openssl dgst: Hashing and HMAC in CI
openssl dgst hashes a file with a chosen algorithm and can compute keyed HMACs.
For checksums and HMAC verification, dgst is portable across every runner that ships OpenSSL. Watch the output format when comparing against sha256sum.
What it does
openssl dgst computes a cryptographic digest of its input. With -hmac it produces a keyed HMAC instead of a plain hash. Output is "algorithm(file)= hex" unless you ask for raw bytes with -binary.
Common usage
openssl dgst -sha256 file.tar.gz
openssl dgst -sha256 -hmac "secretkey" payload.json
# raw bytes, e.g. to base64 an HMAC for a signature header
openssl dgst -sha256 -hmac "key" -binary payload | openssl enc -base64Options
| Flag | What it does |
|---|---|
| -sha256 / -sha512 / -md5 | Select the digest algorithm |
| -hmac <key> | Compute an HMAC with the given key |
| -binary | Output raw bytes instead of hex |
| -hex | Force hex output (the default) |
| -out <file> | Write the digest to a file |
In CI
openssl dgst prints "SHA256(file)= abc..." while sha256sum prints "abc... file"; comparing the two raw strings fails even when the hash matches. Normalize one side, or use sha256sum consistently for checksum gates.
Common errors in CI
"unknown option" on a digest name means an OpenSSL build where that algorithm moved to the legacy provider (md5 on hardened 3.x builds). A mismatched HMAC almost always comes from trailing newlines in the payload; hash the exact bytes the other side signed.