How to quickly check a file's checksum in OS X
When you download application installers and other files from the Internet, you may see a verification checksum associated with it. Here is how to use that number.
When you download a file in OS X, often the site issuing it may have a SHA (Secure Hash Algorithm) checksum listed, which you can use to verify the file. Checksums are a quick algorithm that takes select parts of a file and performs a quick computation on them (summing, multiplying, and otherwise combining them) that results in a number or code that should be unique to that file's contents. Since the sums are computed using data from all parts of the file, the sum is an indicator of file integrity, and can be used to verify the version of a file received is the same as that made available at the source (i.e., there's been no tampering).
If you see a SHA checksum listed with a file, you may wonder how to use it. For instance, the popular VideoLAN Client media player was recently updated to version 2.1, and if you download the disk image file containing the software, you will see a SHA checksum listed next to the download link. Apple also often includes a SHA checksum with its downloads, as you can see listed on its recently issued iTunes 11.1 update page. Without knowing what to do, this number means nothing.
To verify the checksum, first proceed with the download and wait for it to complete. Then open the Terminal application in OS X and type the command "shasum" followed by a single space. After you do this, locate the downloaded disk image file, and drag it to the Terminal window to complete the full path to the image file.
Then press Enter to execute the command, and a SHA checksum will be computed for the file. Now compare this locally computed checksum to the one listed on the download Web site, and if they match, the file has been verified. If the file you have does not match the one on the Web site, it could be that the file on the site has been updated or otherwise changed and the developer forgot to update the checksum, or it could be from corruption in the file during the transfer, or from unsolicited tampering with the file. Either way, if the checksums do not match, contact the developer before opening it.
Another common checksum routine is the md5 checksum, which can be checked similarly by running the command "md5" in the Terminal in a similar way as the "shasum" command mentioned above.