 24, 2011
    I'm downloading past OS X Installers from the Mac App Store for safekeeping and I keep ending up with different sizes for identical versions. They are all off by a few bytes. This is the first time I've noticed but I do have a fast connection and not a lot of traffic late at night. Why is this?

    Also, Is there a way to checksum with Apple to check the integrity of the file? I don't see a hash posted anywhere. (I'm fairly new to this stuff though so please throughly explain any procedures.) ;)

    I've attached a screenshot of El Capitan and Yosemite Installers for comparison. 'Version' shows the identical versions and 'Size' shows the size differences:

    Screen Shot 2016-09-07 at 4.26.03 AM.png
  2. Isamilis macrumors 6502a

    Apr 3, 2012
    It happen also for me. I just ignored it and use the latest download though. I think it because of the downloaded file is in application format instead of disk image (DMG).
  3. Floris macrumors 68020


    Sep 7, 2007
    Try this ;)

    Store one in one directory
    And the other in another directory

    And then compare?
  4. Weaselboy Moderator


    Staff Member

    Jan 23, 2005
    That .app file is generated dynamically every time you download it since it has your AppleID information in the file, so it is no surprise it is a bit different each time. The checksum would be different each time also for this same reason. Similarly, mine will be different than yours for the same reason.

    What is the same for everybody though is the InstallESD.dmg file inside that application. Apple does not publish the checksum for that, but you can usually find others who have posted it (like here)

    But the installer verifies the file anyway when you run it, so there is no need for concern.

  5. tennisproha, Sep 7, 2016
    Last edited: Sep 7, 2016

    tennisproha thread starter macrumors 65816

    Jun 24, 2011
    Thank you. That was very comprehensive and literally answered any follow-up questions I might have had. I really appreciate it!

    On a related note, besides the different types of checksums, why are there different commands for verifying the same checksum? For instance, with SHA-1, you have:
    openssl sha1
    shasum -a 1
    etc... What's the difference?
  6. grahamperrin, Sep 9, 2016
    Last edited: Sep 9, 2016

    grahamperrin macrumors 601


    Jun 8, 2007
    I thought the same thing, but then discovered that for at least one installer: it's no longer true.

    Alternative shasum 0e063fd87d5b0a4f68dbd35da95b2018748f88eb for InstallESD.dmg for OS X 10.10.5

    With apologies for casting doubt (I'll never find the resources to investigate this for myself) … that page is about single updates. I guess, typically a single .pkg file (or .mpkg metapackage file, although I don't expect Apple to use that phrase in a how-to).

    Within an Apple-provided InstallESD.dmg is each and every package/metapackage signed? And if so, is every signed item automatically verified during Apple's OS installation routine?

    Further: could someone create a variation of Apple's .dmg that includes a simple unsigned script to run an unsigned .pkg or .mpkg? If the answer to this question is yes, then attention to the checksum of the containing .dmg becomes important.

Share This Page