6 .Nm md5 , sha1 , sha224 , sha256 , sha384 ,
7 .Nm sha512 , sha512t224 , sha512t256 ,
8 .Nm rmd160 , skein256 , skein512 , skein1024 ,
9 .Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum ,
10 .Nm sha512sum , sha512t224sum , sha512t256sum ,
11 .Nm rmd160sum , skein256sum , skein512sum , skein1024sum ,
13 .Nd calculate a message-digest fingerprint (checksum) for a file
26 .Op Fl -ignore-missing
37 (All other hashes have the same options and usage.)
42 .Op Fl a | -algorithm Ar alg
46 .Op Fl -ignore-missing
58 .Nm md5 , sha1 , sha224 , sha256 , sha384 , sha512 , sha512t224 , sha512t256 ,
59 .Nm rmd160 , skein256 , skein512 ,
62 utilities take as input a message of arbitrary length and produce as
70 .Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum , sha512sum ,
71 .Nm sha512t224sum , sha512t256sum , rmd160sum , skein256sum , skein512sum ,
74 utilities do the same, but with command-line options and an output
75 format that match those of their similary named GNU utilities.
79 utility does the same, but with command-line options and an output
80 format that match those of the similarly named utility that ships with
83 It is conjectured that it is computationally infeasible to
84 produce two messages having the same message digest, or to produce any
85 message having a given prespecified target message digest.
86 The SHA-224 , SHA-256 , SHA-384 , SHA-512, RIPEMD-160,
88 algorithms are intended for digital signature applications, where a
91 in a secure manner before being encrypted with a private
93 key under a public-key cryptosystem such as RSA.
95 The MD5 and SHA-1 algorithms have been proven to be vulnerable to practical
96 collision attacks and should not be relied upon to produce unique outputs,
97 .Em nor should they be used as part of a cryptographic signature scheme.
98 As of 2017-03-02, there is no publicly known method to
100 either algorithm, i.e., to find an input that produces a specific
103 SHA-512t256 is a version of SHA-512 truncated to only 256 bits.
104 On 64-bit hardware, this algorithm is approximately 50% faster than SHA-256 but
105 with the same level of security.
106 The hashes are not interchangeable.
108 SHA-512t224 is identical to SHA-512t256, but with the digest truncated
111 It is recommended that all new applications use SHA-512 or SKEIN-512
112 instead of one of the other hash functions.
114 The following options are available in BSD mode, i.e. when the program
115 is invoked with a name that does not end in
117 .Bl -tag -width indent
118 .It Fl c Ar string , Fl -check= Ns Ar string
119 Compare the digest of the file against this string.
124 option, the calculated digest is printed in addition to the exit status being set.
125 .Pq Note that this option is not yet useful if multiple files are specified.
126 .It Fl p , -passthrough
127 Echo stdin to stdout and append the checksum to stdout.
129 Quiet mode \(em only the checksum is printed out.
136 Reverses the format of the output.
137 This helps with visual diffs.
139 when combined with the
142 .It Fl s Ar string , Fl -string= Ns Ar string
143 Print a checksum of the given
145 .It Fl t , Fl -time-trial
146 Run a built-in time trial.
149 versions, this is a nop for compatibility with coreutils.
150 .It Fl x , Fl -self-test
151 Run a built-in test script.
154 The following options are available in GNU mode, i.e. when the program
155 is invoked with a name that ends in
157 .Bl -tag -width indent
158 .It Fl b , Fl -binary
159 Read files in binary mode.
161 The file passed as arguments must contain digest lines generated by the same
162 digest algorithm in either classical BSD format or in GNU coreutils format.
163 A line with the file name followed by a colon
165 and either OK or FAILED is written for each well-formed line in the digest file.
166 If applicable, the number of failed comparisons and the number of lines that were
167 skipped since they were not well-formed are printed at the end.
170 option can be used to quiesce the output unless there are mismatched entries in
173 Print a usage message and exit.
174 .It Fl -ignore-missing
175 When verifying checksums, ignore files for which checksums are given
176 but which aren't found on disk.
178 When verifying checksums, do not print anything unless the
181 When verifying checksums, do not print anything at all.
182 The exit code will reflect whether verification succeeded.
184 When verifying checksums, fail if the input is malformed.
186 Produce BSD-style output.
188 Read files in text mode.
190 Note that this implementation does not differentiate between binary
193 Print version information and exit.
195 When verifying checksums, warn about malformed input.
197 Terminate output lines with NUL rather than with newline.
200 The following options are available in Perl mode, i.e. when the program
201 is invoked with the name
203 .Bl -tag -width indent
205 Read files in bits mode: ASCII
209 characters correspond to 0 and 1 bits, respectively, and all other
210 characters are ignored.
213 .It Fl a Ar alg , Fl -algorithm Ar alg
214 Use the specified algorithm:
232 .It Fl b , Fl -binary
233 Read files in binary mode.
235 The file passed as arguments must contain digest lines generated by the same
236 digest algorithm in either classical BSD format or in GNU coreutils format.
237 A line with the file name followed by a colon
239 and either OK or FAILED is written for each well-formed line in the digest file.
240 If applicable, the number of failed comparisons and the number of lines that were
241 skipped since they were not well-formed are printed at the end.
