Is possible to know the Checksums of any Install MacOS X?

Hello jedikeeper,

That GitHub page has instructions for running the shasum command. You would just change the starting path from "/Applications" to wherever your files are installed.

However, that GitHub page is also completely invalid. I don't know what it is trying to claim. It is only running the checksum against one file in the installer package. It would be trivially easy to re-package that into a malware installer that passes the checksum test in flying colours. Strong cryptography is important, but so is knowing your domain and asking the right questions.

jedikeeper wrote:

So in few words, I only have to move the file "Install MacOS Sierra" TO "/Applications" and follow the instructions of GitHub page for running the shasum command? just to check if I understood

Thanks

I wouldn't recommend that. I suggest running the following command in the Terminal:

shasum "/Volumes/Install macOS Sierra/Install*OS*.app/Contents/SharedSupport/InstallESD.dmg"

(That should all be on one line.)

(And it is conveniently broken on a space character which is not optional.)

Why do you even want to do this in the first place?

dialabrain is correct that macOS installers, and your currently running macOS version have built-in security checks for these kinds of things. But those security checks are meant for files downloaded over the internet. I am not sure if they would apply to something you copied from an SD card. Furthermore, my point above was that there is no guarantee this file is a macOS installer. You could run the above command and it would probably print out a valid checksum. But that doesn't mean anything. It doesn't mean this is a valid installer.

The whole circumstances of some random file on an SD card and someone trying to perform a fatally flawed manual security check on said file is highly suspicious. Again, why are you doing this? Where did this file and the SD card come from? The only valid way to get Sierra is by downloading it. If you didn't download this file, do NOT copy it to your machine.

jedikeeper wrote:

I want to do this in first place and why I am doing this? is because every time I read at MacRumors a new build was released and ready to download from the Apple Store I created a bootable medias and save them in a SD Cards, the SD cards are the only storage media my old work always gave us as storage media, So I have a lot of previous versions I don't need anymore and I want to delete

Can you please elaborate "I am not sure if they would apply to something you copied from an SD card" I didn't get what do you mean

Hello again jedikeeper,

I was concerned that maybe someone had given or sold these SD cards to you so that you could avoid the massive download. I thought maybe you were trying to use this checksum as a means to validate the integrity and security of the installer.

If these are SD cards you made yourself and downloads that you made yourself, then obviously you don't have to worry about that.

I took a quick look at my archived files and I can't find any better way to see what the underlying download version is.

However, I would take this one step further. I suggest every year you just download a new copy of every installer in your purchase history. Take care to jump through the new hoops that Apple has added with Sierra (How to download macOS High Sierra - Apple Support) and probably High Sierra later. This way, you will always have the latest version of old installers. Plus, you will get a new installer with potentially a longer-lasting certificate. Sometimes those things expire. If you have installers form 2+ years ago, they may not even work anymore. Maybe test them with the wonderful Parallels Desktop Lite on the Mac App Store.

Assuming the values are correct, yes.

I checked the installer for 10.12.4 Sierra (16E195) and it was correct.

etresoft is correct. However, as far as I know, the macOS installers are self-verifying and will give an error if damaged or tampered with. I don't know if there is a way to bypass the check. Perhaps etresoft can elaborate.

I can verify what etresoft had to say about installers expiring. I had a couple that seemed to fail to work after an extended period of time and had to re-download them. Of course you could always just keep the ones you have and if you have need to install one of them, you can always download the latest combo update to bring the installation current.

You're welcome.