notpeter / apple-installer-checksums Goto Github PK

Checksum for macOS Monterey 12.6.3's SharedSupport.dmg is 43fd6b9d10021de7ae7430db9fbafa70d3d5c8d1.

As it was mentioned in #65 -- some older macOS installer packages/archives include an expired certificate and no longer extract/install properly. Unfortunately this also affects some of the older Xcode archives.

https://medium.com/@hammen/the-apple-packagepocalypse-2019-edition-6e2d4bc0aa90

When trying to open a previously downloaded Xcode archive with an expired certificate an error is displayed with the message: The archive "Xcode.xip" does not come from Apple.

One workaround that seems to work for some people is to manually change your system time back to September 2019 and then attempt to extract the archive.

https://forums.developer.apple.com/thread/125108
https://stackoverflow.com/questions/59036191/xcode-xip-the-archive-does-not-come-from-apple

Apple started replacing the affected Xcode archives between October-December 2019 but kept the same filename/download URLs as the original (now non-funtioning) versions. So now, pretty much half of the hashes for older Xcode versions do not match when you download the currently hosted file.

I'm planning on updating the hashes for all the affected releases but I'm not entirely sure if I should keep both the old and new hashes for a specific release or just display the new hash for the working version? @notpeter Do you have a preference?

Hey folks, this was a fun little project but I'm shutting it down.

Thanks for everyone who contributed checksums and validated their own dmgs.

Be well!

someone please update SHA1 hash list

/Applications/Install macOS Catalina.app

e00b9998514f8a81ad490086c26ff9fe8b256d74  BaseSystem.dmg
2faf7d456ce292662a058cb571a520acabe81ce7  InstallESD.dmg

Hello,

I had to redownload Mountain Lion from shady websites because Apple doesn't want me to download it, heck, even downloading 10.11 is a pain the ass nowadays already.

And when I checksum the InstallESD from it, I get the following result:
2919b519142e2119197bffd678f15f603e84970f

At first I thought my download was broken, so rechecked but came to the same result. Tried another download from somewhere else, same result.
So I searched Google.de for another source and I found that my InstallESD does seem to have a correct(?) shasum:
https://geekinguncovered.wordpress.com/2015/11/26/mac-os-x-install-image-hashes/
I quote:

Mountain Lion 10.8.5 (12F37) (InstallESD.dmg)
SHA-1: 2919B519142E2119197BFFD678F15F603E84970F
MD5: 2C77151BE45C820B02A9ACE05434693D
CRC-32: A9DCAE18

Mountain Lion 10.8.5 (12F37) (OS X Mountain Lion 10.8.5 Build 12F37.dmg)
SHA-1: ECF68C2119C71825839D2A58E0D619E9CCF7C026
MD5: 5568B4DDE00A64F765EF00858B538078
CRC-32: F4DFCE4D

So where is the sum from we have here? (7bc54f504aa0b769a2d0b8546393a6e0fc24671f).

That is 3 different shasums for one version!?
Which one is correct?

The rest of the sums here always matched mine (10.11.3, 10.11.6 and 10.12.3), can't complain on that end. Thanks!

Greetings,

hipunk

Listing SHA1 values gives visitors a false sense of security since SHA1 is compromised.

https://fossbytes.com/google-broke-sha-1-encryption-hash/
https://medium.com/@computersys11/google-kills-sha-1-with-successful-collision-attack-fa327711cb8c
https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html

Looking forward to all references to SHA1 disappearing.

Hi! The .app installation bundle has many files other than the dmgs. Why don't we care about them being legit too? Am I missing something?

Thank you.

Amazon sells unopened OS X 10.3 Panther CD-ROM's, if some kind donator would be willing to purchase one and checksum its contents.

https://www.amazon.com/gp/offer-listing/B0000E6NK9/ref=dp_olp_new?ie=UTF8&condition=new

Or, maybe we could reach out to Apple to ask them for checksums for verifying legacy OS X installation media integrity?

f2bfda702dc977a8646de50ed1bd4c754499f55f *Xcode_10.3.xip

This link: https://support.apple.com/en-us/HT211683 contains (as of 2021-08-01) DMG downloads for OSX 10.10 and 10.11, as well as MacOS 10.12. Please add these checksums to the list:

SHA1(10.10-Yosemite/InstallMacOSX.dmg)= c542681961cc7fafb9c15bfd4af152a3a57f07fa
SHA1(10.11-El-Capitan/InstallMacOSX.dmg)= 21e45136e34c6f805e0f1977e38d6ff029a9a1e2
SHA1(10.12-Sierra/InstallOS.dmg)= 9ba989d30e3548341fc8f5847e856709cb5c67c2

Thanks!

