How to Hash Files on Mac: shasum and md5 in Terminal

Introduction: Built-in Hashing on macOS

If you have ever downloaded a large file and wondered whether it arrived intact, hashing is the answer. A hash is a short fingerprint computed over a file's exact bytes — change one byte and the fingerprint changes completely. The good news for Mac users is that you do not need to install anything: macOS ships with the shasum and md5 commands built straight into the Terminal. This guide shows you, step by step, how to hash files on Mac for SHA-256, SHA-512, SHA-1 and MD5, how to verify a download against a published hash, and how to hash an entire folder at once. To follow along, open Terminal (Applications → Utilities, or press Command-Space and type "Terminal"), then cd into the folder that holds your file.

SHA-256 with shasum -a 256

SHA-256 is the everyday workhorse: fast, collision-resistant and the value most download pages publish. The shasum command picks the algorithm with the -a ("algorithm") flag, so -a 256 gives you a SHA-256 digest. Run:

shasum -a 256 ubuntu.iso

The output is a 64-character hexadecimal string followed by the file name, for example e3b0c442... ubuntu.iso. One important catch: if you omit -a, shasum defaults to SHA-1, not SHA-256 — so always type -a 256 when SHA-256 is what you want.

SHA-512 with shasum -a 512

When you want the strongest mainstream digest — for archival evidence or extra-cautious verification — switch the algorithm flag to 512:

shasum -a 512 report.pdf

SHA-512 produces a longer 128-character hash. It is the same shasum tool, just a wider output. Use it when a source publishes SHA-512 values, or when you simply want the largest safety margin.

SHA-1 with shasum -a 1

Some older projects and git repositories still publish SHA-1 values. To match against those, pass -a 1 (or just run shasum with no flag, since SHA-1 is the default):

shasum -a 1 archive.zip

SHA-1 is now considered weak for security purposes because researchers have demonstrated practical collisions. It is fine for matching legacy records or non-adversarial integrity checks, but prefer SHA-256 or SHA-512 whenever tampering is a concern.

MD5 with the md5 command

macOS has a dedicated md5 command (note: not md5sum as on Linux). Run it directly on a file:

md5 backup.tar.gz

It prints MD5 (backup.tar.gz) = ... with a 32-character hash. A clear warning, though: MD5 is cryptographically broken — an attacker can deliberately craft two different files that share the same MD5 hash, so it must never be used where tampering matters. For non-security checks — confirming a copy completed, spotting accidental corruption, or matching a vendor's legacy MD5 — it remains perfectly useful and very fast.

Verifying a Download Against a Published Hash

This is the most common real-world reason to hash a file. Reputable download pages publish the expected SHA-256 next to the file. After your download finishes, compute the hash yourself and compare:

shasum -a 256 installer.dmg

Compare the printed value, character by character, with the one on the website. If they are identical, the file is intact and untampered. If even a single character differs, the download is corrupted or has been altered — delete it and fetch it again. For a hands-free comparison you can save the published value into a file and let shasum check it for you:

echo "EXPECTED_HASH  installer.dmg" > check.txt
shasum -a 256 -c check.txt

A response of installer.dmg: OK confirms the match. If you prefer a guided, visual walkthrough, our file hash verification guide covers the same idea end to end.

Hashing Multiple Files or an Entire Folder

To fingerprint many files at once, combine find with shasum. This walks the current folder and every sub-folder, printing a SHA-256 line for each file and saving them to a manifest:

find . -type f -exec shasum -a 256 {} \; > hashes.txt

Later, you can confirm that nothing in the folder changed by re-running the check against that manifest:

shasum -a 256 -c hashes.txt

Every file that still matches prints OK; any file that was modified, moved or corrupted is flagged with FAILED. This is a simple, reliable way to baseline a project folder, a photo archive or a batch of evidence files and detect drift over time.

The Windows Equivalent: certutil or e-Dex

Switching between machines? On Windows there is no shasum, but the built-in certutil command does the same job: certutil -hashfile installer.exe SHA256 prints a SHA-256 hash from the Command Prompt. For a friendlier, click-driven workflow — multiple algorithms at once, batch folders and a signed integrity certificate — Windows users can run e-Dex, the free offline Digital Evidence Integrity Suite from Innovativa SoftTech in Pune. e-Dex is a Windows application and the practical equivalent of these macOS Terminal commands when you want a graphical tool. We cover the command-line side in our companion guides to how to hash files on Windows and hashing in Linux with sha256sum and md5sum.

Frequently Asked Questions

How do I hash a file on Mac without installing anything?
macOS ships with the shasum and md5 commands built into Terminal, so you do not need to install anything. Open Terminal, change into the file's folder with cd, and run shasum -a 256 filename to print the SHA-256 hash. For MD5 you can run md5 filename. Both commands are part of the operating system.

What command gives a SHA-256 hash on macOS?
Use shasum -a 256 filename. The -a flag selects the algorithm, so -a 256 produces a SHA-256 digest, -a 512 produces SHA-512, and -a 1 produces SHA-1. If you omit -a, shasum defaults to SHA-1, so always pass -a 256 when you want SHA-256.

Is the md5 command on Mac safe to use?
The md5 command is fine for non-security checks such as confirming a file copied correctly or detecting accidental corruption. It should not be relied on for security, because MD5 is cryptographically broken and an attacker can craft two different files with the same MD5 hash. For anything tamper-sensitive, use SHA-256 or SHA-512 instead.

How do I verify a downloaded file against a published hash on Mac?
Run shasum -a 256 on the downloaded file to compute its SHA-256 hash, then compare that value against the hash published on the download page. If the two strings match exactly the file is intact and unaltered; if even one character differs the file is corrupted or tampered and should not be used.

How do I hash every file in a folder on Mac?
Combine find with shasum, for example: find . -type f -exec shasum -a 256 {} \; which walks the current folder and prints a SHA-256 hash for every file. You can redirect the output to a manifest file with > hashes.txt and later re-run shasum -c hashes.txt to confirm nothing has changed.

Conclusion

Hashing on a Mac needs nothing more than the Terminal already on your machine: shasum -a 256 for SHA-256, shasum -a 512 and shasum -a 1 for the other SHA variants, and md5 for quick non-security checks. With those four commands you can verify any download, baseline a whole folder and catch corruption before it bites. If you also work on Windows and want a graphical, multi-algorithm tool that produces a verifiable integrity certificate, try e-Dex — the free offline Digital Evidence Integrity Suite and start proving your files are exactly what they should be.