Skip to content
Latchkey

sha256sum Command Reference for CI Scripts

sha256sum prints or verifies the SHA-256 checksum of a file.

Checksum verification is how a pipeline confirms a downloaded binary is exactly what was published, before trusting and running it. It is a cheap supply-chain safeguard.

Common flags/usage

  • sha256sum FILE: print the hash and filename
  • -c FILE: verify files against a checksum list, exit non-zero on mismatch
  • --status: no output, just the exit code (for scripts)
  • --ignore-missing: skip files listed but absent
  • macOS uses shasum -a 256 instead

Example

shell
curl -fsSL -o tool "https://example.com/${VERSION}/tool"
echo "${EXPECTED_SHA}  tool" | sha256sum -c --status \
  || { echo "Checksum mismatch"; exit 1; }

In CI

Pipe the expected hash and filename into sha256sum -c so the step fails on a tampered or truncated download before you execute it; --status keeps logs clean and relies on the exit code. The two-space separator between hash and filename matters. macOS runners need shasum -a 256 instead of sha256sum.

Key takeaways

  • sha256sum -c verifies a download against a known hash and fails on mismatch.
  • Verify checksums before executing any downloaded binary.
  • macOS runners use shasum -a 256 rather than sha256sum.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →