Apple - Need a cli to check the sha256 hash of a file

You can use

openssl dgst -sha256 <file>

Tested on LibreSSL 2.6.4 on macOS 10.14 (Mojave).


Prior to Mojave you can use openssl sha -sha256 <file> or openssl sha256 <file>.

To check command line options for the openssl sha command: openssl sha -help.


OS X ships with a shasum command.

> which shasum
/usr/bin/shasum

You can use:

> shasum -a 256 <file>

More details:

> shasum --help
Usage: shasum [OPTION]... [FILE]...
Print or check SHA checksums.
With no FILE, or when FILE is -, read standard input.

  -a, --algorithm   1 (default), 224, 256, 384, 512, 512224, 512256
  -b, --binary      read in binary mode
  -c, --check       read SHA sums from the FILEs and check them
  -t, --text        read in text mode (default)
  -p, --portable    read in portable mode
                        produces same digest on Windows/Unix/Mac
  -0, --01          read in BITS mode
                        ASCII '0' interpreted as 0-bit,
                        ASCII '1' interpreted as 1-bit,
                        all other characters ignored

The following two options are useful only when verifying checksums:
  -s, --status      don't output anything, status code shows success
  -w, --warn        warn about improperly formatted checksum lines

  -h, --help        display this help and exit
  -v, --version     output version information and exit

When verifying SHA-512/224 or SHA-512/256 checksums, indicate the
algorithm explicitly using the -a option, e.g.

  shasum -a 512224 -c checksumfile

The sums are computed as described in FIPS-180-4.  When checking, the
input should be a former output of this program.  The default mode is to
print a line with checksum, a character indicating type (`*' for binary,
` ' for text, `?' for portable, `^' for BITS), and name for each FILE.

Report shasum bugs to [email protected]

To clarify @John's useful answer - which allows you to compare a given hash with its file in one command:

Enter shasum -a 256 -c <<<,
followed by an optional space,
followed by a single tick ('),
followed by the hash to compare,
followed by a space,
followed by a mode character, based on how the initial hash was generated:

  • nothing, if the hash was created with -t or no option (text mode, which is the default)

  • asterisk (*), if the hash was created with -b (binary mode)

  • question mark (?), if the hash was created with -p (portable mode)

  • caret (^), if the hash was created with -0 (bits mode)

followed by the path to the file,
followed by a closing single tick (').

Like the following breakdown, with delineating parens around the hash and filepath parts, and square brackets around the optional "mode character" part. (Don't include the parens or brackets in real life - they're just here to make the parts easy to see!)

shasum -a 256 -c <<< '(hashToCompare) [mode character](filepath)'

Broken down:

The actual shasum command is shasum -a 256 -c

  • -a 256 tells shasum to use sha256.

  • -c tells shasum to "check" the provided input.

The <<< is a Unix/Linux special character set, called a "redirection" operator. It's for feeding something into a prior command. By using it, we're saying we're going to provide a string of information for the shasum command to use as input.

The string of input information must have opening and closing single ticks, such as 'some string here', or in this case, the hash, mode character, and filepath to be checked.

  • The hash part inside the string doesn't need anything special - but it must be followed by a space.

  • The mode character part can be nothing, an asterisk (*), a question mark (?), or a caret (^). This tells shasum the mode with which the hash was generated. (Note: no character at all, representing text mode, is shasum's default.)

  • The filepath part, is the actual path to the file to be checked.


So, here's a real-life example checking a particular MAMP download file against it's purported SHA-256 value. The * mode character was required for this check to work:

shasum -a 256 -c <<< 'f05ede012b8a5d0e7c9cf17fee0fa1eb5cd8131f3c703ed14ea347f25be11a28 *MAMP_MAMP_PRO_5.2.pkg'

Note: the result of this command (for my example file) is either -

OK:

MAMP_MAMP_PRO_5.2.pkg: OK

or

FAILED:

MAMP_MAMP_PRO_5.2.pkg: FAILED
shasum: WARNING: 1 computed checksum did NOT match