It is incredibly easy to add a malicious components (malware) to DMG files, uploading them to file sharing websites like sourceforge.net, & infecting computers on a mass scale. SHA checksum is added to DMG files like TransmissionBT1, & Handbrake.fr2 to detect file tampering.
How to check SHA checksums:
In terminal, find the file(s) you’d like to check. “
cd” command is to change directories, “
ls” is to list files in a folder.
Use the following syntax:
shamus file.dmg (Illustrated below)
The default for the shasum command is to use SHA1, the most common hash type, but this can be changed with the -a flag if necessary to 224, 256, 384, or 512.
Finally you can check the hexadecimal string on the main downloading website:
Always remember to download the files from a reputable source.