Checksums 101: How to make sure your downloads are the real deal

Cybercriminals never rest, always seeking sneaky new ways to wreck your computer for fun and profit. And while the App Store — knock on wood — seems to have built a wall high enough to keep them out, Mac apps sold outside its gates aren't so lucky. Even trusted apps can unwittingly become Trojan horses for various bad actors. Luckily, you can authenticate these apps before you ever install them by learning how to validate their checksums.

Vali-what their check-huhs?

To create a checksum, you run a computer file through a cryptographic hash algorithm – a series of calculations designed to turn that file, whatever its size, into a fixed-length sequence of letters and numbers. It only works in one direction; you can't run a checksum back through another algorithm and wind up with the original file. But the algorithm is set up so that even tiny changes in the original file lead to big differences in the resulting checksum.

If you run that algorithm on the file you've received, and the code you get matches the one made by the original file, you can feel reasonably confident that the two files are identical.

Checksums were created not to ensure files' security, but to maintain their integrity. If you're copying an app or sending it over a network, you want to make sure that none of its 1s and 0s get mixed up in transit, which might make the app malfunction. (Think Jeff Goldblum's little accident in The Fly, but less … goopy.)

Checksums have used several different cryptographic algorithms over time. As of this writing, I've most often encountered those made with the SHA-256 algorithm. It's more modern and more secure than the SHA-1 algorithm, which you might also run across. There's also the even more complex SHA-512, and the older and less secure MD5. (Fun fact: The SHA algorithms were developed by our friends at the National Security Agency.)

Why should you validate checksums?

In 2016, hackers twice broke into the servers for the popular torrent app Transmission, briefly replacing the real app with variants that either encrypted infected users' files to hold them for ransom, or gave the hackers backdoor access to infected computers. In 2017, the same thing happened to Handbrake, a well-regarded free app for ripping DVDs and compressing video files. And yes, these malicious doppelgängers were aimed specifically at Macs.

To keep their users from falling prey to any similar future attacks, Transmission, Handbrake, and many other apps distributed or sold outside the Mac App Store began to include checksums on their download pages next to the download links. Users can compare the checksum for the file they download to the one listed on the site to make sure that their copy of the file is the real deal.

How can you validate a checksum?

The (slightly more) difficult way

A fairly simple Terminal command can produce a checksum for any file on your Mac, which you can then compare against the checksum provided by the app's creators. Remember, always do this before you open any .dmg you download. Doing so after you've opened the file and installed the app somewhat defeats the purpose.

Open Terminal, and at the prompt, type in:

shasum -a 256

Change 256 to 1 or 512 if you want to create a SHA-1 or SHA-512 checksum. You can also replace everything above with the command md5 if you want to create an MD5 checksum. Remember to include that final space after whichever number or command you specify!

Now, find the file you want to generate a checksum for in the Finder, and drag and drop it into the Terminal window. That will create a path in the Terminal to that file's home on your hard drive. You should now see something like:

shasum -a 256 /Users/your_user_name/Downloads/Your-Downloaded-File-1.0.1.dmg

Now hit the Return key, and Terminal will spit out a very long string of letters and numbers. Compare those results to the checksum provided when you downloaded the file to make sure your app is on the up-and-up.

A quick terminal command can create a checksum for any file.

The (incredibly) easy way

If you're Terminal-ly lazy like me, despair at having to eyeball every single letter and number in a lengthy string to make sure they all match, or just break out in a cold sweat at the thought of Unix commands, don't worry. A free app called Checksum has you covered. It's available through the Mac App Store, so you don't even have to validate its checksum. (You'll find other apps that do the same there, but most of them cost money. In my tests, Checksum has worked well, so why pay for an alternative?)

Once you open Checksum, start by selecting the algorithm your checksum uses; usually, that'll be SHA 256. Then paste the original checksum provided by the app's creator or distributor into the uppermost box.

Drag the downloaded file to the big "drop a file here" icon and drop it. Checksum will run the requisite calculations and clearly show you whether your file's checksum matches the original.

The free Checksum app makes it easy to compare a file's checksum to one provided by its maker.

Not today, cybercrooks!

Validating checksums doesn't guarantee your Mac will avoid malware, and it can't remove malware from an infected Mac. But it will dramatically reduce your risk of installing something you'll regret, even or especially from a site you know and trust.

Nathan Alderman
Contributor

Nathan Alderman is an iMore contributor. He’s been using Apple computers since his first Apple IIe in 1985, and writing professionally about Macs and their software since 2005. During his 12 years freelancing for Macworld, he covered email clients, web browsers, web design programs, writing apps, and games, and he’s continued to follow those interests at iMore since 2017. An editor and writing coach in his full-time career, he spends his dwindling spare time writing fiction for fun, volunteering for democracy, and contributing to podcasts on The Incomparable Network. Nathan adores his wife and wrangles his alarmingly large children in bucolic Crozet, VA.