Mac OS X: How to verify a SHA-1 digest

Learn how to verify a SHA-1 digest (also known as a checksum). Important: Verifying the SHA-1 of a software update is optional; it is provided on Apple software updates for those individuals who want to verify the authenticity of an update.

This article has been archived and is no longer updated by Apple.

Note: For updates delivered by Automatic Software Update, SHA-1 digest verification is performed automatically for you.

To verify a manually-downloaded software update from Apple Downloads, which contains a SHA-1 digest, perform the following steps:

  1. Open Terminal (located in /Applications/Utilities).
  2. Type the following at the Terminal prompt:
    openssl sha1 [full path to file]
  3. Example:

    openssl sha1 /Users/myaccount/Documents/1024SecUpd2003-03-03.dmg

    The SHA-1 digest is displayed as: SHA1 (full path to the file)= [checksum amount]

    SHA1(/Users/myaccount/Documents/1024SecUpd2003-03-03.dmg) =2eb722f340d4e57aa79bb5422b94d556888cbf38

Learn more

About SHA-1

SHA-1 is essentially a secure checksum for a data file. The SHA-1 checksum is based on a cryptographic standard. For a given file, SHA-1 produces a 160 bit encrypted output known as a "message digest." It is highly improbable that a modified data set would produce the same message digest. If a file is changed during transit, its message digest also changes.

SHA-1 and Apple Downloads

You can download manually-installable updates from Apple Downloads. Apple uses SHA-1 digests on certain Apple Downloads so you can verify (with a high degree of probability) that the software you downloaded is the same software you intended to download (see Related documents below). When the SHA-1 digest for the file you downloaded matches the digest for the file as displayed on Apple Downloads, you can be sure that the file is authentic.

For best security, you can use the secure https download page for a manual update. For example, the Mac OS X v10.6.6 Update Combo's manual download URL is:

Change the http to https, then download from:

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Published Date: