Apple - Need a cli to check the sha256 hash of a file
You can use
openssl dgst -sha256 <file>
Tested on LibreSSL 2.6.4 on macOS 10.14 (Mojave).
Prior to Mojave you can use openssl sha -sha256 <file>
or openssl sha256 <file>
.
To check command line options for the openssl sha command: openssl sha -help
.
OS X ships with a shasum command.
> which shasum
/usr/bin/shasum
You can use:
> shasum -a 256 <file>
More details:
> shasum --help
Usage: shasum [OPTION]... [FILE]...
Print or check SHA checksums.
With no FILE, or when FILE is -, read standard input.
-a, --algorithm 1 (default), 224, 256, 384, 512, 512224, 512256
-b, --binary read in binary mode
-c, --check read SHA sums from the FILEs and check them
-t, --text read in text mode (default)
-p, --portable read in portable mode
produces same digest on Windows/Unix/Mac
-0, --01 read in BITS mode
ASCII '0' interpreted as 0-bit,
ASCII '1' interpreted as 1-bit,
all other characters ignored
The following two options are useful only when verifying checksums:
-s, --status don't output anything, status code shows success
-w, --warn warn about improperly formatted checksum lines
-h, --help display this help and exit
-v, --version output version information and exit
When verifying SHA-512/224 or SHA-512/256 checksums, indicate the
algorithm explicitly using the -a option, e.g.
shasum -a 512224 -c checksumfile
The sums are computed as described in FIPS-180-4. When checking, the
input should be a former output of this program. The default mode is to
print a line with checksum, a character indicating type (`*' for binary,
` ' for text, `?' for portable, `^' for BITS), and name for each FILE.
Report shasum bugs to [email protected]
To clarify @John's useful answer - which allows you to compare a given hash with its file in one command:
Enter shasum -a 256 -c <<<
,
followed by an optional space,
followed by a single tick ('
),
followed by the hash to compare,
followed by a space,
followed by a mode character, based on how the initial hash was generated:
nothing, if the hash was created with
-t
or no option (text mode, which is the default)asterisk (
*
), if the hash was created with-b
(binary mode)question mark (
?
), if the hash was created with-p
(portable mode)caret (
^
), if the hash was created with-0
(bits mode)
followed by the path to the file,
followed by a closing single tick ('
).
Like the following breakdown, with delineating parens around the hash and filepath parts, and square brackets around the optional "mode character" part. (Don't include the parens or brackets in real life - they're just here to make the parts easy to see!)
shasum -a 256 -c <<< '(hashToCompare) [mode character](filepath)'
Broken down:
The actual shasum command is shasum -a 256 -c
-a 256
tellsshasum
to use sha256.-c
tellsshasum
to "check" the provided input.
The <<<
is a Unix/Linux special character set, called a "redirection" operator. It's for feeding something into a prior command. By using it, we're saying we're going to provide a string of information for the shasum
command to use as input.
The string of input information must have opening and closing single ticks, such as 'some string here'
, or in this case, the hash, mode character, and filepath to be checked.
The hash part inside the string doesn't need anything special - but it must be followed by a space.
The mode character part can be nothing, an asterisk (
*
), a question mark (?
), or a caret (^
). This tellsshasum
the mode with which the hash was generated. (Note: no character at all, representing text mode, isshasum
's default.)The filepath part, is the actual path to the file to be checked.
So, here's a real-life example checking a particular MAMP download file against it's purported SHA-256 value. The *
mode character was required for this check to work:
shasum -a 256 -c <<< 'f05ede012b8a5d0e7c9cf17fee0fa1eb5cd8131f3c703ed14ea347f25be11a28 *MAMP_MAMP_PRO_5.2.pkg'
Note: the result of this command (for my example file) is either -
OK:
MAMP_MAMP_PRO_5.2.pkg: OK
or
FAILED:
MAMP_MAMP_PRO_5.2.pkg: FAILED
shasum: WARNING: 1 computed checksum did NOT match