I recently downloaded an update to VLC, an open-source media player. The VLC download page displayed its SHA-256 checksum - here's how to quickly validate your download by comparing the checksum using the built-in macOS tools.
There are various Secure Hash Algorithms, each of which computes a practically unique number (a "hash") from a file's contents. The computed hash for a downloaded file should be compared with a published hash to make sure the downloaded file has not been tampered with. The comparison is only as trustworthy as the place the hash was published, so copy it from the project's own download page.
The VLC 2.2.5 download page shows the SHA-256 checksum - which you should copy to clipboard (it's the long string starting with "7e31..."):
After the download completes (vlc-2.2.5.1.dmg), open Terminal and cd to your Downloads folder or wherever your file resides. There, enter this command (of course, paste the checksum rather than typing it in):
shasum -a 256 vlc-2.2.5.1.dmg | grep 7e31cf16b944ef84d7cbf40b23cafa6f7dc53c2163b2e46bda5e518c46880bdf
If the hash matches, you should see the hash highlighted. In my case, since I altered my terminal colors, it displays in red as below:
If the hash does not match (i.e. the download is probably corrupt and should not be trusted), nothing is displayed, as in the second case above, where I altered the last digit just for testing.
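However, if your download page shows an MD5 checksum, an alternative and common hash function (it still catches a corrupted download, but it is no longer collision-resistant, so prefer SHA-256 when both are offered), then the command is: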
md5 vlc-2.2.5.1.dmg