It’s pretty important to check the digests of software you download. When a downloaded file is accompanied by a signature file, for example a gnupg .asc file, you can verify the signature with various tools. Often though, a download site will include the MD5 or SHA1 digest hash of the file, which allows a quick check on the file’s integrity. OS X has an /sbin/md5 command, and includes the openssl distribution. Within openssl, the digest subcommand allows for the generation of digests for an array of digest algorithms, including MD5 and SHA1. So it’s simple enough to generate the appropriate digest for that file you just downloaded.
Comparing them is a bit tedious, though. If you’re like me, you skim across the two digests – the one you generated and the one that the authors published – and look for eye-catching patterns near the beginning, middle and end. That works pretty well in practice, but its hardly rigorous.
So I wrote myself a little script that generates a hash, and checks it against a hash value given as an argument. Here’s the help output.
$ sha1 --help Usage: sha1 <filename> [test-value] where <filename> is required and test-value is an optional hex digest value to test against. Exits with 1 if the number of arguments is wrong; 2 if the digest comparison fails; 3 if an unsupported algorithm is requested. or: sha1 --digests which will echo the supported algorithms. or: sha1 --setup which tries to ensure that hard links are set up for all digest algorithms. Exits with 4 if NOT all links are available after execution. Note that the user running this option must have write permission in the directory containing the invoked program. Soft links are followed to determine the actual directory containing the program. Alternatively, you may manually set up your own softlinks in any directory. or: sha1 -<anything> Print this help text. Some of the executables may already exist on your system. On OS X, for example, the executable /sbin/md5 is present. Which one is found depends on your PATH. $
Installing the script
Download the script from here. The SHA1 digest of the script is
This assumes that your downloader is happy with UTF-8 or ASCII and the existing Unix line endings (LF). If it changes them, all bets are off.
Select a location on your PATH. I installed in ~/bin, but you may want to put it in /usr/local/bin or some such system directory. To do that you will have to use sudo or some equivalent. Make sure the file is executable. In my case, I would do this:
$ mv ~/Downloads/sha1 ~/bin/sha1 $ chmod +x ~/bin/sha1
Set up links
The –setup option will try to set up hard links for each of the supported digest algorithms (a subset of the algorithms supported in openssl digest). If you required sudo to install the script initially, you will also have to run the –setup as sudo. Your output will look something like this.
$ sha1 --setup Executable /Users/pbw/bin/sha1 already exists. Executable /Users/pbw/bin/md5 created. Executable /Users/pbw/bin/sha256 created. Executable /Users/pbw/bin/sha384 created. Executable /Users/pbw/bin/sha512 created. Executable /Users/pbw/bin/dss1 created. $
Now that it’s installed you can check a digest like so. I’ll go to the Downloads folder and check (too late now, of course) the initial download.
$ sha1 sha1 59254e751d0ce827770a73aae573f5294a1e1ac9 sha1 OK 59254e751d0ce827770a73aae573f5294a1e1ac9 EQUALS 59254e751d0ce827770a73aae573f5294a1e1ac9 $
Let’s see what happens if you change the comparison text.
$ sha1 sha1 59254e751d0ce827770a73aae573f5294a1e1acA sha1 FAIL 59254e751d0ce827770a73aae573f5294a1e1ac9 NOT EQUAL TO 59254e751d0ce827770a73aae573f5294a1e1aca $
The script returns true (0) for a successful comparison and false (in this case, 2) for a failure.
That’s it folks!