How to verify checksums when you download an app for your Mac

Some Mac users received a nasty surprise last week when it was discovered that a recent version of the open source Transmission BitTorrent client infected their computer with malware — a situation that may have been avoided with proper precautions.

Most savvy computer users know that it's important to be vigilant about where they download software from, but few stop to verify that the file they received is the file they were supposed to receive. This can be a critical final step in preventing malware infections of the sort we saw with Transmission.

Developers often post checksums or hashes alongside the download links for their projects to facilitate this kind of verification. Broadly, a checksum is the result of a mathematical calculation run on a particular file — if the file hasn't been altered, the checksum you calculate will match the checksum provided by the developer.

It's still not clear exactly how the infected download made it onto Transmission's website, but those who received it early in the process have reported that the bad file's checksum didn't match the checksum provided by the Transmission team. If they had verified the checksum before installing, they would've known something was amiss.

It's worth mentioning that this is not an infallible process: if a website is compromised, the attacker could've easily changed the checksum as well. Still, it's a useful — and very quick — precaution to take.

Important note: For most people, files will be automatically placed in their downloads folder. To access this folder in Terminal, use ~/Downloads.

Verifying an SHA-1 checksum

SHA-1 is the checksum format used by Apple, among many others. To find the SHA1 checksum of a file, open a Terminal window and enter the following:

openssl sha1 /full/path/to/file

If your file is called Paint.dmg and it's in the Downloads folder, it would look like this:

openssl sha1 ~/Downloads/Paint.dmg

The result should look like this:

SHA1(/Users/username/Downloads/Paint.dmg) =07272d863ab77113e38e6ce3878c2162feb4893e

The series of letters and numbers in the result is the checksum: just compare it to the checksum provided by the developer.

Verifying an SHA256 checksum

Another popular checksum is SHA256, the kind used by Transmission's team. To verify it on a Mac, use:

openssl dgst -sha256 /full/path/to/file

Verifying an MD5 checksum

MD5 is no longer recommended as a checksum hash for security reasons, but some legacy programs may still use it. To verify:

openssl md5 /full/path/to/file

Follow AppleInsider on Google News

4 Comments

razorpit

said about 8 years ago

Is there a terminal command that returns what checksum method is used for a file? It would be nice to have an Automator script that would look at the file and return a checksum for the less than tech savy users. AI could start a whole series of these scripts...

Marvin

said about 8 years ago

razorpit said:

Is there a terminal command that returns what checksum method is used for a file? It would be nice to have an Automator script that would look at the file and return a checksum for the less than tech savy users. AI could start a whole series of these scripts...

You can use any checksum for a file. What they do is convert the data stored in the file into a short code using an algorithm. If there are small changes to the file then the result should change a lot.

Say that your binary data was 011100 and you wanted to check it was accurate, you could do something like add all the positions of the 1s so 2+3+4 = 9 and that would be the verification. If the data got corrupted to 011110, it would be 2+3+4+5 = 14 so one bit changes but you get a larger change in the checksum.

The different algorithms are just selected based on probabilities of duplicate checksums and performance. Because they have to check the whole file, some checksums can take a while to run. Whatever company that put the file up will say which checksum method they are using and then they write what the result would be. You would then use the same method and check if you get the same result.

You can make a shell alias to do all the checksums in one go e.g open your bash profile with: open ~/.bash_profile, paste in:
function checksumfunc(){
openssl sha1 "$1"; openssl dgst -sha256 "$1"; openssl md5 "$1";
}
alias checksum='checksumfunc'
Then you just type checksum and drag a file in to get the results and that saves remembering the command for each but you'd only ever be checking a single value and it's not likely something you'll ever do anyway. The system should really handle this for you. Maybe this is something Apple can setup where developers can enter a checksum online against a product version and when the OS tries to run a binary, it checks the product and version to see if the checksum matches the one the developer put in Apple's database.
Really this goes back to the problem of executables having write permissions to all user-account files on a system by default when they shouldn't. Applications should only have read and create permissions for files not created by them until the user explicitly allows them to overwrite or delete files. Even when apps have permissions (possibly via social engineering), the system should warn about mass changes to files e.g a task is run that does deletion or encryption and the system checks what the target size is, it can just warn that a lot of files will be impacted and what will happen to them and ask if the user wants to proceed.