Mac OS X: How to verify a SHA-1 digest
Learn how to verify a SHA-1 digest (also known as a checksum). Important: Verifying the SHA-1 of a software update is optional; it is provided on Apple software updates for those individuals who want to verify the authenticity of an update.
Mac OS X 10.0, Mac OS X 10.1, Mac OS X 10.2, Mac OS X 10.3, Mac OS X 10.4, Mac OS X 10.5, Mac OS X 10.6, Product Security
Note: For updates delivered by Automatic Software Update, SHA-1 digest verification is performed automatically for you.
To verify a manually-downloaded software update from Apple Downloads, which contains a SHA-1 digest, perform the following steps:
- 1. Open Terminal (located in /Applications/Utilities).
2. Type the following at the Terminal prompt:
openssl sha1 [full path to file]
openssl sha1 /Users/myaccount/Documents/1024SecUpd2003-03-03.dmg
SHA-1 is essentially a secure checksum for a data file. The SHA-1 checksum is based on a cryptographic standard. For a given file, SHA-1 produces a 160 bit encrypted output known as a "message digest." It is highly improbable that a modified data set would produce the same message digest. If a file is changed during transit, its message digest also changes.
SHA-1 and Apple Downloads
You can download manually-installable updates from Apple Downloads. Apple uses SHA-1 digests on certain Apple Downloads so you can verify (with a high degree of probability) that the software you downloaded is the same software you intended to download (see Related documents below). When the SHA-1 digest for the file you downloaded matches the digest for the file as displayed on Apple Downloads, you can be sure that the file is authentic.
For best security, you can use the secure https download page for a manual update. For example, the Mac OS X v10.6.6 Update Combo's manual download URL is:
Change the http to https, then download from: