Using SHA-512 Checksum

Discussion in 'Mac Basics and Help' started by doubledee, Feb 15, 2015.

  1. doubledee macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Arizona
    #1
    I am trying to install FileZilla on my MBP, and came across this article: FileZilla warns of large malware campaign

    Like I'm not already nervous enough... :rolleyes:


    After going back and looking at the filezilla-project.org download page again, I see they offer a SHA-512 hash.

    I have used check sums in the past for MD5 and SHA1, but I can't figure out how to do it for the FileZilla file/packet I just downloaded.

    In my downloads folder I now have this...

    FileZilla_3.10.1.1_macosx-x86.app.tar.bz2

    Is that like a .zip file or something?


    How can I check to make sure that this downloaded file/packet/zip matches the check sum provided on Mozilla's page??


    I found this page in the Mac Developer Library: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/shasum.1.html


    And after looking at it, I did this...

    1.) Open Terminal
    2.) Type shasum -a 512 -c
    3.) Dragged the .bz2 file thingy into Terminal
    4.) Hit Enter


    When I do this I get a page of errors... :(


    How can I check the FileZilla download to be sure it isn't infected with malware???

    Thanks,


    Debbie
     
  2. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #2
  3. doubledee thread starter macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Arizona
    #3
    So how am I supposed to do it then?

    Drag both the downloaded file and the checksum file into Terminal?

    (I tried that and it failed.)

    Code:
    ??z@ý??;ԉؘ/e?뱺DUBG?????Z??d??<??%:?W??l???o?Y??J?I??^*?????8???GtǸA???:?`_q|??~?
                                     ??e|f???9 ?????1?S?B?m\??m?C{Ԡ???: No such file or directory
    ??z@ý??;ԉؘ/e?뱺DUBG?????Z??d??<??%:?W??l???o?Y??J?I??^*	????8???GtǸA???:?`_q|??~?
                                     ??e|f???9 ?????1?S?B?m\??m?C{Ԡ???: FAILED open or read
    shasum: 
    
    

    Debbie
     
  4. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #4
    First, post the exact command line you're using. Copy and paste it exactly as it appears in the Terminal window. Paste it into a post here.


    Second, post the exact URL of the SHA-512 hash file. I looked on the filezilla website and didn't immediately see anything obvious. I'm not going to start guessing what you saw or what you downloaded.

    If it's simply published on a page, then post the URL of that page. By "published on a page", I mean that there is a web page where the hash is shown. This would be distinct from having a separately downloadable file containing the hash.


    Third, this is from the shasum man page:
    When verifying SHA-512/224 or SHA-512/256 checksums, indicate the
    algorithm explicitly using the -a option, e.g.

    shasum -a 512224 -c checksumfile

    The sums are computed as described in FIPS-180-4. When checking, the
    input should be a former output of this program.
    The default mode is to
    print a line with checksum, a character indicating type (`*' for binary,
    ` ' for text, `?' for portable, `^' for BITS), and name for each FILE.
    The part I've hilited in red is an example that shows the correct use of the -c option. In short, the checksumfile is given on the command line. This is why it's important for us to see the exact command line you executed. We can't tell what's wrong with your command line unless we can see your actual command line.

    The part I've hilited in blue should make it clear what a checksumfile should be. Is the checksumfile you downloaded in that format? If not, it won't be usable by shasum.


    I suggest the following command line:
    Code:
    shasum -a 512 PATH_TO_YOUR_FILE_GOES_HERE
    
    The output should be the calculated SHA-512 hash for the file. You can then manually compare it (e.g. by lining it up in a TextEdit window) with the expected SHA-512 hash obtained from the Filezilla website.

    You can also run a simple test of shasum on any file located on your computer. The purpose of this is for you to learn how shasum works. You can then apply what you learn to determine if the hash is correct for the Filezilla download.
     
  5. doubledee, Feb 15, 2015
    Last edited: Feb 15, 2015

    doubledee thread starter macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Arizona
    #5
    chown33,

    First off, didn't mean to be a pain. (I thought I pasted my command above...)


    Still had a hard time understanding what you typed, even though you color-coordinated things for me!

    Here's what I ran in Terminal...
    Code:
    shasum -a 512 -c /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 /path/to/FileZilla_3.10.1.1.sha512
    

    The first file-path is to the zip I downloaded to my Mac from this page...
    https://filezilla-project.org/download.php?show_all=1

    The second file-path is from the CheckSumFile that I downloaded to my Mac at the bottom of the page under Checksums...

    https://filezilla-project.org/download.php?show_all=1


    What is unclear to me is that if shasum is to compare the file I downloaded and the CheckSumFile, then shouldn't BOTH paths be in the command line?!

    (The Manual makes it sound like you just enter in the CheckSumFile when using the -c switch?!)

    ------
    BTW, I got this to work by just doing this...
    Code:
    shasum -a 512 /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 
    
    ...and then manually comparing the results from that to the CheckSum listed on the download page. (It works but is a pain on the eyes!!)

    Sincerely,


    Debbie
     
  6. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #6
    The order of files in your command line is backwards.

    The example from the man page showed the -c option needing a checksumfile. That filename should be first, as the example plainly shows.

    Any remaining files given on the command line would be the files whose hash is to be checked.


