sha256sum Command Reference for CI Scripts
sha256sum prints or verifies the SHA-256 checksum of a file.
Checksum verification is how a pipeline confirms a downloaded binary is exactly what was published, before trusting and running it. It is a cheap supply-chain safeguard.
Common flags/usage
- sha256sum FILE: print the hash and filename
- -c FILE: verify files against a checksum list, exit non-zero on mismatch
- --status: no output, just the exit code (for scripts)
- --ignore-missing: skip files listed but absent
- macOS uses shasum -a 256 instead
Example
shell
curl -fsSL -o tool "https://example.com/${VERSION}/tool"
echo "${EXPECTED_SHA} tool" | sha256sum -c --status \
|| { echo "Checksum mismatch"; exit 1; }In CI
Pipe the expected hash and filename into sha256sum -c so the step fails on a tampered or truncated download before you execute it; --status keeps logs clean and relies on the exit code. The two-space separator between hash and filename matters. macOS runners need shasum -a 256 instead of sha256sum.
Key takeaways
- sha256sum -c verifies a download against a known hash and fails on mismatch.
- Verify checksums before executing any downloaded binary.
- macOS runners use shasum -a 256 rather than sha256sum.
Related guides
curl Command Reference for CI Scriptscurl transfers data over HTTP(S) in CI scripts. Reference for -f, -sS, -L, -o, and --retry so downloads fail…
openssl Command Reference for CI Scriptsopenssl handles certs, hashing, and encryption in CI. Reference for dgst, rand, x509, and s_client, plus comm…
base64 Command Reference for CI Scriptsbase64 encodes and decodes data for transporting secrets in CI. Reference for -d, -w0, and stdin usage, plus…
wget Command Reference for CI Scriptswget is a non-interactive downloader for CI. Reference for -O, -q, --tries, and --timeout, and why it fails o…