
doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
I am trying to install FileZilla on my MBP, and came across this article: FileZilla warns of large malware campaign

Like I'm not already nervous enough... :rolleyes:


After going back and looking at the filezilla-project.org download page again, I see they offer a SHA-512 hash

I have used check sums in the past for MD5 and SHA1, but I can't figure out how to do it for the FileZilla file/packet I just downloaded.

In my downloads folder I now have this...

FileZilla_3.10.1.1_macosx-x86.app.tar.bz2

Is that like a .zip file or something?


How can I check to make sure that this downloaded file/packet/zip matches the check sum provided on Mozilla's page??


I found this page in the Mac Developer Library: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/shasum.1.html


And after looking at it, I did this...

1.) Open Terminal
2.) Type shasum -a 512 -c
3.) Dragged the .bz2 file thingy into Terminal
4.) Hit Enter


When I do this I get a page of errors... :(


How can I check the FileZilla download to be sure it isn't infected with malware???

Thanks,


Debbie
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
1. When you get a page of errors, post at least one of them, so we can see what you're getting.

2. You're using the -c option incorrectly.
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/shasum.1.html
Please be sure to read the entire man page.

So how am I supposed to do it then?

Drag both the downloaded file and the checksum file into Terminal?

(I tried that and it failed.)

Code:
??z@ý??;ԉؘ/e?뱺DUBG?????Z??d??<??%:?W??l???o?Y??J?I??^*?????8???GtǸA???:?`_q|??~?
                                 ??e|f???9 ?????1?S?B?m\??m?C{Ԡ???: No such file or directory
??z@ý??;ԉؘ/e?뱺DUBG?????Z??d??<??%:?W??l???o?Y??J?I??^*	????8???GtǸA???:?`_q|??~?
                                 ??e|f???9 ?????1?S?B?m\??m?C{Ԡ???: FAILED open or read
shasum:


Debbie
 

chown33

Moderator
Staff member
Aug 9, 2009
10,310
7,609
A sea of green
So how am I supposed to do it then?

First, post the exact command line you're using. Copy and paste it exactly as it appears in the Terminal window. Paste it into a post here.


Second, post the exact URL of the SHA-512 hash file. I looked on the filezilla website and didn't immediately see anything obvious. I'm not going to start guessing what you saw or what you downloaded.

If it's simply published on a page, then post the URL of that page. By "published on a page", I mean that there is a web page where the hash is shown. This would be distinct from having a separately downloadable file containing the hash.


Third, this is from the shasum man page:
When verifying SHA-512/224 or SHA-512/256 checksums, indicate the
algorithm explicitly using the -a option, e.g.

shasum -a 512224 -c checksumfile

The sums are computed as described in FIPS-180-4. When checking, the
input should be a former output of this program.
The default mode is to
print a line with checksum, a character indicating type (`*' for binary,
` ' for text, `?' for portable, `^' for BITS), and name for each FILE.
The part I've hilited in red is an example that shows the correct use of the -c option. In short, the checksumfile is given on the command line. This is why it's important for us to see the exact command line you executed. We can't tell what's wrong with your command line unless we can see your actual command line.

The part I've hilited in blue should make it clear what a checksumfile should be. Is the checksumfile you downloaded in that format? If not, it won't be usable by shasum.


I suggest the following command line:
Code:
shasum -a 512 PATH_TO_YOUR_FILE_GOES_HERE
The output should be the calculated SHA-512 hash for the file. You can then manually compare it (e.g. by lining it up in a TextEdit window) with the expected SHA-512 hash obtained from the Filezilla website.

You can also run a simple test of shasum on any file located on your computer. The purpose of this is for you to learn how shasum works. You can then apply what you learn to determine if the hash is correct for the Filezilla download.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
chown33,

First off, didn't mean to be a pain. (I thought I pasted my command above...)


Still had a hard time understanding what you typed, even though you color-coordinated things for me!

Here's what I ran in Terminal...
Code:
shasum -a 512 -c /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 /path/to/FileZilla_3.10.1.1.sha512


The first file-path is to the zip I downloaded to my Mac from this page...
https://filezilla-project.org/download.php?show_all=1
Client Download

The latest stable version of FileZilla Client is 3.10.1.1

Please select the file appropriate for your platform below.

FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 Show file details

Requires OS X 10.7 or newer


The second file-path is from the CheckSumFile that I downloaded to my Mac at the bottom of the page under Checksums...

https://filezilla-project.org/download.php?show_all=1


What is unclear to me is that if shasum is to compare the file I downloaded and the CheckSumFile, then shouldn't BOTH paths be in the command line?!

(The Manual makes it sound like you just enter in the CheckSumFile when using the -c switch?!)

------
BTW, I got this to work by just doing this...
Code:
shasum -a 512 /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2

...and then manually comparing the results from that to the CheckSum listed on the download page. (It works but is a pain on the eyes!!)

Sincerely,


Debbie
 

chown33

Moderator
Staff member
Aug 9, 2009
10,310
7,609
A sea of green
chown33,

Still had a hard time understanding what you typed, even though you color-coordinated things for me!

Here's what I did in Terminal...
Code:
shasum -a 512 -c /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 /path/to/FileZilla_3.10.1.1.sha512


The first file and path is from the zip I downloaded here...



The second file and path are from the CheckSumFile I downloaded at the bottom of the page under Checksums...

https://filezilla-project.org/download.php?show_all=1


What is unclear to me is that if shasum is to compare the file I downloaded and the CheckSumFile, then shouldn't both be in the command line command?!


Debbie

The order of files in your command line is backwards.

The example from the man page showed the -c option needing a checksumfile. That filename should be first, as the example plainly shows.

Any remaining files given on the command line would be the files whose hash is to be checked.


If you still can't get things to work, then open the "FileZilla_3.10.1.1.sha512" file in TextEdit. You can then see what the correct hash should be.

Then do the simple command line I showed before:
Code:
shasum -a 512 /path/to/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2
The output will be the calculated hash for the bz2 file. Copy it and paste it into a TextEdit window. Line them up so one line is directly above the other. If there are any differences in the hashes, they should be visually apparent in short order.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
I tried switching things around, but no luck...
Code:
user1$ shasum -a 512 -c /Users/user1/Documents/FileZilla_3.10.1.1.sha512 /Users/user1/Documents/FileZilla_3.10.1.1_macosx-x86.app.tar.bz2 
shasum: FileZilla_3.10.1.1_macosx-x86.app.tar.bz2: No such file or directory
FileZilla_3.10.1.1_macosx-x86.app.tar.bz2: FAILED open or read
shasum: FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: No such file or directory
FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: FAILED open or read
shasum: FileZilla_3.10.1.1_win32-setup.exe: No such file or directory
FileZilla_3.10.1.1_win32-setup.exe: FAILED open or read
shasum: FileZilla_3.10.1.1_win32.zip: No such file or directory
FileZilla_3.10.1.1_win32.zip: FAILED open or read
shasum: FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: No such file or directory
FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: FAILED open or read
shasum: WARNING: 5 of 5 listed files could not be read

Guess I am stuck with the manual process...


Debbie
 

mfram

Contributor
Jan 23, 2010
1,278
327
San Diego, CA USA
The '-c' option reads a file that contains checksums. That checksum file contains several lines. Each line contains a checksum followed by the name of the file with that checksum. The name of the file that's going to be checked is given in the checksum file, not on the command line.

In your case, the name of the file you are interested in is 'FileZilla_3.10.1.1_macosx-x86.app.tar.bz2'. The error is that the file with that name is not in your current directory. You need to 'cd Documents' first. Then:

Code:
shasum -a 512 -c FileZilla_3.10.1.1.sha512

Clearly that checksum file contains other file names. So you will still get errors for the files you didn't download. But you'll get an OK or NOT OK for the file you are interested in.

Keep in mind that all the checksum can tell you is whether the file transferred OK or not. Not whether it contains malware or not. The checksum has no way to know that.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
The '-c' option reads a file that contains checksums. That checksum file contains several lines. Each line contains a checksum followed by the name of the file with that checksum. The name of the file that's going to be checked is given in the checksum file, not on the command line.

