How to take sha256sum of file and compare to check in one line?
I keep on finding myself wanting to download and check the integrity of the download immediately in a script, but I haven’t been able to find the right incantation of sha256sum.
MY_SHA256=e147f0392686c40cfd7d5e6f332c6ee74c4eab4d24e2694b3b0a0c037bf51dc5 sha256sum some_binary | sha256sum --check $
9 Answers
I have downloaded an archive file and an accompanying checksum file. Here is how I verify that the hash of the downloaded archive matches the hash from the downloaded checksum file:
echo "$(cat archive.tar.gz.sha256) archive.tar.gz" | sha256sum --check --status
The --status flag prevents all stdout output (more effective than --quiet). I then need to rely on the return code to determine if they matched, which is what I want anyway since I’m going to be using this in a script.
Well, in my case, since file sha512 already contains the filename, so what I should do is echo "$(cat filename.sha512)" | sha512sum --check --status and immediately check return value using $?
It’s almost never useful to do echo "$(some-command)". Just run the command; for example, cat filename.sha512 | sha512sum --check --status. But that’s a UUOC; do sha512sum --check --status < filename.sha512 instead, or even sha512sum --check --status filename.sha512 (without the <). Which, in fact, is fairly straightforward and obvious from the documentation. … (Cont’d)
P.S. That’s fine if you’re writing a script, although you shouldn’t need to reference $? explicitly. But, if you’re doing this manually, and you’re doing echo $? and looking at the output, you might as well leave off the --status and let sha512sum tell you the result.
You don’t need to do this. A much simpler way to do this is to sha256sum --check CHECKSUM_FILE. See my answer for details.
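The exit-status check from the answer above, written as a small function a script can branch on (an added example, not part of the original posts). `verify_sha256` is a hypothetical helper name, the sample file is constructed, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example, not from the original posts. verify_sha256 is a hypothetical
# helper name; GNU coreutils sha256sum is assumed.

verify_sha256() {
    expected=$1
    file=$2
    # Accept only exactly 64 hex digits: an empty or truncated variable must
    # fail here instead of producing a line sha256sum cannot parse.
    case $expected in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    # Checksum line: hash, two spaces, file name (names containing newlines
    # or backslashes would need sha256sum's escaping and are not handled).
    # --status prints nothing; the exit code alone carries the result.
    printf '%s  %s\n' "$expected" "$file" | sha256sum --check --status
}

# Constructed sample: a file containing "hello\n" and its known SHA-256.
workdir=$(mktemp -d)
printf 'hello\n' > "$workdir/some_binary"
MY_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Branch on the exit status directly; there is no need to inspect $? by hand.
if verify_sha256 "$MY_SHA256" "$workdir/some_binary"; then
    echo "some_binary: verified"
else
    echo "some_binary: checksum mismatch, discarding" >&2
    rm -f "$workdir/some_binary"
fi
```

The function returns 0 on a match, 1 on a mismatch or unreadable file, and 2 when the expected value is not a well-formed SHA-256 hex string.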
You can see that sha256sum --check takes the output of a previous (regular) sha256sum run: it takes hashes and filenames via stdin, and compares them against actual files.
So the obvious thing to do is to manually give it the output in the format it wants:
$ echo "da39a3ee5e6b4b0d3255bfef95601890afd80709 motd" | sha1sum --check
motd: OK
It seems to be taking the path to the file given in the std input and performing another sha256sum on that.
echo "67574ee0039eaf4043a237e7c4b0eb432ca07ebf9c7b2dd0667e83bc3900b2cf kali-linux-2019.2-amd64.iso" | sha256sum -c
In case you have the sha256sum file, you can directly use it:
sha256sum -c "kali-linux-2019.2-amd64.iso.txt.sha256sum"
Explanation:
In the above example, you have
sha256sum -c option can either read the SHA256 sum from a sha256sum file or from STDIN. In case you don’t have the sha256sum file, then using the echo command you can provide the same details contained in a sha256sum file.
In case you have the sha256sum file, you can directly use it:
Alternatively, you can use shasum -a 256 instead of sha256sum where -a specifies the algorithm to be used.
All about checksums, including basic info. and usage
TLDR;
# 1. Check to see if file "filename" has this expected hash:
# `expected_checksum_hash`
echo "expected_checksum_hash filename" | sha256sum --check
# 2. Check to see if these two files ("path/to/file1" and "path/to/file2")
# have the same checksum hash
echo "$(sha256sum "path/to/file1" | gawk '{ print $1 }') path/to/file2" \
| sha256sum --check
# OR (same as #2 just above)
file1_hash="$(sha256sum "path/to/file1" | gawk '{ print $1 }')" \
&& echo "$file1_hash path/to/file2" | sha256sum --check
DETAILS:
1. Background info
Note: you can use sha256sum or sha512sum in any of the examples below. These are the recommended and most-robust cryptographic checksums, with sha512sum, of course, being stronger.
There is also md5sum, but it isn’t as robust, but is still commonly used for data integrity checks. Whenever possible, I recommend you use sha256sum or sha512sum instead. Wikipedia states that md5sum is still good for data integrity checks, but is "no longer deemed secure" and shouldn’t be used for cryptographic purposes. So, just use sha256sum or sha512sum above, instead.
There are even more, however. Here is a list of the various checksum programs you can technically use in any of the examples below:
sha1sum
sha224sum
sha256sum
sha384sum
sha512sum
shasum # general-purpose tool, requires specifying the algorithm
md5sum
2. Get the checksum of a file:
$ sha256sum FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz
6b579bd4ecdf86f7e70a009886c511da0b5085b831b0d6afc42442cabc249b90 FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz
Notice that the output of the sha256sum command is the numerical checksum hash followed by the file name this checksum corresponds to. You can store this checksum into a file named sha256sum.txt like this:
sha256sum path/to/file > sha256sum.txt
3. Compare the checksum of a file against a previously-stored or already-known checksum:
Now, assuming you want to check the integrity of the file against this known checksum in that file, you can test the file again like this:
# This causes the program to re-do the checksum of the file specified inside
# sha256sum.txt, and then compare it to the checksum in that same file. If they
# (the re-calculated checksum and the previously-stored checksum) match, it will
# output the name of the file followed by "OK".
sha256sum --check sha256sum.txt
$ sha256sum --check sha256sum.txt
FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz: OK
You can also manually pipe these things (the expected checksum hash and filename) to the checksum program, like this. This is really useful for when you need to check a downloaded file against a known checksum published online where you downloaded it. This way you can check for data integrity to ensure the downloaded file was downloaded successfully.
# 1. pipe to the checksum program directly
echo "expected_checksum_hash filename" | sha256sum --check
# 2. OR, manually create the checksum file, and *then* run it on that file
# as done above
echo "expected_checksum_hash filename" > sha256sum.txt
sha256sum --check sha256sum.txt # same as previously done above
Example of option 1 just above:
$ echo "6b579bd4ecdf86f7e70a009886c511da0b5085b831b0d6afc42442cabc249b90 \
> FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz" | sha256sum --check
FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz: OK
4. To compare the checksum of file1 to file2:
Sometimes you have two downloaded files, or two copies of what you think are the same file, and you just want to ensure they are in fact the same (or different). Building on the information above, there are a few ways to do this.
- Manually check the checksum of each file, manually looking at the hashes to ensure they match:
sha256sum 'path/to/file1'
sha256sum 'path/to/file2'
# now visually inspect both hashes
# Do some trickery to compare the hash of file1 against the hash of file2.
# Effectively, what we have done is this:
# `echo "checksum_hash_from_file1 path/to/file2" | sha256sum --check`
# This therefore is checking to see if the hash from file1 matches the hash
# from file2.
echo "$(sha256sum "path/to/file1" | gawk '{ print $1 }') path/to/file2" \
| sha256sum --check
# OR (same as just above)
file1_hash="$(sha256sum "path/to/file1" | gawk '{ print $1 }')" \
&& echo "$file1_hash path/to/file2" | sha256sum --check
The way this works is that first it checks the checksum of file1, piping the output (hash and filename) to gawk, which is the GNU version of awk, which is a pattern-matching and text processing language. The gawk '{ print $1 }' command simply says to strip the first space-separated text field (indicated by $1), and retain it only. That’s the checksum hash from file1. Then, we append the path/to/file2 and pipe this whole thing to be checked, as done previously above. In effect, we are tricking the checksum program into thinking we have a previously-obtained hash from file2, and we’d like to check it against a newly-calculated hash from file2. Since we used the hash from file1, however, but the filename of file2, we know that if it passes it is really saying file1 and file2 have the same hash, and are therefore identical files. Example:
# technique 1
$ echo "$(sha256sum "FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz" \
| gawk '{ print $1 }') FoxitReader.enu.setup.2.4.4.0911_NEW.x64.run.tar.gz" \
| sha256sum --check
FoxitReader.enu.setup.2.4.4.0911_NEW.x64.run.tar.gz: OK
# technique 2
$ file1_hash="$(sha256sum "FoxitReader.enu.setup.2.4.4.0911.x64.run.tar.gz" \
| gawk '{ print $1 }')" \
&& echo "$file1_hash FoxitReader.enu.setup.2.4.4.0911_NEW.x64.run.tar.gz" \
| sha256sum --check
FoxitReader.enu.setup.2.4.4.0911_NEW.x64.run.tar.gz: OK
DESCRIPTION
With no FILE, or when FILE is -, read standard input.
-b, --binary  read in binary mode
-c, --check  read checksums from the FILEs and check them
--tag  create a BSD-style checksum
-t, --text  read in text mode (default)
-z, --zero  end each output line with NUL, not newline, and disable file name escaping
The following five options are useful only when verifying checksums:
--ignore-missing  don’t fail or report status for missing files
--quiet  don’t print OK for each successfully verified file
--status  don’t output anything, status code shows success
--strict  exit non-zero for improperly formatted checksum lines
-w, --warn  warn about improperly formatted checksum lines
--help  display this help and exit
--version  output version information and exit
The sums are computed as described in FIPS-180-2. When checking, the input should be a former output of this program. The default mode is to print a line with: checksum, a space, a character indicating input mode ('*' for binary, ' ' for text or where binary is insignificant), and name for each FILE.
Note: There is no difference between binary mode and text mode on GNU systems.
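How the verification options above change the exit status when a checksum file lists more artifacts than were downloaded (an added example, not part of the manual page). The file names and contents are constructed, `make_release`, `check_sums` and `result` are hypothetical helper names, and GNU coreutils `sha256sum` 8.25 or later is assumed for `--ignore-missing`.

```shell
#!/bin/sh
# Added example, not part of the manual page. File names and contents are
# constructed; make_release, check_sums and result are hypothetical helpers.
# Assumes GNU coreutils sha256sum (8.25 or later for --ignore-missing).

# Build a constructed "release": SHA256SUMS lists two artifacts, but only
# one of them has been downloaded. Prints the directory path.
make_release() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'constructed payload A\n' > tool-linux.tar.gz
        printf 'constructed payload B\n' > tool-macos.tar.gz
        sha256sum tool-linux.tar.gz tool-macos.tar.gz > SHA256SUMS
        rm tool-macos.tar.gz
    ) || return 1
    printf '%s\n' "$dir"
}

# check_sums DIR [OPTIONS...]: verify DIR/SHA256SUMS from inside DIR.
# --status keeps it silent; the exit status is the only result.
check_sums() {
    dir=$1; shift
    ( cd "$dir" && sha256sum --check --status "$@" SHA256SUMS ) 2>/dev/null
}

result() { if check_sums "$@"; then echo pass; else echo fail; fi; }

rel=$(make_release)
# A listed file that was never downloaded fails a plain --check.
echo "plain --check:           $(result "$rel")"
# --ignore-missing skips absent files but still verifies present ones.
echo "--ignore-missing:        $(result "$rel" --ignore-missing)"
# A malformed line only warns by default; --strict makes it fatal.
echo 'not a checksum line' >> "$rel/SHA256SUMS"
echo "malformed, no --strict:  $(result "$rel" --ignore-missing)"
echo "malformed, --strict:     $(result "$rel" --ignore-missing --strict)"
# If no listed file is present, --ignore-missing verifies nothing and fails.
rm "$rel/tool-linux.tar.gz"
echo "nothing to verify:       $(result "$rel" --ignore-missing)"
rm -rf "$rel"
```

With `--ignore-missing`, a zero exit status means every listed file that was present matched; it says nothing about files that are present but not listed in the checksum file.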
AUTHOR
Written by Ulrich Drepper, Scott Miller, and David Madore.
REPORTING BUGS
COPYRIGHT
Copyright © 2023 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
SEE ALSO
Full documentation https://www.gnu.org/software/coreutils/sha256sum
or available locally via: info '(coreutils) sha2 utilities'