Lion: https://support.apple.com/kb/DL2077?locale=en_US
Lion direct download: https://updates.cdn-apple.com/2021/macos/041-7683-20210614-E610947E-C7CE-46EB-8860-D26D71F0D3EA/InstallMacOSX.dmg

Mountain Lion: https://support.apple.com/kb/DL2076?locale=en_US
Mountain Lion Direct: https://updates.cdn-apple.com/2021/macos/031-0627-20210614-90D11F33-1A65-42DD-BBEA-E1D9F43A6B3F/InstallMacOSX.dmg

I also found snow leopard but am unable to download it? http://adcdownload.apple.com/Mac_OS_X/mac_os_x_version_10.6_snow_leopard_build_10a432/mac_os_x_v10.6_build_10a432_user_dvd.dmg

In attempt to support something a little more robust than editing markdown files directly, I've created a fork which uses JSON as the underlying storage method.

So instead of

| Version                      | SHA1 Checksum
| ---------------------        | ------------------------------------------
| 10.12.4 Sierra (16E195)      | `30b9245f7c7608c40bbdf4d4a74f3ab84dbac716`

The the line form apple_checksums.json is:

[
    {
        "build": "16E195",
        "filename": "InstallESD.dmg",
        "product": "MacOS Sierra",
        "sha1": "30b9245f7c7608c40bbdf4d4a74f3ab84dbac716",
        "sha256": "30319aeae18c3277919c59fe678201553f5a11022d6966b67a43422996391181",
        "version": "10.12.4"
    },

I've got it working generating static pages with Jekyll and it looks like so:

The core motivation for this is to tackle the migration from SHA1 to SHA256 as laid out in #10 but it would also allow us to publish a list of checksums in other formats (CSV, etc).

Code is available on the apple-installer-checksums branch.
https://github.com/notpeter/apple-installer-checksums/tree/gh-pages

If one has the courage to update our hash list, we can find our missing builds at https://xcodereleases.com/

With the release of Catalina 19E287 they've also updated the installer, also, please start using sha256 hashes

That can be downloaded from here : https://support.apple.com/kb/DL1937?locale=en_US

Add checksum of macOS 11.1 20C69 to README

SHA-1 = b3a620e7df4b0d8a193f7d85cdd28bac92c907fa BaseSystem.dmg
SHA-1 = 77038bc8ad58139d10a6eed9b09e56bf3eb89642 InstallESD.dmg
SHA-256 = 090c4825b6de79bf92cce70d110cfc12f6b6f90b3c54dc05f6ae5bfa3ce910ae BaseSystem.dmg
SHA-256 = f77b8ecb971b6697e19a04b734124381e20269984c73c4054cdfc9c728f580a0 InstallESD.dmg

There are new builds

Regarding the Mojave 10.14.6 (18G103) installer,
BaseSystem.dmg matched very well,
but InstallESD.dmg not matched.
Does anyone get the following hash?

b026794f0989f7b7eeddb9a4bd796f8020c91c26
/Applications/Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg

82e147e9858a67336d8687d9cea616c76d50d373
/Applications/Install macOS Mojave.app/Contents/SharedSupport/BaseSystem.dmg

~ % shasum /Applications/Install\ macOS\ Big\ Sur.app/Contents/SharedSupport/SharedSupport.dmg

2e89d67ebb02d1c655dfb875144e2c15bd6fa726 /Applications/Install macOS Big Sur.app/Contents/SharedSupport/SharedSupport.dmg

~ % sw_vers
ProductName: macOS
ProductVersion: 11.6
BuildVersion: 20G165

That's my result
Hope can provide some help :P

Hello :)
I have downloaded High Sierra twice from a same Sierra VM, the InstallESD and BaseSystem checksums look absolutely different but I've checked Info.plist and they are exactly the same.
I also downloaded HS again from my Macbook pro running El Capitan, the Info.plist is the same with above but the dmg files again look different.
I tried downloading using the dosdude1's HS patcher tool, ran it on the Sierra VM, again the dmg files absolute differ from all above.
Anyone knows the reason?

