shasum — Hash a file with shasum in bash, zsh, fish, PowerShell, and cmd (BSD/macOS default) across all 5 shells
Equivalents in every shell
bash: `shasum -a 256 file.bin`
Perl wrapper bundled with macOS by default. `-a` selects the algorithm: `1` (default — SHA-1, broken), `224`, `256`, `384`, `512`, `512224`, `512256`. Output format `<hash>␣␣<filename>` (TWO spaces) — bit-compatible with GNU `sha256sum -t` text mode. `-c` checks a manifest. Most Linux distros also ship `shasum` (via Perl) for macOS-script portability.

zsh: `shasum -a 256 file.bin`
Same Perl-based wrapper. On macOS, `shasum` IS the canonical tool — there's no `sha256sum` / `sha512sum` in the base OS. macOS's `shasum` is `/usr/bin/shasum` (Perl); Homebrew's coreutils adds `g` prefixes (`gsha256sum`). For shared bash/zsh scripts targeting both Linux and macOS, `shasum -a 256` is the most portable single command.

fish: `shasum -a 256 file.bin`
Same external. Set-and-extract: `set -l h (shasum -a 256 file.bin | cut -d' ' -f1)` puts just the hash into `$h`. Fish on macOS often ships with a newer Perl than the system-`shasum` requires — verify with `shasum --help` if you hit `Can't locate Digest/SHA.pm` errors (workaround: `brew install perl`).

PowerShell: `Get-FileHash file.bin -Algorithm SHA256`
No `shasum` cmdlet — pwsh uses one cmdlet (`Get-FileHash`) with `-Algorithm` MD5 / SHA1 / SHA256 / SHA384 / SHA512. Conceptually a 1:1 mapping: `shasum -a 256` → `Get-FileHash -Algorithm SHA256`. UPPERCASE output, `.ToLower()` to match `shasum`.

cmd: `certutil -hashfile file.bin SHA256`
No native `shasum`. `certutil -hashfile X SHA256` is the closest — same algorithm choices via uppercase string. Git for Windows ships a Perl `shasum` under `C:\Program Files\Git\usr\bin\shasum` — invokable directly if Git CLI is installed. Always specify the algorithm: bare `certutil -hashfile X` defaults to SHA-1.

Worked examples
Hash a file with SHA-256, print only the hash
bash / zsh / fish: `shasum -a 256 file.bin | cut -d' ' -f1`
PowerShell: `(Get-FileHash file.bin -Algorithm SHA256).Hash.ToLower()`

Hash with SHA-512 (more bits, slower; preferred for long-term archival)
bash / zsh / fish: `shasum -a 512 file.bin`
PowerShell: `Get-FileHash file.bin -Algorithm SHA512`

Verify a SHASUMS manifest (lines of `<hash> <name>`)
bash / zsh / fish: `shasum -a 256 -c SHASUMS256.txt`
PowerShell: `Get-Content SHASUMS256.txt | ForEach-Object { $hash, $name = $_ -split "\s+", 2; if ((Get-FileHash $name.TrimStart("*") -Algorithm SHA256).Hash.ToLower() -eq $hash) { "${name}: OK" } else { "${name}: FAIL" } }`

Gotchas
- `shasum` with NO `-a` flag computes **SHA-1** by default — same legacy-default trap as `certutil` and BSD `md5`. SHA-1 is cryptographically broken; for new manifests always pass `-a 256` (or higher). Vendor verification pages older than 2017 frequently rely on the bare-`shasum` default.
- macOS bundles `/usr/bin/shasum` as the canonical hashing tool — there's no `sha256sum` to fall back to. Linux distros DO ship `shasum` (as a Perl script) — the portable answer for "hash a file with SHA-256 in a script that runs on both Linux and macOS" is `shasum -a 256`, NOT `sha256sum` (which fails on macOS) and NOT `openssl dgst -sha256` (different output format).
- Output is **lowercase** hex with TWO spaces before the filename. This is the same wire format as `sha256sum -t` (text mode), so manifests are inter-verifiable across Linux `sha256sum` and macOS `shasum -a 256`. (The mode marker depends on the mode, not the tool: `sha256sum -b` uses `*<file>` for binary, and `shasum -b` does the same. The text-mode default uses ` <file>` for both.)
- `shasum` is a Perl script — slow on multi-GB files compared to C-implemented `sha256sum` or pwsh `Get-FileHash` (which use hardware-accelerated SHA-NI / ARM crypto extensions). On a 10GB file, `shasum -a 256` can take 20–30 seconds vs 4–8 seconds for `sha256sum` vs 3–5 seconds for `Get-FileHash`. For bulk hashing, prefer the C tool.
- `shasum -a 512256` selects SHA-512/256 (truncated SHA-512 to 256 bits — RFC 6234) — a niche algorithm with the speed of SHA-512 (faster than SHA-256 on 64-bit CPUs without SHA-NI) and 256-bit output. Useful for hot-path hashing on legacy 64-bit ARM / x86_64 without crypto extensions. Mostly not what users want — flag clearly if you see this in a manifest.
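
As an added example (not part of the original page), the POSIX shell manifest check below folds several of the gotchas above into one function: it prefers `sha256sum` and falls back to `shasum -a 256`, accepts both the text and `*` binary markers, lowercases uppercase digests, and rejects 40-character (SHA-1 length) entries instead of verifying them. The function names `sha256_of` and `verify_manifest` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original page): SHA-256 manifest check that
# runs on both Linux and macOS. Function names are hypothetical.

# Print the lowercase SHA-256 of one file. Prefer the C tool when present,
# fall back to the Perl shasum that macOS ships. Reading from stdin avoids
# problems with filenames that start with '-'.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Verify every "<hash><space><marker><name>" line of a manifest.
# Prints one status per file; returns non-zero if any entry is not OK.
verify_manifest() {
    manifest=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # Get-FileHash prints uppercase hex; normalise before comparing.
        digest=$(printf '%s' "${line%% *}" | tr 'A-F' 'a-f')
        rest=${line#* }      # mode marker (' ' text, '*' binary) + name
        name=${rest#?}       # drop the one-character marker
        case $digest in
            ''|*[!0-9a-f]*) echo "$name: MALFORMED"; rc=1; continue ;;
        esac
        if [ "${#digest}" -eq 40 ]; then
            # 40 hex chars is what a bare `shasum` (SHA-1) produces.
            echo "$name: REJECTED (SHA-1 length digest)"; rc=1; continue
        elif [ "${#digest}" -ne 64 ]; then
            echo "$name: REJECTED (not a SHA-256 digest)"; rc=1; continue
        fi
        if [ ! -f "$name" ]; then
            echo "$name: MISSING"; rc=1
        elif [ "$(sha256_of "$name")" = "$digest" ]; then
            echo "$name: OK"
        else
            echo "$name: FAIL"; rc=1
        fi
    done < "$manifest"
    return "$rc"
}
```

Call `verify_manifest SHASUMS256.txt` from the directory that holds the listed files; names in the manifest are resolved relative to the current directory, as with `shasum -c`.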