It's very easy to test the download to make sure that the checksum is valid. For MD5 signatures, you simply type:
md5 name_of_file
And for SHA1 signatures:
openssl sha1 name_of_file
However, both those methods require you to manually verify that the signatures match. Which is a pain.
I was downloading the latest Google App Engine SDK release (version 1.0.2, which was released two days ago apparently) when I decided to whip up a very simple Bash script that verifies SHA1 checksums for you. I'm not sure if there's existing functionality that does this for you but it was simple enough to write.
Save the following script as sha1 and set it as executable to use it (chmod +x sha1)
#! /bin/bash
hash=$(openssl sha1 $1)
if [ "SHA1(${1})= $2" = "${hash}" ]; then echo "Key is valid."; else echo "Key is _not_ valid!!!"; fi
The script is very simple and doesn't do error checking for arguments, etc.
To use it, simply type:
./sha1 name_of_file SHA1_KEY_FROM_WEBSITE
So, for the latest Google App Engine SDK release, you'd type:
./sha1 GoogleAppEngine_1.0.2.dmg 105506c6c75badfaecfe912929ffb724b5d349b1
And it should respond with Key is valid.
The Verifying SHA1 checksums on downloads article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.
You could tie it in with pbpaste, the OS X command that returns the content of the pasteboard (or clipboard for recovering Windows users). If you substitute the $2 for $(pbpaste) then it’ll just use the contents of your pastebin instead - even less work.
You could also modify the script (perhaps using a more full-featured scripting language like Ruby or Perl) to check both the second shell argument and the pasteboard and order their use. One could also do some AppleScript or cron jobbing to check one’s Downloads folder for newly downloaded files, check them against the pasteboard and do something like send a growl notification with the result of the SHA-1 check.
Great tips, Tom, thanks!