244 option can be used to quiesce the output unless there are mismatched entries in
247 Print a usage message and exit.
248 .It Fl -ignore-missing
249 When verifying checksums, ignore files for which checksums are given
250 but which aren't found on disk.
252 When verifying checksums, do not print anything unless the
255 When verifying checksums, do not print anything at all.
256 The exit code will reflect whether verification succeeded.
258 When verifying checksums, fail if the input is malformed.
260 Produce BSD-style output.
262 Read files in text mode.
264 Note that this implementation does not differentiate between binary
266 .It Fl U , Fl -UNIVERSAL
267 Read files in universal mode: any CR-LF pair, as well as any CR not
268 followed by LF, is translated to LF before the digest is computed.
270 Print version information and exit.
272 When verifying checksums, warn about malformed input.
276 .Nm md5 , sha1 , sha224 , sha256 , sha512 , sha512t224 , sha512t256 ,
277 .Nm rmd160 , skein256 , skein512 ,
280 utilities exit 0 on success,
281 1 if at least one of the input files could not be read,
282 and 2 if at least one file does not have the same hash as the
287 .Nm md5sum , sha1sum , sha224sum , sha256sum , sha512sum ,
288 .Nm sha512t224sum , sha512t256sum ,
289 .Nm rmd160 , skein256 , skein512 , skein1024
292 utilities exit 0 on success and 1 if at least one of the input files
293 could not be read or, when verifying checksums, does not have the
296 Calculate the MD5 checksum of the string
298 .Bd -literal -offset indent
300 MD5 ("Hello") = 8b1a9953c4611296a827abf8c47804d7
303 Same as above, but note the absence of the newline character in the input
305 .Bd -literal -offset indent
306 $ echo -n Hello | md5
307 8b1a9953c4611296a827abf8c47804d7
310 Calculate the checksum of multiple files reversing the output:
311 .Bd -literal -offset indent
312 $ md5 -r /boot/loader.conf /etc/rc.conf
313 ada5f60f23af88ff95b8091d6d67bef6 /boot/loader.conf
314 d80bf36c332dc0fdc479366ec3fa44cd /etc/rc.conf
317 This is almost but not quite identical to the output from GNU mode:
318 .Bd -literal -offset indent
319 $ md5sum /boot/loader.conf /etc/rc.conf
320 ada5f60f23af88ff95b8091d6d67bef6 /boot/loader.conf
321 d80bf36c332dc0fdc479366ec3fa44cd /etc/rc.conf
324 Note the two spaces between hash and file name.
325 If binary mode is requested, they are instead separated by a space and
327 .Bd -literal -offset indent
328 $ md5sum -b /boot/loader.conf /etc/rc.conf
329 ada5f60f23af88ff95b8091d6d67bef6 */boot/loader.conf
330 d80bf36c332dc0fdc479366ec3fa44cd */etc/rc.conf
334 .Pa /boot/loader.conf
337 Then calculate the checksum again and validate it against the checksum string
341 .Bd -literal -offset indent
342 $ md5 /boot/loader.conf > digest && md5 -c $(cut -f2 -d= digest) /boot/loader.conf
343 MD5 (/boot/loader.conf) = ada5f60f23af88ff95b8091d6d67bef6
346 Same as above but comparing the digest against an invalid string
347 .Pq Dq randomstring ,
348 which results in a failure.
349 .Bd -literal -offset indent
350 $ md5 -c randomstring /boot/loader.conf
351 MD5 (/boot/loader.conf) = ada5f60f23af88ff95b8091d6d67bef6 [ Failed ]
356 option does not compare against a hash string passed as parameter.
357 Instead, it expects a digest file, as created under the name
360 .Pa /boot/loader.conf
361 in the example above.
362 .Bd -literal -offset indent
363 $ md5 -c digest /boot/loader.conf
364 /boot/loader.conf: OK
367 The digest file may contain any number of lines in the format
368 generated in either BSD or GNU mode.
369 If a hash value does not match the file,
371 is printed instead of
384 .%T The MD5 Message-Digest Algorithm
389 .%T The Secure Hash Standard
393 .%A D. Eastlake and P. Jones
394 .%T US Secure Hash Algorithm 1
398 RIPEMD-160 is part of the ISO draft standard
399 .Qq ISO/IEC DIS 10118-3
400 on dedicated hash functions.
402 Secure Hash Standard (SHS):
403 .Pa https://www.nist.gov/publications/secure-hash-standard-shs
406 .Pa https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
408 In bits mode, the original
410 script is capable of processing inputs of arbitrary length.
411 This implementation is not, and will issue an error if the input
412 length is not a multiple of eight bits.
415 This utility was originally derived from a program which was placed in
416 the public domain for free general use by RSA Data Security.
418 Support for SHA-1 and RIPEMD-160 was added by
419 .An Oliver Eikemeier Aq Mt eik@FreeBSD.org .
421 Support for SHA-2 was added by
422 .An Colin Percival Aq Mt cperciva@FreeBSD.org
424 .An Allan Jude Aq Mt allanjude@FreeBSD.org .
426 Support for SKEIN was added by
427 .An Allan Jude Aq Mt allanjude@FreeBSD.org .
429 Compatibility with GNU coreutils was added by
430 .An Warner Losh Aq Mt imp@FreeBSD.org
432 .An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org ,
433 who also added Perl compatibility.