Verify a Downloaded File

Sometimes it’s necessary to download a file to install, update, or upgrade something on your computer. Whenever you download anything from the internet, you should take steps to verify that it is what you expected—and nothing more.

Many software providers give you a way to verify that the file you’re downloading has not been altered. They do this by publishing a "signature" for the file: a cryptographic hash (checksum) computed from the file’s contents. If the file has been altered in any way (e.g., by the addition of a virus or other malware), its signature will no longer match.

You can verify the signature by comparing it to the signature posted by the provider. Some will include a separate file to download that contains the verification code. Others will simply post the code on the same page as the file you’re downloading.

But those signatures are really long, so comparing the file’s signature to the one you copied from the site is an error-prone, time-consuming task. It’s a perfect opportunity for automation!

There are many ways to do this, but I like the one proposed by Steven Penny on Stack Overflow.

He suggests the following one-liner on the Linux command line:

shasum FILENAME | awk '$1=="SHASUM"{print"OK"}'

In other words, shasum calculates the signature of the file you downloaded, and awk compares the first field of that output ($1) to the signature you copied from the site. If all is well, you’ll receive an "OK".
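As an added example that is not part of the original post, here is the same check wrapped in a small POSIX shell function that picks whichever SHA-512 tool is installed (sha512sum, shasum, or openssl, an assumption about the machine), lower-cases the value you pasted, and exits non-zero on a mismatch, whereas the one-liner above simply prints nothing when the hashes differ, which is easy to miss.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded file
# against the SHA-512 value published on the download page, and fail
# loudly (non-zero exit status) instead of silently printing nothing.

# Print the hex SHA-512 digest of a file using whatever tool is available.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        # shasum defaults to SHA-1, so -a 512 is required for a SHA512 sum
        shasum -a 512 "$1" | awk '{print $1}'
    else
        openssl dgst -sha512 "$1" | awk '{print $NF}'
    fi
}

# verify_sha512 FILE EXPECTED_HEX
# Prints OK and returns 0 on match; prints both digests to stderr and
# returns 1 on mismatch; returns 2 if the file is missing.
# The pasted value is lower-cased and stripped of whitespace so a hash
# copied in upper case or with a trailing newline still compares equal.
verify_sha512() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    [ -f "$file" ] || { echo "ERROR: no such file: $file" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage: verify.sh FILE EXPECTED_HEX (hypothetical script name)
if [ "$#" -eq 2 ]; then
    verify_sha512 "$1" "$2"
fi
```

Because the function's exit status reflects the result, it can gate an install step (e.g. `verify_sha512 pkg HASH && sudo installer ...`) rather than relying on a human spotting a missing "OK".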

For example, I wanted to download MacTex2021. On the download page, I found the .pkg file to download along with the following text: "The SHA512 sum is 05d6e46347feb07bd9fed8ff1bfa855059a8fcf2c452fd832e0db1e15b5c171a2f86b5b911c37166dd19cfaba4f6e7fa4ea9f46c322f87f02f2b411bd1c54852."

See what I mean about the length of a signature? I don’t want to compare that manually to something calculated by my computer! Therefore, I opened a Terminal, navigated to my Downloads directory, and entered:

shasum -a 512 MacTex.pkg | awk '$1=="05d6e46347feb07bd9fed8ff1bfa855059a8fcf2c452fd832e0db1e15b5c171a2f86b5b911c37166dd19cfaba4f6e7fa4ea9f46c322f87f02f2b411bd1c54852"{print"OK"}'

That calculated the signature using the 512 algorithm and compared that ($1) to the signature I found on the website. Since they matched, I received "OK".