Trust, But Verify (Downloads)

amyshackles

Amy Shackles

Posted on July 13, 2020

Trust, But Verify (Downloads)

Have you ever downloaded something from the internet and noticed that the site you're downloading from has a message about verifying the integrity of the downloaded package? Have you ever been curious how to go about doing that, so clicked the link, only to see a jumble of text displayed? Believe me, I know the feeling.

While the task of acquiring the SHA256 value of a downloaded file is easy to figure out (there are plenty of resources online on how to do that), most of the examples out there seem to only go that far, relying on your ability to spot the difference visually between the two outputs.

My friends, there is a better way.

Option 1: Echo!

1) After downloading the package you want to verify, make a note of where that file is. If it makes it easier, cd into the containing folder so that you don't need to specify the path to it.
2) Copy the SHA256 value from the download site that corresponds with the package you downloaded (that's going to be all the letters/numbers before the spaces and the file name)
3) In your terminal shell, type the command:

echo "${Copied 256 Value}  /path/to/downloaded/file" | shasum -a 256 -c
Enter fullscreen mode Exit fullscreen mode

Let's break that down.

The echo command will write the copied value to standard out. The quotation marks ensures that the whitespace is maintained... the two spaces between the SHA256 and the filepath is important. From the man page for shasum, the second space character is for specifying that the type should be text. It should be noted that in lieu of a space character, you could also set the mode to binary and provide the mode character '*'
The | (pipe character) passes the output (stdout) of the previous command to the input (stdin) of the next, so now the shasum command has the values we just passed to stdout
The -a flag is shorthand for -algorithm and tells shasum which type of SHA to calculate. In this example, we're working with SHA256, so we pass 256 to the -a flag.
The -c flag is shorthand for --check

Example:

 echo "ef0ca4924922514b6ad71469998821f2cf7c596b4b8b59736c3699759e0f1df8  Downloads/VirtualBox-6.1.10-138449-OSX.dmg" | shasum -a 256 -c
Enter fullscreen mode Exit fullscreen mode

Option 2: Why Echo When You Can Redirect?

1) After downloading the package you want to verify, make a note of where that file is. If it makes it easier, cd into the containing folder so that you don't need to specify the path to it.
2) Copy the SHA256 value from the download site that corresponds with the package you downloaded (that's going to be all the letters/numbers before the spaces and the file name)
3) In your terminal shell, type the command:

shasum -a 256 -c <<< "${Copied SHA256 value}  /path/toDownload"
Enter fullscreen mode Exit fullscreen mode

Example:

shasum -a 256 -c <<< "ef0ca4924922514b6ad71469998821f2cf7c596b4b8b59736c3699759e0f1df8 *Downloads/VirtualBox-6.1.10-138449-OSX.dmg"
Enter fullscreen mode Exit fullscreen mode

Result

Whichever option you choose, if your SHA256 values match, you should get a response like:

Downloads/VirtualBox-6.1.10-138449-OSX.dmg: OK
Enter fullscreen mode Exit fullscreen mode
💖 💪 🙅 🚩
amyshackles
Amy Shackles

Posted on July 13, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Trust, But Verify (Downloads)
checksum Trust, But Verify (Downloads)

July 13, 2020