How to check the SHA checksum using shell script

Check the SHA checksum using shell script.

The issue

Many times the SHA checksum is provided as is, checksum file contains only a checksum.

$ ls -l

total 2728
-rw-rw-r-- 1 milosz milosz 2788190 Feb  7 16:15 starship-x86_64-unknown-linux-gnu.tar.gz
-rw-rw-r-- 1 milosz milosz      65 Feb 23 01:34 starship-x86_64-unknown-linux-gnu.tar.gz.sha256

$ cat starship-x86_64-unknown-linux-gnu.tar.gz.sha256 

d99fda409e1be96b07a8687bdbb1162e75c4a3c4301e7bf853dfd01dcb34a33

This creates a problem for standard utilities.

$ shasum --check starship-x86_64-unknown-linux-gnu.tar.gz.sha256 

shasum: starship-x86_64-unknown-linux-gnu.tar.gz.sha256: no properly formatted SHA checksum lines found

As these expect a filename associated with given checksum using GNU or BSD format.

$ shasum --algorithm 1 starship-x86_64-unknown-linux-gnu.tar.gz | tee starship-x86_64-unknown-linux-gnu.tar.gz.sha1

3abb968ef9afc057cd51af32f38fe398701421e1  starship-x86_64-unknown-linux-gnu.tar.gz

$ shasum --tag --algorithm 1 starship-x86_64-unknown-linux-gnu.tar.gz | tee starship-x86_64-unknown-linux-gnu.tar.gz.sha1

SHA1 (starship-x86_64-unknown-linux-gnu.tar.gz) = 3abb968ef9afc057cd51af32f38fe398701421e1

Such checksum can be verified without any issues.

$ shasum --check starship-x86_64-unknown-linux-gnu.tar.gz.sha1

starship-x86_64-unknown-linux-gnu.tar.gz: OK

The solution

The solution is to create a simple shell script that will perform additional steps to verify SHA checksum.

#!/bin/bash
# verify file checksum from a file

# checksum algorithms
algorithms=( 1 224 256 384 512 512224 512256 )

# file to check
file="$1"

# execute when there is one parameter
if [ "$#" -eq "1" ]; then
  # check if file exist
  if [ -f "${file}" ]; then
    # find checksum file
    for algorithm in "${algorithms[@]}"; do
      if [ -f "${file}.sha${algorithm}" ]; then
        echo "Found SHA${algorithm} checksum"
        words="$(wc -w < ${file}.sha${algorithm})"
        # verify checksum and pass the exit code
        if [ "$words" == "1" ]; then
          shasum --algorithm $algorithm --check <(echo $(cat ${file}.sha${algorithm})\ \ $file)
          exit $?
        elif [ "$words" == "2" ] || [ "$words" == "4" ]; then
          shasum --algorithm $algorithm --check ${file}.sha${algorithm}
          exit $?
        fi
      fi
    done
  fi
fi

This will automatically check SHA checksum (GNU or BSD style).

$ chkfile starship-x86_64-unknown-linux-gnu.tar.gz

Found SHA1 checksum
starship-x86_64-unknown-linux-gnu.tar.gz: OK

It will also work with a file that contains only checksum.

$ chkfile starship-x86_64-unknown-linux-gnu.tar.gz

Found SHA256 checksum
starship-x86_64-unknown-linux-gnu.tar.gz: OK

You will be informed in case of trouble.

$ chkfile starship-x86_64-unknown-linux-gnu.tar.gz

Found SHA256 checksum
starship-x86_64-unknown-linux-gnu.tar.gz: FAILED
shasum: WARNING: 1 computed checksum did NOT match

You can extend it a bit to return different exit code when a file or its checksum is not found. I leave it to you.