Command for Verifying the SHA256 checksum in the Terminal

grant's Avatar

grant

10 Jul, 2021 11:11 PM

Just read How to verify the downloaded GPG Suite? and it rocks.

When I got to the step about verifying the SHA256 checksum

The resulting SHA256 checksum must match the SHA256 checksum on https://gpgtools.org.

I got really lazy because visually comparing sixty-four characters in the checksum character-by-character is difficult!

Instead I just ran a shell one-liner to verify it at the command line by copying in the checksum generated here and the one I copied from the website (for sake of simplicity I cut off the checksum):

if [ "383bd..." = "383bd..." ]; then echo "Checksum is: Correct."; else echo "Checksum is: *Incorrect*."; fi

Since everyone is already using the Terminal to perform the validation we know that it is present, we are already there and we can run it once we copy the value from the site.

Pre Catalina the default shell is Bash; Catalina and following it is zsh so I tried to test both. I'm on Mojave so I tested the one-liner on Bash V3.2.57 (default), Bash v5.1.8 (I installed it), and zsh v5.3 (I installed that too) and it worked correctly on each of them.

That helped me a lot to feel better that I was actually confirming that checksum's matched so I wanted to share it.

Thanks for your great product.

  1. 1 Posted by grant on 10 Jul, 2021 11:31 PM

    grant's Avatar

    Here are the actual steps that I did:

    Need to verify the DMG download is correct.

    Automate the 64 character comparison with this comparison code.

    if [ "Created Sum." = "Downloaded Sum." ]; then echo "Checksum is: Correct.";
    else echo "Checksum is: Not Correct."; fi
    

    Get the created sum.

    shasum --algorithm 256 --binary GPG_Suite-2021.1_105.dmg
    

    It is:

    383bd6ab4791ee51e0f67955ad1ab70bb3a2a1e5c71f6a7f42f53b92684106e0
    *GPG_Suite-2021.1_105.dmg
    

    Replace "Created Sum." in the comparison code with that first part, not that second part, not the space, nor the file name.

    Go to the home page, hover over the SHA256 popup to see the first few digits (currently can't copy and paste from the popup but that is addressed in another report), edit the source, and search for "SHA256", find the first few digits (it will be obvious), copy the entire value, and replace "Downloaded Sum." with it in the comparison code.

    if [ "383bd6ab4791ee51e0f67955ad1ab70bb3a2a1e5c71f6a7f42f53b92684106e0" = "383bd6ab4791ee51e0f67955ad1ab70bb3a2a1e5c71f6a7f42f53b92684106e0" ]; then echo "Checksum is: Correct.";
    else echo "Checksum is: Not Correct."; fi
    

    Run that code in the Terminal.

    Now it should print out

    Checksum is: Correct.
    

    It is good!

    The download is correct.

  2. Support Staff 2 Posted by Steve on 11 Jul, 2021 11:21 AM

    Steve's Avatar

    Hi Grant,

    thanks so much for taking the time to share this feedback. We will see if we can add it to our KB article. Please allow some time for this as we will have to discuss this.

    Obviously copy pasting the checksum from the website should be much easier as well.

    Have a great weekend,
    Steve

  3. 3 Posted by grant on 11 Jul, 2021 03:31 PM

    grant's Avatar

    Thank you Steve.

    What you all do is greatly appreciated.

    Have a pleasant weekend.

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac