How to verify checksums when you download an app for your Mac
Some Mac users received a nasty surprise last week when it was discovered that a recent version of the open source Transmission BitTorrent client infected their computer with malware -- a situation that may have been avoided with proper precautions.
Most savvy computer users know that it's important to be vigilant about where they download software from, but few stop to verify that the file they received is the file they were supposed to receive. This can be a critical final step in preventing malware infections of the sort we saw with Transmission.
Developers often post checksums or hashes alongside the download links for their projects to facilitate this kind of verification. Broadly, a checksum is the result of a mathematical calculation run on a particular file -- if the file hasn't been altered, the checksum you calculate will match the checksum provided by the developer.
It's still not clear exactly how the infected download made it onto Transmission's website, but those who received it early in the process have reported that the bad file's checksum didn't match the checksum provided by the Transmission team. If they had verified the checksum before installing, they would've known something was amiss.
It's worth mentioning that this is not an infallible process: if a website is compromised, the attacker could've easily changed the checksum as well. Still, it's a useful -- and very quick -- precaution to take.
Important note: For most people, files will be automatically placed in their downloads folder. To access this folder in Terminal, use
SHA-1 is the checksum format used by Apple, among many others. To find the SHA1 checksum of a file, open a Terminal window and enter the following:
If your file is called Paint.dmg and it's in the Downloads folder, it would look like this:
The result should look like this:
The series of letters and numbers in the result is the checksum: just compare it to the checksum provided by the developer.
Another popular checksum is SHA256, the kind used by Transmission's team. To verify it on a Mac, use:
MD5 is no longer recommended as a checksum hash for security reasons, but some legacy programs may still use it. To verify:
Most savvy computer users know that it's important to be vigilant about where they download software from, but few stop to verify that the file they received is the file they were supposed to receive. This can be a critical final step in preventing malware infections of the sort we saw with Transmission.
Developers often post checksums or hashes alongside the download links for their projects to facilitate this kind of verification. Broadly, a checksum is the result of a mathematical calculation run on a particular file -- if the file hasn't been altered, the checksum you calculate will match the checksum provided by the developer.
It's still not clear exactly how the infected download made it onto Transmission's website, but those who received it early in the process have reported that the bad file's checksum didn't match the checksum provided by the Transmission team. If they had verified the checksum before installing, they would've known something was amiss.
It's worth mentioning that this is not an infallible process: if a website is compromised, the attacker could've easily changed the checksum as well. Still, it's a useful -- and very quick -- precaution to take.
Important note: For most people, files will be automatically placed in their downloads folder. To access this folder in Terminal, use
~/Downloads
. Verifying an SHA-1 checksum
SHA-1 is the checksum format used by Apple, among many others. To find the SHA1 checksum of a file, open a Terminal window and enter the following:
openssl sha1 /full/path/to/file
If your file is called Paint.dmg and it's in the Downloads folder, it would look like this:
openssl sha1 ~/Downloads/Paint.dmg
The result should look like this:
SHA1(/Users/username/Downloads/Paint.dmg) =07272d863ab77113e38e6ce3878c2162feb4893e
The series of letters and numbers in the result is the checksum: just compare it to the checksum provided by the developer.
Verifying an SHA256 checksum
Another popular checksum is SHA256, the kind used by Transmission's team. To verify it on a Mac, use:
openssl dgst -sha256 /full/path/to/file
Verifying an MD5 checksum
MD5 is no longer recommended as a checksum hash for security reasons, but some legacy programs may still use it. To verify:
openssl md5 /full/path/to/file
Comments
Say that your binary data was 011100 and you wanted to check it was accurate, you could do something like add all the positions of the 1s so 2+3+4 = 9 and that would be the verification. If the data got corrupted to 011110, it would be 2+3+4+5 = 14 so one bit changes but you get a larger change in the checksum.
The different algorithms are just selected based on probabilities of duplicate checksums and performance. Because they have to check the whole file, some checksums can take a while to run. Whatever company that put the file up will say which checksum method they are using and then they write what the result would be. You would then use the same method and check if you get the same result.
You can make a shell alias to do all the checksums in one go e.g open your bash profile with: open ~/.bash_profile, paste in:
Then you just type checksum and drag a file in to get the results and that saves remembering the command for each but you'd only ever be checking a single value and it's not likely something you'll ever do anyway. The system should really handle this for you. Maybe this is something Apple can setup where developers can enter a checksum online against a product version and when the OS tries to run a binary, it checks the product and version to see if the checksum matches the one the developer put in Apple's database.
Really this goes back to the problem of executables having write permissions to all user-account files on a system by default when they shouldn't. Applications should only have read and create permissions for files not created by them until the user explicitly allows them to overwrite or delete files. Even when apps have permissions (possibly via social engineering), the system should warn about mass changes to files e.g a task is run that does deletion or encryption and the system checks what the target size is, it can just warn that a lot of files will be impacted and what will happen to them and ask if the user wants to proceed.