.Dd September 27, 2020
.Dt CHECKSUM 1
.Os
.Sh NAME
.Nm checksum
.Nm sha224sum
.Nm sha256sum
.Nm sha384sum
.Nm sha512sum
.Nd compute and check cryptographic hashes
.Sh SYNOPSIS
.Nm checksum
.Op Fl ciqs
.Fl a Ar algorithm
.Op Fl C Ar checklist
.Op Ar
.Nm sha224sum
.Op Fl ciqs
.Op Fl C Ar checklist
.Op Fl \-cache Ar cache
.Op Fl \-cache Ar cache
.Op Ar
.Nm sha256sum
.Op Fl ciqs
.Op Fl C Ar checklist
.Op Fl \-cache Ar cache
.Op Ar
.Nm sha384sum
.Op Fl ciqs
.Op Fl C Ar checklist
.Op Fl \-cache Ar cache
.Op Ar
.Nm sha512sum
.Op Fl ciqs
.Op Fl C Ar checklist
.Op Fl \-cache Ar cache
.Op Ar
.Sh DESCRIPTION
.Nm
is used to check the cryptographic integrity of files by calculating their
cryptographic hashes and later check the files retain the same hash, thus
guaranteeing it would be vanishingly unlikely the files have been modified
unless the cryptographic hash algorithm has been broken.
.Pp
.Nm
uses the requested cryptographic hash
.Ar algorithm
to calculate the hashes of the input files, or the standard input if no files
are specified.
The standard input can be specified using the
.Sq -
path.
.Pp
.Nm
writes a checklist of the inputs' hashes that can later be checked using the
.Fl c
or
.Fl C
options.
Checklists have a line for each file consisting of its checksum (the
cryptographic hash) in lowercase hexadecimal followed by two spaces and the
file's path
.Sq ( -
in case of the standard input).
.Pp
If the
.Fl c
or
.Fl C
options are set,
.Nm
instead checks the files.
It writes a line for each file containing its path followed by a colon and a
space, and
.Sq OK
if the file's hash matched the checksum or
.Sq FAILED
if it did not.
After each checklist has been processed, a diagnostic is written to the standard
error with how many files couldn't be read (if any couldn't be read), and a
diagnostic is written to the standard error with how many checksums didn't match
(if any didn't match).
.Pp
The options are as follows:
.Bl -tag -width "12345678"
.It Fl a , Fl \-algorithm Ns "=" Ns Ar algorithm
Use the case-insensitive cryptographic hash
.Ar algorithm :
.Bl -bullet -compact
.It
SHA224
.It
SHA256
.It
SHA384
.It
SHA512/256
.It
SHA512
.El
.Pp
The algorithm is set by default if
.Nm
is invoked by the
.Nm sha224sum ,
.Nm sha256sum ,
.Nm sha384sum ,
or
.Nm sha512sum
names.
.It Fl \-cache Ar cache
Cache the checksums in the
.Ar cache
file for fast answers on subsequent invocations, unless the input file is newer
than the
.Ar cache
file.
If
.Fl c
or
.Fl C ,
only use the cached checksums if they are the desired answer, otherwise recheck
the input file to be safe.
.It Fl c , Fl \-check
Each input is interpreted as a checklist of files to be checked.
.It Fl C , Fl \-checklist Ns "=" Ns Ar checklist
Check the inputs using the
.Ar checklist
file
.Sq ( -
for the standard input).
This option is useful for checking a subset of files in a checklist.
.It Fl i , Fl \-ignore-missing
Ignore non-existent files when checking.
.It Fl q , Fl \-quiet
Only mention files with the wrong hash when checking.
.It Fl s , Fl \-status
Don't mention any files when checking and only provide the exit status.
.El
.Sh EXIT STATUS
If
.Fl c
or
.Fl C
are set,
.Nm
will exit 1 if any error occurred or the checklist was malformed; and otherwise
exit 2 if any files had the wrong hash, and exit 0 if all files passed the
check.
.Pp
Otherwise
.Nm
will exit 0 if all files were hashed, or exit 1 if an error occurred.
.Sh EXAMPLES
Compute the SHA256 hash of a file:
.Bd -literal
$ sha256sum foo
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  foo
.Ed
.Pp
Check the SHA256 hash of a file:
.Bd -literal
$ sha256sum foo > foo.sha256sum
$ sha256sum -c foo.sha256sum
foo: OK
.Ed
.Pp
Check every file in a checklist and only mention failures:
.Bd -literal
$ echo foo > foo
$ echo bar > bar
$ sha256sum foo bar > checklist
$ sha256sum -cq checklist
$ echo foo > bar
$ sha256sum -cq checklist
bar: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
.Ed
.Pp
Check the hash of only some files in a checklist:
.Bd -literal
$ sha256sum foo bar qux > checklist
$ sha256sum -C checklist foo qux
foo: OK
qux: OK
.Ed
.Pp
Check the standard input is expected:
.Bd -literal
$ sha256sum < reference > checklist
$ sha256sum -C checklist < input
-: OK
.Ed
.Sh SEE ALSO
.Xr cmp 1 ,
.Xr sha2 3
.Sh HISTORY
.Nm
originally appeared in Sortix 1.1.
.Pp
.Nm
is similar to a subset of GNU
.Nm sha256sum ,
mixed with the BSD
.Fl a
and
.Fl C
extensions to POSIX
.Nm cksum .
The
.Fl iqs
short options are extensions to GNU
.Nm sha256sum ,
which only provides these features through the long options.
.Nm
is always strict and errors on malformed checklists unlike GNU
.Nm sha256sum.
.Sh CAVEATS
Insecure cryptographic hash algorithms such as MD5 and SHA1 are not
implemented.
.Pp
.Nm
does not have the
.Fl b
and
.Fl t
options from GNU sha256sum to select binary/text mode.
The text mode being default is poor design but only matters on some
implementations for Windows.
This implementation removes that complexity and always operates in binary mode.
The double space checklist delimiter is used for simplicity and compatibility as
all sensible implementations are always in binary mode by default.
The space asterisk checklist delimiter to explicitly request binary mode is not
supported for simplicity.