It's very easy to test the download to make sure that the checksum is valid. For MD5 checksums, you simply type:
md5 name_of_file
And for SHA1 checksums:
openssl sha1 name_of_file
However, both those methods require you to manually verify that the checksums match. Which is a pain.
I was downloading the latest Google App Engine SDK release (version 1.0.2, which was released two days ago apparently) when I decided to whip up a very simple Bash script that verifies SHA1 checksums for you. I'm not sure if there's existing functionality that does this for you but it was simple enough to write.
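Save the following script as sha1 and set it as executable to use it (chmod +x sha1):
#!/bin/bash
# Compute the SHA1 digest; "$1" is quoted so file names with spaces work.
hash=$(openssl sha1 "$1")
# openssl prints "SHA1(name_of_file)= <digest>", so build the same string to compare.
if [ "SHA1(${1})= $2" = "${hash}" ]; then echo "Key is valid."; else echo "Key is _not_ valid!!!"; fi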
The script is very simple and doesn't do error checking for arguments, etc.
To use it, simply type:
./sha1 name_of_file SHA1_KEY_FROM_WEBSITE
So, for the latest Google App Engine SDK release, you'd type:
./sha1 GoogleAppEngine_1.0.2.dmg 105506c6c75badfaecfe912929ffb724b5d349b1
And it should respond with Key is valid.
The Verifying SHA1 checksums on downloads article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.

You could tie it in with pbpaste, the OS X command that returns the content of the pasteboard (or clipboard for recovering Windows users). If you substitute the $2 for $(pbpaste) then it’ll just use the contents of your pastebin instead – even less work.
You could also modify the script (perhaps using a more full-featured scripting language like Ruby or Perl) to check both the second shell argument and the pasteboard and order their use. One could also do some AppleScript or cron jobbing to check one’s Downloads folder for newly downloaded files, check them against the pasteboard and do something like send a growl notification with the result of the SHA-1 check.
Great tips, Tom, thanks! :)