How to quickly check a file's checksum in OS X

When you download application installers and other files from the Internet, you may see a verification checksum associated with it. Here is how to use that number.

Topher Kessler MacFixIt Editor

Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

See full bio

Topher Kessler

Sept. 27, 2013 12:05 p.m. PT

2 min read

When you download a file in OS X, often the site issuing it may have a SHA (Secure Hash Algorithm) checksum listed, which you can use to verify the file. Checksums are a quick algorithm that takes select parts of a file and performs a quick computation on them (summing, multiplying, and otherwise combining them) that results in a number or code that should be unique to that file's contents. Since the sums are computed using data from all parts of the file, the sum is an indicator of file integrity, and can be used to verify the version of a file received is the same as that made available at the source (i.e., there's been no tampering).

If you see a SHA checksum listed with a file, you may wonder how to use it. For instance, the popular VideoLAN Client media player was recently updated to version 2.1, and if you download the disk image file containing the software, you will see a SHA checksum listed next to the download link. Apple also often includes a SHA checksum with its downloads, as you can see listed on its recently issued iTunes 11.1 update page. Without knowing what to do, this number means nothing.

Shasum computation in OS X — After running the "shasum" command, you can compare the output number with that provided on the developer's site, to verify the integrity of the downloaded file before opening it (click image for larger view). Screenshot by Topher Kessler/CNET

To verify the checksum, first proceed with the download and wait for it to complete. Then open the Terminal application in OS X and type the command "shasum" followed by a single space. After you do this, locate the downloaded disk image file, and drag it to the Terminal window to complete the full path to the image file.

Then press Enter to execute the command, and a SHA checksum will be computed for the file. Now compare this locally computed checksum to the one listed on the download Web site, and if they match, the file has been verified. If the file you have does not match the one on the Web site, it could be that the file on the site has been updated or otherwise changed and the developer forgot to update the checksum, or it could be from corruption in the file during the transfer, or from unsolicited tampering with the file. Either way, if the checksums do not match, contact the developer before opening it.

Another common checksum routine is the md5 checksum, which can be checked similarly by running the command "md5" in the Terminal in a similar way as the "shasum" command mentioned above.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Computing Guides

Laptops

Desktops & Monitors

Computer Accessories

Photography

Tablets & E-Readers

3D Printers

Computing Coupons