Amy Shackles
Trust, But Verify (Downloads)

Have you ever downloaded something from the internet and noticed that the site you're downloading from has a message about verifying the integrity of the downloaded package? Have you ever been curious how to go about doing that, so clicked the link, only to see a jumble of text displayed? Believe me, I know the feeling.

While the task of acquiring the SHA256 value of a downloaded file is easy to figure out (there are plenty of resources online on how to do that), most of the examples out there seem to only go that far, relying on your ability to spot the difference visually between the two outputs.

My friends, there is a better way.

Option 1: Echo!

1) After downloading the package you want to verify, make a note of where that file is. If it makes it easier, cd into the containing folder so that you don't need to specify the path to it.
2) Copy the SHA256 value from the download site that corresponds with the package you downloaded (that's going to be all the letters/numbers before the spaces and the file name)
3) In your terminal shell, type the command:

echo "${Copied 256 Value}  /path/to/downloaded/file" | shasum -a 256 -c

Let's break that down.

The echo command writes the copied value to standard out. The quotation marks ensure that the whitespace is preserved: the two spaces between the SHA256 value and the file path are important. According to the man page for shasum, the character after the first space indicates the input mode, and a space character means text mode. In lieu of a space character, you can also set the mode to binary by providing the mode character '*' instead.
The | (pipe character) passes the output (stdout) of the previous command to the input (stdin) of the next, so shasum now receives the line we just wrote to stdout.
The -a flag is shorthand for --algorithm and tells shasum which type of SHA to calculate. In this example, we're working with SHA256, so we pass 256 to the -a flag.
The -c flag is shorthand for --check; it tells shasum to read checksum lines from its input and verify each named file against the value on its line, instead of computing new checksums.

Example:

echo "ef0ca4924922514b6ad71469998821f2cf7c596b4b8b59736c3699759e0f1df8  Downloads/VirtualBox-6.1.10-138449-OSX.dmg" | shasum -a 256 -c

Option 2: Why Echo When You Can Redirect?

1) After downloading the package you want to verify, make a note of where that file is. If it makes it easier, cd into the containing folder so that you don't need to specify the path to it.
2) Copy the SHA256 value from the download site that corresponds with the package you downloaded (that's going to be all the letters/numbers before the spaces and the file name)
3) In your terminal shell, type the command:

shasum -a 256 -c <<< "${Copied SHA256 value}  /path/to/downloaded/file"

Example:

shasum -a 256 -c <<< "ef0ca4924922514b6ad71469998821f2cf7c596b4b8b59736c3699759e0f1df8 *Downloads/VirtualBox-6.1.10-138449-OSX.dmg"

Result

Whichever option you choose, if your SHA256 values match, you should get a response like:

Downloads/VirtualBox-6.1.10-138449-OSX.dmg: OK

Top comments (1)

David

Awesome post, Amy! Unfortunately I'm not sure the title will garner a lot of reads and I think everyone should read this! I'm no marketing expert (pretty shoddy TBH), but to me, this is more about checking file integrity or checking for tampering by looking at the checksum. We need to confirm that the SHA (also known as a hash or digest) matches, and the recommended algorithm is at least SHA-2 (256) or SHA-3. I've done this very rarely, because I've run into the scenario you've described maybe thrice over the last decade, but I do know that some people do this frequently and it's important when there's no TLS