    If you still can't get things to work, then open the "FileZilla_3.10.1.1.sha512" file in TextEdit. You can then see what the correct hash should be.

    Then do the simple command line I showed before:
    Code:
    shasum -a 512 /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2
    
    The output will be the calculated hash for the bz2 file. Copy it and paste it into a TextEdit window. Line them up so one line is directly above the other. If there are any differences in the hashes, they should be visually apparent in short order.
     
  7. doubledee thread starter macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Arizona
    #7
    I tried switching things around, but no luck...
    Code:
    user1$ shasum -a 512 -c /Users/user1/Documents/FileZilla_3.10.1.1.sha512 /Users/user1/Documents/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 
    shasum: FileZilla_3.10.1.1_macosx-x86.app.tar.bz2: No such file or directory
    FileZilla_3.10.1.1_macosx-x86.app.tar.bz2: FAILED open or read
    shasum: FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: No such file or directory
    FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: FAILED open or read
    shasum: FileZilla_3.10.1.1_win32-setup.exe: No such file or directory
    FileZilla_3.10.1.1_win32-setup.exe: FAILED open or read
    shasum: FileZilla_3.10.1.1_win32.zip: No such file or directory
    FileZilla_3.10.1.1_win32.zip: FAILED open or read
    shasum: FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: No such file or directory
    FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: FAILED open or read
    shasum: WARNING: 5 of 5 listed files could not be read
    
    Guess I am stuck with the manual process...


    Debbie
     
  8. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #8
    The '-c' option reads a file that contains checksums. That checksum file contains several lines. Each line contains a checksum followed by the name of the file with that checksum. The name of the file that's going to be checked is given in the checksum file, not on the command line.

    In your case, the name of the file you are interested in is 'FileZilla_3.10.1.1_macosx-x86.app.tar.bz2'. The error is that the file with that name is not in your current directory. You need to 'cd Documents' first. Then:

    Code:
    shasum -a 512 -c FileZilla_3.10.1.1.sha512 
    Clearly that checksum file contains other file names. So you will still get errors for the files you didn't download. But you'll get an OK or NOT OK for the file you are interested in.

    Keep in mind that all the checksum can tell you is whether the file transferred OK or not. Not whether it contains malware or not. The checksum has no way to know that.
     
  9. doubledee thread starter macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Arizona
    #9
    I still don't see how your command can work when we haven't given the checksum command the name of the file we want to check?!

    Does it just assume we want to check a file where...

    File Name = *FileZilla_3.10.1.1_macosx-x86.app.tar.bz2

    and

    CheckSum = 74b915e42e2fc2bb712e7a90ab815ac036ed7ce3f882e6ec6d7a3849195a65dd4375e784cf2657775aa7347f419b7b5844f533a173d78f1ce251ba426e8fe6a6

    in the current directory??

    Sincerely,


    Debbie

    P.S. I decided to not use FileZilla since the creator likes to store login credentials in PLAIN-TEXT!!!

    Regardless, I am always open to learning more command-line tricks! :)
     
  10. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #10
    The checksum file contains the name of the file to check.

    Simplified, the checksum file contains lines like this:

    Code:
    a1b2c3d4 file1.txt
    e5f67890 file2.txt
    The first column is the checksum, the second column is the filename. So when you say 'shasum -c checksum_file.txt', the shasum reads the checksum file, uses the filename in the checksum file, computes the checksum and compares to the first column. It will say yes or no.

    So the name of the file to check is in the checksum file. In your example, the file to check wasn't in your current directory so the shasum program couldn't find it to compute the checksum. You have to check your current directory so that the file can be read by the program. Or you could modify the checksum file to put the absolute path of the filename to check.
     
  11. DoFoT9 macrumors P6

    Joined:
    Jun 11, 2007
    Location:
    Singapore
    #11
    Good explanation.

    In all honesty, I'm surprised that there isn't an OS X based (GUI) application that can do this already.. (AppleScript say what).
     
  12. doubledee thread starter macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Arizona
    #12
    Okay, I finally understand now how this command-line stuff works!!

    This time I opened Terminal, typed in cd and then dragged the folder where the Checksum and FileZilla download were located in order to point Terminal to the correct subfolder.

    Then I ran...
    Code:
    shasum -a 512 -c /Users/user1/Documents/FileZilla_3.10.1.1.sha512
    
    ...and got these results...
    Code:
    FileZilla_3.10.1.1_macosx-x86.app.tar.bz2: OK
    
    shasum: FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: No such file or directory
    FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: FAILED open or read
    
    shasum: FileZilla_3.10.1.1_win32-setup.exe: No such file or directory
    FileZilla_3.10.1.1_win32-setup.exe: FAILED open or read
    
    shasum: FileZilla_3.10.1.1_win32.zip: No such file or directory
    FileZilla_3.10.1.1_win32.zip: FAILED open or read
    
    shasum: FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: No such file or directory
    FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: FAILED open or read
    
    shasum: WARNING: 4 of 5 listed files could not be read
    
    user1$ 
    

    Thanks for helping to make me more command-line literate!!! :apple:

    Sincerely,


    Debbie
     
  13. doynton macrumors 6502

    Joined:
    Oct 19, 2014
    #13
