sha256sum

Verify file integrity using SHA256 checksums

TLDR

Calculate the SHA256 checksum for one or more files

$ sha256sum [path/to/file1 path/to/file2 ...]

Calculate and save the list of SHA256 checksums to a file

$ sha256sum [path/to/file1 path/to/file2 ...] > [path/to/file.sha256]

Calculate a SHA256 checksum from stdin

$ [command] | sha256sum

Read a file of SHA256 checksums and filenames and verify all files have matching checksums

$ sha256sum [[-c|--check]] [path/to/file.sha256]

Only show a message for missing files or when verification fails

$ sha256sum [[-c|--check]] --quiet [path/to/file.sha256]

Only show a message when verification fails, ignoring missing files

$ sha256sum --ignore-missing [[-c|--check]] --quiet [path/to/file.sha256]

Check a known SHA256 checksum of a file

$ echo [known_sha256_checksum_of_the_file] [path/to/file] | sha256sum [[-c|--check]]

-b
    Read in binary mode

-c, --check
    Read SHA256 sums from FILEs and check them

--tag
    Create a BSD-style checksum

-t, --text
    Read in text mode (default)

--binary
    Read in binary mode

-z, --zero
    End each output line with NUL, not newline, and disable file name escaping

--algorithm ALGO
    Choose digest algorithm. Valid ALGO values are: sha224, sha256, sha384, sha512, sha512256

-w, --warn
    Warn about improperly formatted checksum lines

--strict
    Exit non-zero for improperly formatted checksum lines

--ignore-missing
    Don't fail or report status for missing files

--quiet
    Don't print OK for each successfully verified file

--status
    Don't output anything, status code shows success

--check-algorithm
    Check ALGO. Valid ALGO values are: sha224, sha256, sha384, sha512, sha512256

--help
    Display help and exit

--version
    Output version information and exit

DESCRIPTION

The sha256sum command calculates and verifies SHA256 cryptographic hash values. It's primarily used to confirm the integrity of files after they've been transferred or stored. By comparing the computed SHA256 hash of a file with a known, trusted hash value, you can determine if the file has been altered or corrupted.

The command reads input files, calculates the SHA256 hash for each, and outputs the hash alongside the file name. When invoked with the -c option, sha256sum reads checksums from a file and compares them to the calculated checksums of the corresponding files, reporting any discrepancies. This is crucial for verifying downloads, backups, and ensuring data consistency. The SHA256 algorithm is a widely used cryptographic hash function that produces a 256-bit (32-byte) hash value, making it resistant to collisions and suitable for security-sensitive applications.

CAVEATS

On some systems, particularly Windows, the text mode handling can introduce inconsistencies due to different newline conventions (CRLF vs. LF). Always use binary mode (-b) when verifying binary files to avoid checksum mismatches. Ensure the checksum file used with '-c' adheres to the expected format (hash, space, file name).

INPUT FORMAT FOR '--CHECK'

When using the '-c' option, the input file should contain SHA256 checksums followed by a space and the filename. The format is typically 'SHA256_HASH filename'. Spaces are allowed in filenames, but they should be properly escaped or quoted when creating the checksum file.

EXIT STATUS

The command returns an exit status of 0 if all files are successfully verified. A non-zero exit status indicates an error, such as a checksum mismatch or a missing file (unless '--ignore-missing' is used).

HISTORY

The sha256sum utility is part of the GNU coreutils package and has been available in most Linux distributions for many years. Its adoption grew with the increasing need for stronger cryptographic hash functions than MD5 or SHA1, which were found to have security vulnerabilities. SHA256 provided a more robust and secure alternative. The tool's usage expanded across various domains, from software distribution and integrity checks to data archiving and security applications.