Verifying downloads with a SHA-256 checksum


I recently downloaded an update to VLC, an open-source media player. The VLC download page displayed its SHA-256 checksum. Here's how to quickly validate your download by comparing the checksum using the built-in macOS tools.

There are various Secure Hash Algorithms, each of which generates a number (a "hash") that is, for practical purposes, unique to the file's contents. The computed hash for a downloaded file should be compared with a published hash to make sure the downloaded file has not been tampered with.

The VLC 2.2.5 download page shows the SHA-256 checksum, which you should copy to the clipboard (it's the long string starting with "7e31..."):

VideoLAN VLC download page with SHA-256 checksum

After the download completes (vlc- ), open Terminal and cd to your Downloads folder or wherever your file resides. There, enter this command (paste the checksum rather than typing it in):

shasum -a 256 vlc- | grep 7e31cf16b944ef84d7cbf40b23cafa6f7dc53c2163b2e46bda5e518c46880bdf

If the hash matches you should see the hash highlighted. In my case, since I altered my terminal colors, it displays in red as below:

Terminal shasum and grep output

If the hash does not match (i.e. the download is probably corrupt and should not be trusted), nothing is displayed, as in the second case above, where I altered the last digit just for testing.

However, if your download page shows an MD5 checksum, an alternative and common hash function, then the command is:

md5 vlc-