It is incredibly easy to add malicious components (malware) to DMG files, upload them to file-sharing websites like sourceforge.net, and infect computers on a mass scale. A SHA checksum is provided with DMG files like TransmissionBT [1] and Handbrake.fr [2] to detect file tampering.

How to check SHA checksums:

In Terminal, find the file(s) you’d like to check. The “cd” command changes directories, and “ls” lists the files in a folder.

Use the following syntax: shasum file.dmg

The default for the shasum command is to use SHA1, the most common hash type, but this can be changed with the -a flag if necessary to 224, 256, 384, or 512.

Finally, compare the hexadecimal string that shasum prints with the one shown on the main downloading website. The two strings must match exactly.

Always remember to download the files from a reputable source.

1. Popular BitTorrent Client Transmission Gets Infected With Malware Again
2. HandBrake hacked to drop new variant of Proton malware