sha1sum — Hash a file with SHA-1 in bash, zsh, fish, PowerShell, and cmd (integrity-only — not for security) across all 5 shells
Equivalents in every shell
sha1sum file.binGNU coreutils. 40-hex output, lowercase, same `<hash>␣␣<filename>` layout as `sha256sum`. `--check` / `-c` for manifest verification. **SHA-1 is cryptographically broken** — practical collision attacks since 2017 (Google `SHAttered`). Acceptable only for legacy compatibility (git's object IDs, older TLS chains, OpenPGP keys created pre-2017) and never for new security-critical applications.
sha1sum file.binExternal GNU binary on Linux. macOS ships BSD `shasum -a 1 file.bin` (default algorithm — `shasum file.bin` alone gives SHA-1) instead of `sha1sum`. The output format differs (single space, no mode marker) — for cross-OS GNU-style output, `shasum -a 1 file.bin | sed 's/ / /'`.
sha1sum file.binSame external binary. Fish lacks bash's `<()` process-substitution; for inline-verification `sha1sum -c (echo "<hash> file.bin" | psub)`. Useful when piping a download through `tee` for simultaneous save + hash.
Get-FileHash file.bin -Algorithm SHA1`Get-FileHash -Algorithm SHA1` returns the standard `FileHashInfo` (40-char UPPERCASE hex). Same .ToLower() normalization rule. pwsh prints no deprecation warning despite SHA-1's broken status — be deliberate about why you're using it (most likely: legacy compatibility, git interaction, or matching a vendor-provided hash on a tarball older than 2017).
certutil -hashfile file.bin SHA13-line verbose output as with MD5 / SHA-256. SHA-1 is also `certutil`'s default if you OMIT the algorithm — `certutil -hashfile file.bin` (no algorithm arg) computes SHA-1. This is a footgun: scripts that copy/paste `certutil -hashfile X` without an algorithm get SHA-1 silently. Always specify: `certutil -hashfile X SHA256`.
Worked examples
Hash a file and print only the hash
sha1sum file.bin | cut -d' ' -f1(Get-FileHash file.bin -Algorithm SHA1).Hash.ToLower()for /f "skip=1 tokens=1" %i in ('certutil -hashfile file.bin SHA1 ^| findstr /v ":"') do @echo %iVerify a downloaded tarball against a vendor-provided SHA-1
echo "da39a3ee5e6b4b0d3255bfef95601890afd80709 release.tar.gz" | sha1sum -c(Get-FileHash release.tar.gz -Algorithm SHA1).Hash.ToUpper() -eq "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"Compute the SHA-1 of a git blob (matches what `git hash-object` reports)
{ printf "blob %d\0" "$(wc -c < file)"; cat file; } | sha1sum | cut -d' ' -f1git hash-object file # the simplest way; pure pwsh requires manually prepending the "blob <size>\0" header before hashingGotchas
- **SHA-1 is cryptographically broken.** The Google `SHAttered` attack (Feb 2017) produced two distinct PDFs with the same SHA-1 hash. NEVER use SHA-1 for digital signatures, TLS chain pinning, or password storage. Acceptable only for legacy interop (git, older OpenPGP / SSL chains, pre-2017 vendor checksum pages). SHA-2 family (SHA-256, SHA-384, SHA-512) is the modern replacement; SHA-3 is also broadly available.
- Default-algorithm trap: cmd `certutil -hashfile X` (no algorithm specified) computes **SHA-1**, not SHA-256. Always pass the algorithm explicitly. BSD `shasum` (macOS) also defaults to SHA-1 when called with no `-a`. By contrast, pwsh `Get-FileHash` defaults to SHA-256 (since pwsh 4) — three different defaults across three tools is a recipe for accidentally weak hashes.
- Git uses SHA-1 for object IDs and refs — the broken-ness of SHA-1 affects git in theory but not in practice (the SHAttered attack requires equal-size colliding inputs; git fights collisions by also hashing the blob header `blob <size>\0` prefix, which an attacker cannot freely manipulate while preserving size). Git is migrating to SHA-256 (`git init --object-format=sha256`) but it's not the default in 2026.
- pwsh SHA-1 hashes are UPPERCASE; bash `sha1sum` is lowercase — same normalization rule as MD5 / SHA-256.
- For TLS certificate fingerprints, SHA-1 is still presented by browsers / `openssl x509 -fingerprint` for compatibility, but you should prefer SHA-256 for pinning. Cert pin code that compares SHA-1 fingerprints today should be flagged as a security gap, not as a "works fine" choice.