How to use checksums on Mac to verify app downloads
How do you know that the app you’ve downloaded is genuine, and not a macOS Trojan? Your Mac comes with a built-in tool that can help. In this guide and walkthrough, we’ll show you how to use Terminal and checksums to verify your macOS app downloads.
What is a checksum?
First, what is a checksum? Here’s the dictionary definition, courtesy of Wikipedia:
A checksum is a small-sized block of data derived from another block of digital data for the purpose of detecting errors that may have been introduced during its transmission or storage.
Let’s break that down a bit. A checksum is the value you get when you run a file’s bits and bytes through a special algorithm designed to produce — you guessed it — checksums. For our purposes, we’re going to simplify things and only talk about checksums generated by cryptographic hashing algorithms.
These checksum values look like a big string of letters and numbers, for example:
11a0241a5a7accb9e599eeff04e739479049d75669067980401451f3fde72b96
But they’re actually just really huge numbers. The letters are only there because they’re numbers expressed in a non-decimal numeral system (the one above is hexadecimal).
Here’s the main thing to remember about checksums: They act like a “fingerprint” for a file. Put a file through a cryptographic hashing algorithm and you get a value that is, for all practical purposes, unique to that exact sequence of bytes. Change even a single bit of the file and run it through the algorithm again, and you get a completely different value. For this reason, if two checksums match, you can be confident they were derived from the same file; if they differ, the files differ.
How checksums keep you safe
Checksums let you verify the integrity of downloaded files. If you know what the checksum of the original file is supposed to be, you can run the hashing algorithm on the downloaded file to make sure the two values match.
If they match, the bytes you downloaded are the bytes the developer hashed. If they don’t match, whatever you’ve downloaded isn’t the same as the original file. Either the data was corrupted in transit, or someone has deliberately changed the file.
In terms of Mac security, it’s that latter case that you need to worry about, because Trojanized apps are a problem on macOS. You can follow a few basic best practices to avoid most Mac Trojans, such as only downloading apps from known and trusted sources. But even app distribution platforms and developers’ servers can be hacked, and used to distribute malware. For this reason, it’s smart to double-check that what you’re downloading is actually what it’s supposed to be!
When you download an app from a developer’s site, they may publish a checksum for the download so that you can check the file’s integrity yourself. This protects you when the file itself is served from somewhere other than the page you read the checksum on, such as a CDN, a mirror, or a separate download server: if that host is compromised, the checksum on the developer’s website still matches the genuine build, and a swapped file will fail the comparison. Be aware of the limit, though. If an attacker controls the same web server that hosts both the file and its checksum, they can replace both, so a checksum only ever tells you that what you got matches what was published, not that what was published is trustworthy. Within that limit, if you have the option to verify a download with a checksum, you should always do so. It only takes a second, and it could keep you from being infected by malware. Here’s how to do it.
How to verify macOS downloads with checksums in Terminal
Here are the steps to use a checksum to verify a download in Terminal on macOS:
Step 1: Figure out which hashing algorithm to use
Before you do anything else, you need to determine which hashing algorithm was used to generate the file’s checksum. Usually the developer says so on their website, right next to the value. If they don’t, the length of the hex string tells you: 32 characters means MD5, 40 means SHA-1, 64 means SHA-256, and 128 means SHA-512.
The algorithms you’re most likely to encounter are MD5, SHA-1, SHA-256, and SHA-512. Note that MD5 and SHA-1 are no longer collision resistant, so while a published MD5 or SHA-1 value is still fine for catching a corrupted download, it is weaker evidence against deliberate tampering. Prefer the SHA-256 or SHA-512 value whenever a developer offers more than one.
Step 2: Launch Terminal
Open the Terminal utility. To do this, type “Terminal” in the Launchpad search field, or in Spotlight, and click on the Terminal icon. Alternatively, use Finder to navigate to /Applications/Utilities and double-click Terminal.
Step 3: Enter the checksum command followed by a space
In Terminal, type in the appropriate checksum command. What you type will depend on the hashing algorithm used by the developer. Note: Be sure to leave an extra space after the command, and don’t hit Enter just yet, because you’re going to have to add the file path to the download in the next step.
Here are the commands you’ll need for the hashing algorithms you’re most likely to encounter:
For MD5:
md5
For SHA-1:
shasum -a 1
For SHA-256:
shasum -a 256
For SHA-512:
shasum -a 512
Step 4: Add the file path of the downloaded file
Now add in the file path to the downloaded file. If you know how to do this manually, great, but there’s a much easier way: Just drag and drop the file directly into Terminal. Doing this will automatically append the correct file path to your command.
This is why it’s so important to remember to leave a space after entering the checksum command. If you don’t, the file path will run right up against the checksum command, and your Mac won’t understand what you’re trying to tell it to do. You’ll just get an error, as in the case of the confused Mac below!
securemacdemo@MacBook-Air ~ % shasum -a 1/Users/securemacdemo/Downloads/LuLu_2.4.1.dmg
Value "1/Users/securemacdemo/Downloads/LuLu_2.4.1.dmg" invalid for option a (number expected)
Type shasum -h for help
Step 5: Compare the checksum values
If you did Step 4 correctly, you should have something that looks like this:
shasum -a 256 /Users/ExampleUser/Downloads/AppName.dmg
Hit Enter to get the file’s checksum value. You should now be able to see the file’s checksum in your Terminal. Compare that value to the one that the app developers provided on their website.
If the two values match, you can be reasonably certain that the file you downloaded is the one you were supposed to get. But if they don’t match, something isn’t right. Don’t use the download just yet.
Step 6: Investigate mismatched checksum values
First, double-check that you used the same hashing algorithm as the developer (e.g. not SHA-512 when they published SHA-256). It’s an easy mistake to make, especially if you’re new to using checksums on Mac, and it produces a false alarm: the checksums don’t match, not because of any problem with file integrity, but because two different algorithms were used. A quick sanity check is the length of the two strings, since each algorithm produces a different length (32, 40, 64 or 128 hex characters for MD5, SHA-1, SHA-256 and SHA-512 respectively). Also make sure you hashed the file you actually downloaded, not, say, an app you dragged out of a mounted disk image, and that the checksum on the website is for the same version you downloaded. Upper- and lower-case letters don’t matter: hex is case-insensitive, so 1A and 1a are the same value.
However, if you’re fairly sure that you did everything right, and the checksum of the downloaded file still doesn’t match the one given on the developer’s website, then there’s a problem.
At this point, either reach out to the developer directly, or contact a cybersecurity pro for help. Don’t try to use the download, as you can’t be certain that it’s safe.
A simple walkthrough example
To make the process of using checksums on a Mac a little less abstract, we’re going to walk you through it, step by step, using a real-world example. We’ll use Suspicious Package, a package inspection app developed by Mothers Ruin Software, as our example download.
Follow along on your own Mac to learn how to verify a Mac app download using a checksum in Terminal.
Note: If you’re doing this exercise at home, and the developer has updated their .dmg file since the writing of this guide, then you’ll see a different checksum value from the one in our examples. However, the basic procedure is the same: You’re just looking for a match between what you see on their website and what you see in your Terminal. Also, please note that we’re logged in to our own Mac as user “securemacdemo” on a computer named “MacBook-Air”. The examples from our Terminal, as well as our file paths, reflect that. If you follow along, you’ll see your own username and your Mac’s name instead.
Downloading the app installer file
First, we need to download the app’s .dmg file. You can do this at mothersruin.com/software/SuspiciousPackage/get.html if you want to follow along.
Determining the algorithm used
If you click on the words Show Download Details on the download page, you can see some additional information about the download. This includes the checksum value.
This developer lists a SHA-256 checksum. That means we’ll have to use the SHA-256 command when we get to Terminal.
Entering the checksum command
Now we’re going to open Terminal. As mentioned above, you can find this utility by searching in Spotlight or Launchpad, or by using Finder to go directly to /Applications/Utilities.
Since the developer of this app used SHA-256, we’re going to enter shasum -a 256, followed by a space. But we’re not going to hit Enter just yet, since we still need to add in the file path.
Adding in the file path to the download
Now we need to complete the checksum command by adding in the file path to our download. If we wanted to do this manually, we would just type in:
~/Downloads/SuspiciousPackage.dmg
But it’s easier to just drag and drop the file from its current location right into Terminal. Dragging and dropping a file into Terminal appends its full, absolute file path to whatever is already on the command line (with any spaces in the path escaped for you), which gives us the complete command:
securemacdemo@MacBook-Air ~ % shasum -a 256 /Users/securemacdemo/Downloads/SuspiciousPackage.dmg
Comparing the checksum values
Once you have the correct command in Terminal, hit Enter. Your Mac will automatically generate the checksum value for your downloaded file:
securemacdemo@MacBook-Air ~ % shasum -a 256 /Users/securemacdemo/Downloads/SuspiciousPackage.dmg
64846317b6761bc252d15bf5be0457c54d4b9e9db6a310520ef9ba3cab9b2500 /Users/securemacdemo/Downloads/SuspiciousPackage.dmg
As you can see from the Terminal output above, we got the following checksum value:
64846317b6761bc252d15bf5be0457c54d4b9e9db6a310520ef9ba3cab9b2500
And that’s an exact match for the SHA-256 value listed under Show Download Details on the developer’s download page.
This means that the file we downloaded is byte-for-byte the same as the one the developer hashed, and that it wasn’t corrupted on the way down. As long as we trust this developer, and the page we took the checksum from, it’s safe to install the app.
We hope this guide has helped you learn more about how to use checksums on your Mac for better security. If you have any questions, don’t hesitate to write to us and ask!