SHA1 is a broken and proven vulnerable algorithm. The article may be rewritten with SHA256 (unbroken, as of Jan 2022), or some other safer alternative as the title and the main focus.
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages) This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (July 2021) (Learn how and when to remove this template message)This article provides insufficient context for those unfamiliar with the subject. Please help improve the article by providing more context for the reader. (July 2021) (Learn how and when to remove this template message) (Learn how and when to remove this template message)

sha1sum is a computer program that calculates and verifies SHA-1 hashes. It is commonly used to verify the integrity of files. It (or a variant) is installed by default on most Linux distributions. Typically distributed alongside sha1sum are sha224sum, sha256sum, sha384sum and sha512sum, which use a specific SHA-2 hash function and b2sum,[1] which uses the BLAKE2 cryptographic hash function.

The SHA-1 variants are proven vulnerable to collision attacks, and users should instead use, for example, a SHA-2 variant such as sha256sum or the BLAKE2 variant b2sum to prevent tampering by an adversary.[2][3]

It is included in GNU Core Utilities,[4] Busybox (excluding b2sum),[5] and Toybox (excluding b2sum).[6] Ports to a wide variety of systems are available, including Microsoft Windows.

Examples

To create a file with a SHA-1 hash in it, if one is not provided:

$ sha1sum filename [filename2] ... > SHA1SUM

If distributing one file, the .sha1 file extension may be appended to the filename e.g.:

$ sha1sum --binary my-zip.tar.gz > my-zip.tar.gz.sha1

The output contains one line per file of the form "{hash} SPACE (ASTERISK|SPACE) [{directory} SLASH] {filename}". (Note well, if the hash digest creation is performed in text mode instead of binary mode, then there will be two space characters instead of a single space character and an asterisk.) For example:

$ sha1sum -b my-zip.tar.gz
d5db29cd03a2ed055086cef9c31c252b4587d6d0 *my-zip.tar.gz
$ sha1sum -b subdir/filename2
55086cef9c87d6d031cd5db29cd03a2ed0252b45 *subdir/filename2

To verify that a file was downloaded correctly or that it has not been tampered with:

$ sha1sum -c SHA1SUM
filename: OK
filename2: OK
$ sha1sum -c my-zip.tar.gz.sha1
my-zip.tar.gz: OK

Hash file trees

sha1sum can only create checksums of one or multiple files inside a directory, but not of a directory tree, i.e. of subdirectories, sub-subdirectories, etc. and the files they contain. This is possible by using sha1sum in combination with the find command with the -exec option, or by piping the output from find into xargs. sha1deep can create checksums of a directory tree.

To use sha1sum with find:

$ find s_* -type f -exec sha1sum '{}' \;
65c23f142ff6bcfdddeccebc0e5e63c41c9c1721  s_1/file_s11
d3d59905cf5fc930cd4bf5b709d5ffdbaa9443b2  s_2/file_s21
5590e00ea904568199b86aee4b770fb1b5645ab8  s_a/file_02

Likewise, piping the output from find into xargs yields the same output:

$ find s_* -type f | xargs sha1sum
65c23f142ff6bcfdddeccebc0e5e63c41c9c1721  s_1/file_s11
d3d59905cf5fc930cd4bf5b709d5ffdbaa9443b2  s_2/file_s21
5590e00ea904568199b86aee4b770fb1b5645ab8  s_a/file_02

Related programs

See also

References

  1. ^ "b2sum source code in GNU coreutils". GNU coreutils mirror at GitHub. Retrieved 29 Jan 2022.((cite web)): CS1 maint: url-status (link)
  2. ^ Bruce Schneier. "Cryptanalysis of SHA-1". Schneier on Security.
  3. ^ "Announcing the first SHA1 collision".
  4. ^ "Sha1sum invocation (GNU Coreutils 9.0)".
  5. ^ "Mirror/Busybox". 26 October 2021.
  6. ^ "Landley/Toybox". 26 October 2021.
  7. ^ shasum(1) – Linux General Commands Manual
  8. ^ sha3sum(1) – Linux General Commands Manual
  9. ^ md5(1) – FreeBSD General Commands Manual