Skip to content
Latchkey

openssl dgst: Hashing and HMAC in CI

openssl dgst hashes a file with a chosen algorithm and can compute keyed HMACs.

For checksums and HMAC verification, dgst is portable across every runner that ships OpenSSL. Watch the output format when comparing against sha256sum.

What it does

openssl dgst computes a cryptographic digest of its input. With -hmac it produces a keyed HMAC instead of a plain hash. Output is "algorithm(file)= hex" unless you ask for raw bytes with -binary.

Common usage

Terminal
openssl dgst -sha256 file.tar.gz
openssl dgst -sha256 -hmac "secretkey" payload.json
# raw bytes, e.g. to base64 an HMAC for a signature header
openssl dgst -sha256 -hmac "key" -binary payload | openssl enc -base64

Options

FlagWhat it does
-sha256 / -sha512 / -md5Select the digest algorithm
-hmac <key>Compute an HMAC with the given key
-binaryOutput raw bytes instead of hex
-hexForce hex output (the default)
-out <file>Write the digest to a file

In CI

openssl dgst prints "SHA256(file)= abc..." while sha256sum prints "abc... file"; comparing the two raw strings fails even when the hash matches. Normalize one side, or use sha256sum consistently for checksum gates.

Common errors in CI

"unknown option" on a digest name means an OpenSSL build where that algorithm moved to the legacy provider (md5 on hardened 3.x builds). A mismatched HMAC almost always comes from trailing newlines in the payload; hash the exact bytes the other side signed.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →