Skip to content
Latchkey

How to Verify Checksums for Downloaded Tools in CI

Pin the expected SHA-256 and check it with sha256sum -c so a swapped or corrupted download aborts the job.

When you curl a tool into a build, record its known-good SHA-256 and verify it with sha256sum -c before running it. A mismatch exits non-zero, so a compromised mirror cannot slip a modified binary into your pipeline.

Steps

  • Obtain the official SHA-256 for the version you pin.
  • Download the file, then verify with sha256sum -c.
  • Only chmod and run the binary after verification passes.

Terminal

Terminal
EXPECTED=9f2c...c1a  # official sha256 for the pinned version
curl -fsSL -o tool.tar.gz https://example.com/tool-v1.2.3.tar.gz
echo "${EXPECTED}  tool.tar.gz" | sha256sum -c -
tar xzf tool.tar.gz

Gotchas

  • Pin both the version and the checksum; a floating "latest" URL defeats verification.
  • Use -fsSL on curl so an HTTP error does not produce a "valid" but empty file.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →