Verify your downloads
Check that software from places beyond the Mac App Store is legit
REQUIRES
Terminal, and a SHA-1 or SHA-256 checksum for your downloaded file
YOU WILL LEARN
How to take a “fingerprint” of a downloaded file, and verify the file hasn’t been tampered with
IT WILL TAKE
5 minutes
It recently came to light that one of the servers that delivers the HandBrake video encoding app contained a compromised version of the software that included Mac-specific malware. So this is the perfect opportunity to brush up on some simple protective steps – or learn about them for the first time – that you can take when downloading files from places other than the Mac App Store – including some from Apple’s site.
Don’t assume that software from an official source, such as an app’s website, has not been altered by someone with malicious intent. HandBrake’s situation is a perfect example of this trap.
Alongside the file you download, some publishers post a checksum, which is a kind of fingerprint that should be unique and can be used to verify that a file hasn’t been tampered with since its publication. You only need to enter a command in Terminal to generate a checksum for your copy of a file, and then compare it against the publisher’s own – the walkthrough below includes an easy way to compare the long strings of letters and numbers.
Checksums aren’t infallible, though. The idea is that, given a particular file as input, a hash algorithm produces a checksum value that no other input shares. More than a decade ago, it was shown to be fairly trivial to produce the same checksum for two different inputs to the old MD5 algorithm – and that it could be done in just seconds. MD5 thus fell out of favor, because a matching MD5 checksum can’t say with much certainty that malware hasn’t been cleverly inserted into a file in a way you wouldn’t notice until it’s too late. Many publishers now use the SHA-1 or SHA-256 algorithm for their checksums.
HandBrake’s checksums are published at bit.ly/2q2KGYe; check for something similar wherever you download files, and follow the steps below to check your download against the published value.
Apple lists steps at bit.ly/2qsGUYg on how to check that software downloaded manually from its website hasn’t been altered.