In your case, the name of the file you are interested in is 'FileZilla_3.10.1.1_macosx-x86.app.tar.bz2'. The error is that the file with that name is not in your current directory. You need to 'cd Documents' first. Then:

Code:
shasum -a 512 -c FileZilla_3.10.1.1.sha512

Clearly that checksum file contains other file names. So you will still get errors for the files you didn't download. But you'll get an OK or NOT OK for the file you are interested in.

Keep in mind that all the checksum can tell you is whether the file transferred OK or not. Not whether it contains malware or not. The checksum has no way to know that.

I still don't see how your command can work when we haven't given the checksum command the name of the file we want to check?!

Does it just assume we want to check a file where...

File Name = *FileZilla_3.10.1.1_macosx-x86.app.tar.bz2

and

CheckSum = 74b915e42e2fc2bb712e7a90ab815ac036ed7ce3f882e6ec6d7a3849195a65dd4375e784cf2657775aa7347f419b7b5844f533a173d78f1ce251ba426e8fe6a6

in the current directory??

Sincerely,


Debbie

P.S. I decided to not use FileZilla since the creator likes to store login credentials in PLAIN-TEXT!!!

Regardless, I am always open to learning more command-line tricks! :)
 

mfram

Contributor
Jan 23, 2010
1,278
327
San Diego, CA USA
The checksum file contains the name of the file to check.

Simplified, the checksum file contains lines like this:

Code:
a1b2c3d4 file1.txt
e5f67890 file2.txt

The first column is the checksum, the second column is the filename. So when you say 'shasum -c checksum_file.txt', the shasum reads the checksum file, uses the filename in the checksum file, computes the checksum and compares to the first column. It will say yes or no.

So the name of the file to check is in the checksum file. In your example, the file to check wasn't in your current directory so the shasum program couldn't find it to compute the checksum. You have to check your current directory so that the file can be read by the program. Or you could modify the checksum file to put the absolute path of the filename to check.
 

DoFoT9

macrumors P6
Jun 11, 2007
17,586
96
London, United Kingdom
The checksum file contains the name of the file to check.

Simplified, the checksum file contains lines like this:

Code:
a1b2c3d4 file1.txt
e5f67890 file2.txt

The first column is the checksum, the second column is the filename. So when you say 'shasum -c checksum_file.txt', the shasum reads the checksum file, uses the filename in the checksum file, computes the checksum and compares to the first column. It will say yes or no.

So the name of the file to check is in the checksum file. In your example, the file to check wasn't in your current directory so the shasum program couldn't find it to compute the checksum. You have to check your current directory so that the file can be read by the program. Or you could modify the checksum file to put the absolute path of the filename to check.

Good explanation.

In all honesty, I'm surprised that there isn't an OS X based (GUI) application that can do this already.. (AppleScript say what).
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
So the name of the file to check is in the checksum file. In your example, the file to check wasn't in your current directory so the shasum program couldn't find it to compute the checksum. You have to check your current directory so that the file can be read by the program. Or you could modify the checksum file to put the absolute path of the filename to check.

Okay, I finally understand now how this command-line stuff works!!

This time I opened Terminal, typed in cd and then dragged the folder where the Checksum and FileZilla download were located in order to point Terminal to the correct subfolder.

Then I ran...
Code:
shasum -a 512 -c /Users/user1/Documents/FileZilla_3.10.1.1.sha512

...and got these results...
Code:
FileZilla_3.10.1.1_macosx-x86.app.tar.bz2: OK

shasum: FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: No such file or directory
FileZilla_3.10.1.1_i586-linux-gnu.tar.bz2: FAILED open or read

shasum: FileZilla_3.10.1.1_win32-setup.exe: No such file or directory
FileZilla_3.10.1.1_win32-setup.exe: FAILED open or read

shasum: FileZilla_3.10.1.1_win32.zip: No such file or directory
FileZilla_3.10.1.1_win32.zip: FAILED open or read

shasum: FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: No such file or directory
FileZilla_3.10.1.1_x86_64-linux-gnu.tar.bz2: FAILED open or read

shasum: WARNING: 4 of 5 listed files could not be read

user1$


Thanks for helping to make me more command-line literate!!! :apple:

Sincerely,


Debbie
 