Learn how to verify a SHA-1 digest (also known as a checksum). Important: Verifying the SHA-1 of a software update is optional; it is provided on Apple software updates for those individuals who want to verify the authenticity of an update.
Mac OS X 10.0, Mac OS X 10.3, Mac OS X 10.2, Mac OS X 10.1, Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5, Product Security
Note: For updates delivered by Automatic Software Update, SHA-1 digest verification is performed automatically for you.
To verify a manually-downloaded software update from Apple Downloads, which contains a SHA-1 digest, perform the following steps:
1. Open Terminal (located in /Applications/Utilities).
2. Type the following at the Terminal prompt:
openssl sha1 [full path to file]
openssl sha1 /Users/myaccount/Documents/1024SecUpd2003-03-03.dmg
The SHA-1 digest is displayed as: SHA1 (full path to the file)= [checksum amount]
SHA-1 is essentially a secure checksum for a data file. The SHA-1 checksum is based on a cryptographic standard. For a given file, SHA-1 produces a 160 bit encrypted output known as a "message digest." It is highly improbable that a modified data set would produce the same message digest. If a file is changed during transit, its message digest also changes.
SHA-1 and Apple Downloads
You can download manually-installable updates from Apple Downloads. Apple uses SHA-1 digests on certain Apple Downloads so you can verify (with a high degree of probability) that the software you downloaded is the same software you intended to download (see Related documents below). When the SHA-1 digest for the file you downloaded matches the digest for the file as displayed on Apple Downloads, you can be sure that the file is authentic.