NAME

checksum, sha224sum, sha256sum, sha384sum, sha512sum — compute and check cryptographic hashes

SYNOPSIS

DESCRIPTION

checksum is used to check the cryptographic integrity of files by calculating their cryptographic hashes and later check the files retain the same hash, thus guaranteeing it would be vanishingly unlikely the files have been modified unless the cryptographic hash algorithm has been broken.

checksum uses the requested cryptographic hash algorithm to calculate the hashes of the input files, or the standard input if no files are specified. The standard input can be specified using the ‘-’ path.

checksum writes a checklist of the inputs' hashes that can later be checked using the -c or -C options. Checklists have a line for each file consisting of its checksum (the cryptographic hash) in lowercase hexadecimal followed by two spaces and the file's path (‘-’ in case of the standard input).

If the -c or -C options are set, checksum instead checks the files. It writes a line for each file containing its path followed by a colon and a space, and ‘OK’ if the file's hash matched the checksum or ‘FAILED’ if it did not. After each checklist has been processed, a diagnostic is written to the standard error with how many files couldn't be read (if any couldn't be read), and a diagnostic is written to the standard error with how many checksums didn't match (if any didn't match).

The options are as follows:

-a, --algorithm=algorithm

Use the case-insensitive cryptographic hash algorithm:

• SHA224
• SHA256
• SHA384
• SHA512/256
• SHA512

The algorithm is set by default if checksum is invoked by the sha224sum, sha256sum, sha384sum, or sha512sum names.

--cache cache

Cache the checksums in the cache file for fast answers on subsequent invocations, unless the input file is newer than the cache file. If -c or -C, only use the cached checksums if they are the desired answer, otherwise recheck the input file to be safe.

-c, --check

Each input is interpreted as a checklist of files to be checked.

-C, --checklist=checklist

Check the inputs using the checklist file (‘-’ for the standard input). This option is useful for checking a subset of files in a checklist.

-i, --ignore-missing

Ignore non-existent files when checking.

-q, --quiet

Only mention files with the wrong hash when checking.

-s, --status

Don't mention any files when checking and only provide the exit status.

EXIT STATUS

If -c or -C are set, checksum will exit 1 if any error occurred or the checklist was malformed; and otherwise exit 2 if any files had the wrong hash, and exit 0 if all files passed the check.

Otherwise checksum will exit 0 if all files were hashed, or exit 1 if an error occurred.

EXAMPLES

Compute the SHA256 hash of a file:

$ sha256sum foo
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  foo

Check the SHA256 hash of a file:

$ sha256sum foo > foo.sha256sum
$ sha256sum -c foo.sha256sum
foo: OK

Check every file in a checklist and only mention failures:

$ echo foo > foo
$ echo bar > bar
$ sha256sum foo bar > checklist
$ sha256sum -cq checklist
$ echo foo > bar
$ sha256sum -cq checklist
bar: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match

Check the hash of only some files in a checklist:

$ sha256sum foo bar qux > checklist
$ sha256sum -C checklist foo qux
foo: OK
qux: OK

Check the standard input is expected:

$ sha256sum < reference > checklist
$ sha256sum -C checklist < input
-: OK

SEE ALSO

cmp(1), sha2(3)

HISTORY

checksum originally appeared in Sortix 1.1.

checksum is similar to a subset of GNU sha256sum, mixed with the BSD -a and -C extensions to POSIX cksum. The -iqs short options are extensions to GNU sha256sum, which only provides these features through the long options. checksum is always strict and errors on malformed checklists unlike GNU sha256sum.

CAVEATS

Insecure cryptographic hash algorithms such as MD5 and SHA1 are not implemented.

checksum does not have the -b and -t options from GNU sha256sum to select binary/text mode. The text mode being default is poor design but only matters on some implementations for Windows. This implementation removes that complexity and always operates in binary mode. The double space checklist delimiter is used for simplicity and compatibility as all sensible implementations are always in binary mode by default. The space asterisk checklist delimiter to explicitly request binary mode is not supported for simplicity.