Check SHA1 Checksum in Mac OS X
SHA hashing is frequently used with distribution control systems to determine revisions and to check data integrity by detecting file corruption or tampering. For common usage, a SHA checksum provides a string that can be used to verify a file been transferred as intended. If SHA checksums match, the files integrity has been maintained.
Checking SHA1 Hash in Mac OS X
Launch the Terminal, found within the Applications and Utilities folder, and use the following syntax:
To verify a file named “DownloadedFile.dmg” on the desktop, it would be:
This will output something like this:
$ shasum ~/Desktop/CheckMe.zip
That long hexadecimal string is the SHA1 hash.
An easy way to check SHA1 files buried deep in the file system without typing out the full path, is to type the first part of the command then drag and drop the file into the Terminal window. This automatically types the path for you:
shasum (drag and drop file here)
Remember to put a space after “shasum” for this to work properly.
The default for the shasum command is to use SHA1, the most common hash type, but this can be changed with the -a flag if necessary to 224, 256, 384, or 512. Also, though SHA1 is becoming more common than MD5, you can still easily check md5 hash in Mac OS X as well with the md5 command.
Examples of Using SHA1 to Verify Files
A practical use that Mac users may encounter is when downloading software updates directly from Apple, who lists the SHA1 hash of each file offered through their servers at the end of each downloads page. You can see such a string highlighted in the screenshot below. This string allows users to easily verify the integrity of their downloads either from Apple or when the file has been hosted on a third party mirror site.
This is also how it was discovered that OS X 10.7.3 had been quietly updated, and several questions about this spawned this post.
Using SHA1 hash strings are also an easy way to verify file transfers from peer to peer networks and to make sure a download has finished, or that a file was not tampered with somewhere along the line. By knowing the origin SHA1 checksum, you can verify your version of the file(s) in question matches, and determine if the file is indeed valid and has arrived as intended.