When we download or exchange a file, we need to be sure of the integrity of the file we have downloaded or exchanged.
By integrity, we mean checking if the file was corrupted or tampered with during download.
To ensure that the iso or any other file we downloaded is the same file as the one at the source, we do a Checksum verification.
Think of a Checksum as a digital fingerprint (a long string of numbers and letters) used to verify the integrity of a downloaded file.
Here’s how to do a Checksum verification when you download a file to the Mac.
Major sites in the open source universe provide the md5 or shasum as a string of numbers when you download an OS like Ubuntu or an application. Copy the md5 or shasum number to a notepad so that you can compare it with the Checksum you generate.
Load up the terminal and run the md5 or shasum commands to verify the Checksums of your download.
If your md5 or shasum output matches the one listed on the download site, then your file integrity is good. You can assume that the file has not been corrupted or tampered with during download.
Some security experts consider the SHA-256 algorithm to be stronger than md5, but that’s a subject for a different discussion.
Let’s now find out how to generate a Checksum for our downloads and verify their integrity.
Generate MD5 Checksum
If you’re verifying the md5 of an iso file, go with the below command on the terminal of your Mac.
If your file is in a different folder, run the below command.
So if your dmg file is in the Documents folder, the command would be as follows:
Let’s look at an example of an md5 verification.
I recently downloaded Ubuntu 14.04 to my Mac so that I could use it with the VirtualBox 5.0 virtualization software.
After downloading Ubuntu 14.04 to the Mac, I checked its md5 sum and compared it to the md5 provided on the Ubuntu web site.
Here’s the command I ran on the terminal to check the md5 of the Ubuntu download.
thomas@thomasmac~$ md5 /Users/thomas/Downloads/ubuntu-14.04.2-desktop-amd64.iso
MD5 (/Users/thomas/Downloads/ubuntu-14.04.2-desktop-amd64.iso) = 1b305d585b1918f297164add46784116
thomas@thomasmac~$
When I compared the md5 I generated above with the md5 number on the Ubuntu web site, they matched, suggesting that the integrity of my download was good.
Here’s another way to check the md5 Checksum:
openssl md5 file.iso
Let’s now consider how to check the shasum of a file via the terminal.
Generate SHA-1 Checksum
shasum -a 1 file.iso
If your downloaded file is in a different folder, use the below command.
shasum -a 1 /path/to/file
Alternatively, type the first part of the command (shasum -a 1) and then drag and drop the file into the terminal window. This will type the full path for you; press Return to generate the SHA-1 checksum.
Generate SHA-256 Checksum
shasum -a 256 file.dmg
If the file you downloaded happens to be in a different folder, use the below command.
shasum -a 256 /path/to/file
In the below example, I’m checking the shasum256 of the VirtualBox 5.0 virtualization software I downloaded recently to the Mac:
$ shasum -a 256 /Users/thomasmac/Downloads/VirtualBox-5.0.0-101573-OSX.dmg
4e27a30af6e4b0f6b1ea69485237d52fc57e6b5608cc234c9480ac0538b31402  /Users/thomasmac/Downloads/VirtualBox-5.0.0-101573-OSX.dmg
As with md5, compare the shasum output from the terminal commands to the source and see if they match.
If the two numbers match, then the integrity of your file download is good.
In the above example, I’m happy to report that the shasum256 number I generated matched the shasum256 provided on the VirtualBox web site.