.Nm md5 , sha1 , sha224 , sha256 , sha384 ,
.Nm sha512 , sha512t224 , sha512t256 ,
.Nm rmd160 , skein256 , skein512 , skein1024 ,
.Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum ,
.Nm sha512sum , sha512t224sum , sha512t256sum ,
.Nm rmd160sum , skein256sum , skein512sum , skein1024sum ,
.Nd calculate a message-digest fingerprint (checksum) for a file
.Op Fl -ignore-missing
(All other hashes have the same options and usage.)
.Op Fl a | -algorithm Ar alg
.Op Fl -ignore-missing
.Nm md5 , sha1 , sha224 , sha256 , sha384 , sha512 , sha512t224 , sha512t256 ,
.Nm rmd160 , skein256 , skein512 ,
utilities take as input a message of arbitrary length and produce as
.Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum , sha512sum ,
.Nm sha512t224sum , sha512t256sum , rmd160sum , skein256sum , skein512sum ,
utilities do the same, but with command-line options and an output
format that match those of their similarly named GNU utilities.
utility does the same, but with command-line options and an output
format that match those of the similarly named utility that ships with
It is conjectured that it is computationally infeasible to
produce two messages having the same message digest, or to produce any
message having a given prespecified target message digest.
The SHA-224 , SHA-256 , SHA-384 , SHA-512, RIPEMD-160,
algorithms are intended for digital signature applications, where a
in a secure manner before being encrypted with a private
key under a public-key cryptosystem such as RSA.
The MD5 and SHA-1 algorithms have been proven to be vulnerable to practical
collision attacks and should not be relied upon to produce unique outputs,
.Em nor should they be used as part of a cryptographic signature scheme.
As of 2017-03-02, there is no publicly known method to
either algorithm, i.e., to find an input that produces a specific
SHA-512t256 is a version of SHA-512 truncated to only 256 bits.
On 64-bit hardware, this algorithm is approximately 50% faster than SHA-256 but
with the same level of security.
The hashes are not interchangeable.
SHA-512t224 is identical to SHA-512t256, but with the digest truncated
It is recommended that all new applications use SHA-512 or SKEIN-512
instead of one of the other hash functions.
The following options are available in BSD mode, i.e. when the program
is invoked with a name that does not end in
.Bl -tag -width indent
.It Fl c Ar string , Fl -check= Ns Ar string
Compare the digest of the file against this string.
option, the calculated digest is printed in addition to the exit status being set.
.Pq Note that this option is not yet useful if multiple files are specified.
.It Fl p , -passthrough
Echo stdin to stdout and append the checksum to stdout.
Quiet mode \(em only the checksum is printed out.
Reverses the format of the output.
This helps with visual diffs.
when combined with the
.It Fl s Ar string , Fl -string= Ns Ar string
Print a checksum of the given
.It Fl t , Fl -time-trial
Run a built-in time trial.
versions, this is a nop for compatibility with coreutils.
.It Fl x , Fl -self-test
Run a built-in test script.
The following options are available in GNU mode, i.e. when the program
is invoked with a name that ends in
.Bl -tag -width indent
.It Fl b , Fl -binary
Read files in binary mode.
The file passed as arguments must contain digest lines generated by the same
digest algorithm in either classical BSD format or in GNU coreutils format.
A line with the file name followed by a colon
and either OK or FAILED is written for each well-formed line in the digest file.
If applicable, the number of failed comparisons and the number of lines that were
skipped since they were not well-formed are printed at the end.
option can be used to quiesce the output unless there are mismatched entries in
Print a usage message and exit.
.It Fl -ignore-missing
When verifying checksums, ignore files for which checksums are given
but which aren't found on disk.
When verifying checksums, do not print anything unless the
When verifying checksums, do not print anything at all.
The exit code will reflect whether verification succeeded.
When verifying checksums, fail if the input is malformed.
Produce BSD-style output.
Read files in text mode.
Note that this implementation does not differentiate between binary
Print version information and exit.
When verifying checksums, warn about malformed input.
Terminate output lines with NUL rather than with newline.
The following options are available in Perl mode, i.e. when the program
is invoked with the name
.Bl -tag -width indent
Read files in bits mode: ASCII
characters correspond to 0 and 1 bits, respectively, and all other
characters are ignored.
.It Fl a Ar alg , Fl -algorithm Ar alg
Use the specified algorithm:
.It Fl b , Fl -binary
Read files in binary mode.
The file passed as arguments must contain digest lines generated by the same
digest algorithm in either classical BSD format or in GNU coreutils format.
A line with the file name followed by a colon
and either OK or FAILED is written for each well-formed line in the digest file.
If applicable, the number of failed comparisons and the number of lines that were
skipped since they were not well-formed are printed at the end.
option can be used to quiesce the output unless there are mismatched entries in
Print a usage message and exit.
.It Fl -ignore-missing
When verifying checksums, ignore files for which checksums are given
but which aren't found on disk.
When verifying checksums, do not print anything unless the
When verifying checksums, do not print anything at all.
The exit code will reflect whether verification succeeded.
When verifying checksums, fail if the input is malformed.
Produce BSD-style output.
Read files in text mode.
Note that this implementation does not differentiate between binary
.It Fl U , Fl -UNIVERSAL
Read files in universal mode: any CR-LF pair, as well as any CR not
followed by LF, is translated to LF before the digest is computed.
Print version information and exit.
When verifying checksums, warn about malformed input.
.Nm md5 , sha1 , sha224 , sha256 , sha384 , sha512 ,
.Nm sha512t224 , sha512t256 ,
.Nm rmd160 , skein256 , skein512 ,
utilities exit 0 on success,
1 if at least one of the input files could not be read,
and 2 if at least one file does not have the same hash as the
.Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum , sha512sum ,
.Nm sha512t224sum , sha512t256sum ,
.Nm rmd160 , skein256 , skein512 , skein1024
utilities exit 0 on success and 1 if at least one of the input files
could not be read or, when verifying checksums, does not have the
Calculate the MD5 checksum of the string
.Bd -literal -offset indent
MD5 ("Hello") = 8b1a9953c4611296a827abf8c47804d7
Same as above, but note the absence of the newline character in the input
.Bd -literal -offset indent
$ echo -n Hello | md5
8b1a9953c4611296a827abf8c47804d7
Calculate the checksum of multiple files reversing the output:
.Bd -literal -offset indent
$ md5 -r /boot/loader.conf /etc/rc.conf
ada5f60f23af88ff95b8091d6d67bef6 /boot/loader.conf
d80bf36c332dc0fdc479366ec3fa44cd /etc/rc.conf
This is almost but not quite identical to the output from GNU mode:
.Bd -literal -offset indent
$ md5sum /boot/loader.conf /etc/rc.conf
ada5f60f23af88ff95b8091d6d67bef6  /boot/loader.conf
d80bf36c332dc0fdc479366ec3fa44cd  /etc/rc.conf
Note the two spaces between hash and file name.
If binary mode is requested, they are instead separated by a space and
.Bd -literal -offset indent
$ md5sum -b /boot/loader.conf /etc/rc.conf
ada5f60f23af88ff95b8091d6d67bef6 */boot/loader.conf
d80bf36c332dc0fdc479366ec3fa44cd */etc/rc.conf
.Pa /boot/loader.conf
Then calculate the checksum again and validate it against the checksum string
.Bd -literal -offset indent
$ md5 /boot/loader.conf > digest && md5 -c $(cut -f2 -d= digest) /boot/loader.conf
MD5 (/boot/loader.conf) = ada5f60f23af88ff95b8091d6d67bef6
Same as above but comparing the digest against an invalid string
.Pq Dq randomstring ,
which results in a failure.
.Bd -literal -offset indent
$ md5 -c randomstring /boot/loader.conf
MD5 (/boot/loader.conf) = ada5f60f23af88ff95b8091d6d67bef6 [ Failed ]
option does not compare against a hash string passed as parameter.
Instead, it expects a digest file, as created under the name
.Pa /boot/loader.conf
in the example above.
.Bd -literal -offset indent
$ md5 -c digest /boot/loader.conf
/boot/loader.conf: OK
The digest file may contain any number of lines in the format
generated in either BSD or GNU mode.
If a hash value does not match the file,
is printed instead of
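The digest-file check described above, as an added Python sketch that is not part of this manual page or of the FreeBSD sources. It accepts digest lines in either BSD or GNU format, reports OK or FAILED per well-formed line, and counts malformed lines. The names verify_digest_lines, file_digest and demo are hypothetical, and treating a missing file as FAILED is an assumption of the sketch.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD mode: "SHA512 (path) = hex". GNU mode: "hex  path", or "hex *path" with -b.
BSD_LINE = re.compile(r"^(?P<alg>[A-Za-z0-9-]+) \((?P<path>.+)\) = (?P<hex>[0-9a-fA-F]+)$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]+) [ *](?P<path>.+)$")

def file_digest(path, alg):
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_digest_lines(lines, alg="sha512", ignore_missing=False):
    """Return ([(path, "OK" or "FAILED")], failed_count, malformed_count)."""
    want_len = hashlib.new(alg).digest_size * 2
    results, failed, malformed = [], 0, 0
    for raw in lines:
        m = BSD_LINE.match(raw) or GNU_LINE.match(raw)
        tag = m.groupdict().get("alg") if m else None
        # Well-formed: digest length fits alg and a BSD tag, if any, names alg.
        if not m or len(m["hex"]) != want_len or (tag and tag.lower() != alg):
            malformed += 1
            continue
        path = Path(m["path"])
        if not path.is_file() and ignore_missing:
            continue  # same effect as --ignore-missing
        # Assumption of this sketch: a file that is not on disk counts as FAILED.
        ok = path.is_file() and file_digest(path, alg) == m["hex"].lower()
        results.append((m["path"], "OK" if ok else "FAILED"))
        failed += not ok
    return results, failed, malformed

def demo():
    # Constructed sample: two temp files and a digest list mixing both formats.
    d = Path(tempfile.mkdtemp())
    fa, fb = d / "a.conf", d / "b.conf"
    fa.write_bytes(b"Hello")
    fb.write_bytes(b"Hello\n")
    lines = [
        f"SHA512 ({fa}) = {file_digest(fa, 'sha512')}\n",    # BSD line, matches
        f"{hashlib.sha512(b'Hello').hexdigest()}  {fb}\n",  # GNU line, file has a newline
        f"8b1a9953c4611296a827abf8c47804d7  {fa}\n",        # MD5-length digest: malformed
        f"{'0' * 128} *{d / 'gone'}\n",                     # listed file is not on disk
    ]
    return verify_digest_lines(lines, ignore_missing=True)
```

Calling demo() gives one OK, one FAILED caused by the trailing newline, and one skipped malformed line; the entry for the missing file is ignored.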
.%T The MD5 Message-Digest Algorithm
.%T The Secure Hash Standard
.%A D. Eastlake and P. Jones
.%T US Secure Hash Algorithm 1
RIPEMD-160 is part of the ISO draft standard
.Qq ISO/IEC DIS 10118-3
on dedicated hash functions.
Secure Hash Standard (SHS):
.Pa https://www.nist.gov/publications/secure-hash-standard-shs
.Pa https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
In bits mode, the original
script is capable of processing inputs of arbitrary length.
This implementation is not, and will issue an error if the input
length is not a multiple of eight bits.
This utility was originally derived from a program which was placed in
the public domain for free general use by RSA Data Security.
Support for SHA-1 and RIPEMD-160 was added by
.An Oliver Eikemeier Aq Mt eik@FreeBSD.org .
Support for SHA-2 was added by
.An Colin Percival Aq Mt cperciva@FreeBSD.org
.An Allan Jude Aq Mt allanjude@FreeBSD.org .
Support for SKEIN was added by
.An Allan Jude Aq Mt allanjude@FreeBSD.org .
Compatibility with GNU coreutils was added by
.An Warner Losh Aq Mt imp@FreeBSD.org
.An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org ,
who also added Perl compatibility.