.Nm md5 , sha1 , sha224 , sha256 , sha384 ,
.Nm sha512 , sha512t224 , sha512t256 ,
.Nm rmd160 , skein256 , skein512 , skein1024 ,
.Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum ,
.Nm sha512sum , sha512t224sum , sha512t256sum ,
.Nm rmd160sum , skein256sum , skein512sum , skein1024sum ,
.Nd calculate a message-digest fingerprint (checksum) for a file
.Op Fl -ignore-missing
(All other hashes have the same options and usage.)
.Op Fl a | -algorithm Ar alg
.Op Fl -ignore-missing
.Nm md5 , sha1 , sha224 , sha256 , sha384 , sha512 , sha512t224 , sha512t256 ,
.Nm rmd160 , skein256 , skein512 ,
utilities take as input a message of arbitrary length and produce as
.Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum , sha512sum ,
.Nm sha512t224sum , sha512t256sum , rmd160sum , skein256sum , skein512sum ,
utilities do the same, but with command-line options and an output
format that match those of their similarly named GNU utilities.
utility does the same, but with command-line options and an output
format that match those of the similarly named utility that ships with
It is conjectured that it is computationally infeasible to
produce two messages having the same message digest, or to produce any
message having a given prespecified target message digest.
The SHA-224 , SHA-256 , SHA-384 , SHA-512, RIPEMD-160,
algorithms are intended for digital signature applications, where a
in a secure manner before being encrypted with a private
key under a public-key cryptosystem such as RSA.
The MD5 and SHA-1 algorithms have been proven to be vulnerable to practical
collision attacks and should not be relied upon to produce unique outputs,
.Em nor should they be used as part of a cryptographic signature scheme.
As of 2017-03-02, there is no publicly known method to
either algorithm, i.e., to find an input that produces a specific
SHA-512t256 is a version of SHA-512 truncated to only 256 bits.
On 64-bit hardware, this algorithm is approximately 50% faster than SHA-256 but
with the same level of security.
The hashes are not interchangeable.
SHA-512t224 is identical to SHA-512t256, but with the digest truncated
It is recommended that all new applications use SHA-512 or SKEIN-512
instead of one of the other hash functions.
The following options are available in BSD mode, i.e. when the program
is invoked with a name that does not end in
.Bl -tag -width indent
.It Fl c Ar string , Fl -check= Ns Ar string
Compare the digest of the file against this string.
option, the calculated digest is printed in addition to the exit status being set.
.Pq Note that this option is not yet useful if multiple files are specified.
.It Fl p , -passthrough
Echo stdin to stdout and append the checksum to stdout.
Quiet mode \(em only the checksum is printed out.
Reverses the format of the output.
This helps with visual diffs.
when combined with the
.It Fl s Ar string , Fl -string= Ns Ar string
Print a checksum of the given
.It Fl t , Fl -time-trial
Run a built-in time trial.
versions, this is a nop for compatibility with coreutils.
.It Fl x , Fl -self-test
Run a built-in test script.
The following options are available in GNU mode, i.e. when the program
is invoked with a name that ends in
.Bl -tag -width indent
.It Fl b , Fl -binary
Read files in binary mode.
The files passed as arguments must contain digest lines generated by the same
digest algorithm in either classical BSD format or in GNU coreutils format.
A line with the file name followed by a colon
and either OK or FAILED is written for each well-formed line in the digest file.
If applicable, the number of failed comparisons and the number of lines that were
skipped since they were not well-formed are printed at the end.
option can be used to quiesce the output unless there are mismatched entries in
Print a usage message and exit.
.It Fl -ignore-missing
When verifying checksums, ignore files for which checksums are given
but which aren't found on disk.
When verifying checksums, do not print anything unless the
When verifying checksums, do not print anything at all.
The exit code will reflect whether verification succeeded.
When verifying checksums, fail if the input is malformed.
Produce BSD-style output.
Read files in text mode.
Note that this implementation does not differentiate between binary
Print version information and exit.
When verifying checksums, warn about malformed input.
Terminate output lines with NUL rather than with newline.
The following options are available in Perl mode, i.e. when the program
is invoked with the name
.Bl -tag -width indent
Read files in bits mode: ASCII
characters correspond to 0 and 1 bits, respectively, and all other
characters are ignored.
.It Fl a Ar alg , Fl -algorithm Ar alg
Use the specified algorithm:
.It Fl b , Fl -binary
Read files in binary mode.
The files passed as arguments must contain digest lines generated by the same
digest algorithm in either classical BSD format or in GNU coreutils format.
A line with the file name followed by a colon
and either OK or FAILED is written for each well-formed line in the digest file.
If applicable, the number of failed comparisons and the number of lines that were
skipped since they were not well-formed are printed at the end.
option can be used to quiesce the output unless there are mismatched entries in
Print a usage message and exit.
.It Fl -ignore-missing
When verifying checksums, ignore files for which checksums are given
but which aren't found on disk.
When verifying checksums, do not print anything unless the
When verifying checksums, do not print anything at all.
The exit code will reflect whether verification succeeded.
When verifying checksums, fail if the input is malformed.
Produce BSD-style output.
Read files in text mode.
Note that this implementation does not differentiate between binary
.It Fl U , Fl -UNIVERSAL
Read files in universal mode: any CR-LF pair, as well as any CR not
followed by LF, is translated to LF before the digest is computed.
Print version information and exit.
When verifying checksums, warn about malformed input.
.Nm md5 , sha1 , sha224 , sha256 , sha384 , sha512 ,
.Nm sha512t224 , sha512t256 ,
.Nm rmd160 , skein256 , skein512 ,
utilities exit 0 on success,
1 if at least one of the input files could not be read,
and 2 if at least one file does not have the same hash as the
.Nm md5sum , sha1sum , sha224sum , sha256sum , sha384sum , sha512sum ,
.Nm sha512t224sum , sha512t256sum ,
.Nm rmd160 , skein256 , skein512 , skein1024
utilities exit 0 on success and 1 if at least one of the input files
could not be read or, when verifying checksums, does not have the
Calculate the MD5 checksum of the string
.Bd -literal -offset indent
MD5 ("Hello") = 8b1a9953c4611296a827abf8c47804d7
Same as above, but note the absence of the newline character in the input
.Bd -literal -offset indent
$ echo -n Hello | md5
8b1a9953c4611296a827abf8c47804d7
Calculate the checksum of multiple files reversing the output:
.Bd -literal -offset indent
$ md5 -r /boot/loader.conf /etc/rc.conf
ada5f60f23af88ff95b8091d6d67bef6 /boot/loader.conf
d80bf36c332dc0fdc479366ec3fa44cd /etc/rc.conf
This is almost but not quite identical to the output from GNU mode:
.Bd -literal -offset indent
$ md5sum /boot/loader.conf /etc/rc.conf
ada5f60f23af88ff95b8091d6d67bef6 /boot/loader.conf
d80bf36c332dc0fdc479366ec3fa44cd /etc/rc.conf
Note the two spaces between hash and file name.
If binary mode is requested, they are instead separated by a space and
.Bd -literal -offset indent
$ md5sum -b /boot/loader.conf /etc/rc.conf
ada5f60f23af88ff95b8091d6d67bef6 */boot/loader.conf
d80bf36c332dc0fdc479366ec3fa44cd */etc/rc.conf
.Pa /boot/loader.conf
Then calculate the checksum again and validate it against the checksum string
.Bd -literal -offset indent
$ md5 /boot/loader.conf > digest && md5 -c $(cut -f2 -d= digest) /boot/loader.conf
MD5 (/boot/loader.conf) = ada5f60f23af88ff95b8091d6d67bef6
Same as above but comparing the digest against an invalid string
.Pq Dq randomstring ,
which results in a failure.
.Bd -literal -offset indent
$ md5 -c randomstring /boot/loader.conf
MD5 (/boot/loader.conf) = ada5f60f23af88ff95b8091d6d67bef6 [ Failed ]
option does not compare against a hash string passed as parameter.
Instead, it expects a digest file, as created under the name
.Pa /boot/loader.conf
in the example above.
.Bd -literal -offset indent
$ md5 -c digest /boot/loader.conf
/boot/loader.conf: OK
The digest file may contain any number of lines in the format
generated in either BSD or GNU mode.
If a hash value does not match the file,
is printed instead of
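The following is an added example, not part of this manual page or of the utility's source: a small Python checker for digest files that accepts both line formats shown in the examples above (BSD and GNU) and reports OK or FAILED per well-formed line. The function names, the choice to count a wrong-length digest as malformed, and the constructed sample files are assumptions; the strict and ignore_missing parameters mirror the documented "fail if the input is malformed" behaviour and the --ignore-missing option.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile

# BSD mode: "SHA512 (path) = hex"; GNU mode: "hex  path" or "hex *path"
BSD_RE = re.compile(r"^[A-Za-z0-9-]+ \((.+)\) = ([0-9a-fA-F]+)$")
GNU_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_digest_line(line):
    """Return (path, hexdigest) for a well-formed line, else None."""
    line = line.rstrip("\r\n")
    if m := BSD_RE.match(line):
        return m.group(1), m.group(2).lower()
    if m := GNU_RE.match(line):
        return m.group(2), m.group(1).lower()
    return None

def verify(lines, algorithm="sha512", strict=False, ignore_missing=False):
    """Return (results, failed, malformed, ok) for the given digest lines."""
    want = hashlib.new(algorithm).digest_size * 2    # expected hex length
    results, failed, malformed = [], 0, 0
    for line in lines:
        entry = parse_digest_line(line)
        if entry is None or len(entry[1]) != want:
            malformed += 1                           # skipped and counted
            continue
        path, expected = pathlib.Path(entry[0]), entry[1]
        data = path.read_bytes() if path.is_file() else None
        if data is None and ignore_missing:
            continue                                 # listed, not on disk
        good = data is not None and hmac.compare_digest(
            hashlib.new(algorithm, data).hexdigest(), expected)
        failed += not good
        results.append(f"{path}: {'OK' if good else 'FAILED'}")
    return results, failed, malformed, not failed and not (strict and malformed)

def demo():
    """Constructed sample: two files, a stale entry, junk, a missing file."""
    d = pathlib.Path(tempfile.mkdtemp())
    (d / "a.conf").write_bytes(b"Hello")
    (d / "b.conf").write_bytes(b"Hello\n")
    good = hashlib.sha512(b"Hello").hexdigest()
    lines = [f"SHA512 ({d}/a.conf) = {good}\n",   # BSD format, matches
             f"{good}  {d}/b.conf\n",             # GNU format, file differs
             "not a digest line\n",               # malformed
             f"{good} *{d}/gone\n"]               # listed, not on disk
    return verify(lines, strict=True, ignore_missing=True)
```

Calling demo() builds the sample files in a temporary directory and returns the per-file results together with the failure count, the malformed-line count and the overall verdict.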
.%T The MD5 Message-Digest Algorithm
.%T The Secure Hash Standard
.%A D. Eastlake and P. Jones
.%T US Secure Hash Algorithm 1
RIPEMD-160 is part of the ISO draft standard
.Qq ISO/IEC DIS 10118-3
on dedicated hash functions.
Secure Hash Standard (SHS):
.Pa https://www.nist.gov/publications/secure-hash-standard-shs
.Pa https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
In bits mode, the original
script is capable of processing inputs of arbitrary length.
This implementation is not, and will issue an error if the input
length is not a multiple of eight bits.
This utility was originally derived from a program which was placed in
the public domain for free general use by RSA Data Security.
Support for SHA-1 and RIPEMD-160 was added by
.An Oliver Eikemeier Aq Mt eik@FreeBSD.org .
Support for SHA-2 was added by
.An Colin Percival Aq Mt cperciva@FreeBSD.org
.An Allan Jude Aq Mt allanjude@FreeBSD.org .
Support for SKEIN was added by
.An Allan Jude Aq Mt allanjude@FreeBSD.org .
Compatibility with GNU coreutils was added by
.An Warner Losh Aq Mt imp@FreeBSD.org
.An Dag-Erling Sm\(/orgrav Aq Mt des@FreeBSD.org ,
who also added Perl compatibility.