Jul 202015

How to Verify Checksum on MacWhen we download or exchange a file, we need to be sure of the integrity of the file we have downloaded or exchanged.

By integrity, we mean checking if the file was corrupted or tampered with during download.

To ensure that the iso or any other file we downloaded is the same file as the one at the source, we do a Checksum verification.

Think of Checksum as a digital signature (comprising of a long string of numbers) used to verify the integrity of a downloaded file.

Checksum Verification

Here’s how to do a Checksum verification when you download a file to the Mac.

Major sites in the open source universe provide the md5 or shasum as a string of numbers when you download an OS like Ubuntu or an application. Copy the md5 or shasum number to a notepad so that you can compare it with the Checksum you generate.

Load up the terminal and run the md5 or shasum commands to verify the Checksums of your download.

If your md5 or shasum output matches the one listed on the download site, then your file integrity is good. You can assume that the file has not been corrupted or tampered during download.

Some security experts consider the shasum256 algorithm to be stronger compared to md5 but that’s a subject for a different discussion.

Let’s now find out how to generate a Checksum for our downloads and verify their integrity.

Generate MD5 Checksum

If you’re verifying the md5 of an iso file, go with the below command on the terminal of your Mac.

md5 file.iso

If your file is in a different folder, run the below command.

md5 /path/to/file

So if your dmg file is in the Documents folder,the command would be as follows:

md5 /Documents/mydownload.dmg

Let’s look at an example of a md5 verification.

I recently downloaded Ubuntu 14.04 to my Mac so that I could use it with the VirtualBox 5.0 virtualization software.

After downloading Ubuntu 14.04 to the Mac, I checked its md5 sum and compared it to the md5 provided on the Ubuntu web site.

Here’s the command I ran on the terminal to check the md5 of the Ubuntu download.

thomas@thomasmac~$md5 /Users/thomas/Downloads/ubuntu-14.04.2-desktop-amd64.iso
MD5 (/Users/thomas/Downloads/ubuntu-14.04.2-desktop-amd64.iso) = 1b305d585b1918f297164add46784116

When I compared the md5 I generated above with the md5 number on the Ubuntu web site, they matched suggesting that the integrity of my download was good.

Here’s another way to check the md5 Checksum:

openssl md5 file.iso

Let’s now conside how to check the shasum of a file via the terminal.

Generate SHA-1 Checksum

shasum -a 1 file.iso

If your downloaded file is in a different folder, use the below command.

shasum -a 1 /path/to/file

Alternatively, type the first part of the command (shasum -a 1) and then drag and drop the file into the terminal window. This will type the full path and generate the sha 1 checksum.

Generate SHA-256 Checksum

shasum -a 256 file.dmg

If the file you downloaded happens to be in a different folder, use the below command.

shasum -a 256 /path/to/file

In the below example, I’m checking the shasum256 of the VirtualBox 5.0 virtualization software I downloaded recently to the Mac:

$ shasum -a 256 /Users/thomasmac/Downloads/VirtualBox-5.0.0-101573-OSX.dmg
4e27a30af6e4b0f6b1ea69485237d52fc57e6b5608cc234c9480ac0538b31402  /Users/thomasmac/Downloads/VirtualBox-5.0.0-101573-OSX.dmg

As with md5, compare the shasum output from the terminal commands to the source and see if they match.

If the two numbers match, then the integrity of your file download is good.

In the above example, I’m happy to report that the shasum256 number I generated matched the shasum256 provided on the VirtualBox web site.

 Posted by at 11:40 am

Sorry, the comment form is closed at this time.