Here's the Info.plist, it's exactly the same for all the downloads I did above, (I compared checksums):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Application-Group</key>
	<string>AirPort</string>
	<key>BuildMachineOSBuild</key>
	<string>16B2657</string>
	<key>CFBundleDevelopmentRegion</key>
	<string>English</string>
	<key>CFBundleDisplayName</key>
	<string>Install macOS High Sierra</string>
	<key>CFBundleExecutable</key>
	<string>InstallAssistant_springboard</string>
	<key>CFBundleGetInfoString</key>
	<string>Install macOS High Sierra, Copyright © 2007-2018 Apple Inc. All rights reserved.</string>
	<key>CFBundleIconFile</key>
	<string>InstallAssistant</string>
	<key>CFBundleIdentifier</key>
	<string>com.apple.InstallAssistant.HighSierra</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>Install mac OS</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>
	<key>CFBundleShortVersionString</key>
	<string>13.6.02</string>
	<key>CFBundleSignature</key>
	<string>????</string>
	<key>CFBundleSupportedPlatforms</key>
	<array>
		<string>MacOSX</string>
	</array>
	<key>CFBundleURLTypes</key>
	<array>
		<dict>
			<key>CFBundleURLName</key>
			<string>Open Install OS X URL</string>
			<key>CFBundleURLSchemes</key>
			<array>
				<string>x-install-osx-assistant</string>
			</array>
		</dict>
	</array>
	<key>CFBundleVersion</key>
	<string>13602</string>
	<key>DTCompiler</key>
	<string>com.apple.compilers.llvm.clang.1_0</string>
	<key>DTPlatformBuild</key>
	<string>9P107g</string>
	<key>DTPlatformVersion</key>
	<string>GM</string>
	<key>DTSDKBuild</key>
	<string>17G61</string>
	<key>DTSDKName</key>
	<string>macosx10.13internal</string>
	<key>DTXcode</key>
	<string>0930</string>
	<key>DTXcodeBuild</key>
	<string>9P107g</string>
	<key>LSApplicationCategoryType</key>
	<string>public.app-category.utilities</string>
	<key>LSArchitecturePriority</key>
	<array>
		<string>x86_64</string>
		<string>i386</string>
		<string>ppc</string>
	</array>
	<key>LSHasLocalizedDisplayName</key>
	<true/>
	<key>LSMinimumSystemVersion</key>
	<string>10.8</string>
	<key>NSMainNibFile</key>
	<string>MainMenu</string>
	<key>NSPrincipalClass</key>
	<string>NSApplication</string>
	<key>NSSupportsAutomaticGraphicsSwitching</key>
	<true/>
	<key>ProductPageIconFile</key>
	<string>ProductPageIcon.icns</string>
</dict>
</plist>

Note: I am downloading full installers of course, the dmg files are located at root folder: "/macOS Install Data"

I had previously explored various methods for hashing the entire MacOS installer app bundle, but always came up short.

Recently I've come across a methodology which might be simple/elegant enough for our usage: Golang's DirHash

Specifically the h1 hash algorithm used by go mod module checksums and similarly in terraform. Checksums are of the format:

h1:44chars/base64enc/h1/prefixed/sha256sum=

From the documentation:

Hash1 is the "h1:" directory hash function, using SHA-256.

Hash1 is "h1:" followed by the base64-encoded SHA-256 hash of a summary prepared as if by the Unix command:

find . -type f | sort | sha256sum
More precisely, the hashed summary contains a single line for each file in the list, ordered by sort.Strings applied to the file names, where each line consists of the hexadecimal SHA-256 hash of the file content, two spaces (U+0020), the file name, and a newline (U+000A).

File names with newlines (U+000A) are disallowed.

But it turns out sha256sum $(find . -type f | sort | sha256sum) isn't quite right, because sha256sum considers stdin in as data to hash, rather than a list of filenames to hash. Additionally my version of sha256sum can't output as base64 sha256 checksums only hex-encoded sha256 checksums.

Otherwise I think the premise is good:
Step #1 Create a sorted plaintext inventory of all files and their sha256 checksums (in the form of sha256sum output):

sha256sum $(find . -type f | sort) > /tmp/hashlist.txt
head /tmp/hashlist.txt

1b0fd914537b3e29cebe21263bf94e79178ecfc2b2ccb3e97d69703f47e248d5  ./Contents/CodeResources
7ed0683ff4b8dc60a85649c8b77bf7b80f9812ca47e15d747919dac848d3f4c5  ./Contents/Frameworks/OSInstallerSetup.framework/Versions/A/Frameworks/IAESD.framework/Versions/A/Frameworks/IABridgeOSInstall.framework/Versions/A/IABridgeOSInstall
dbcc3847e26177acc22cb85739862a18c5b9184a3718d44a4e8c36dbd0a253f3  ./Contents/Frameworks/OSInstallerSetup.framework/Versions/A/Frameworks/IAESD.framework/Versions/A/Frameworks/IABridgeOSInstall.framework/Versions/A/Resources/BOSError.strings
e280fcb43363215079821a10f646eb1a67caaf6b4cf77e96b304767afebe3eeb  ./Contents/Frameworks/OSInstallerSetup.framework/Versions/A/Frameworks/IAESD.framework/Versions/A/Frameworks/IABridgeOSInstall.framework/Versions/A/Resources/Info.plist

Step #2 Take a sha256 checksum of that inventory of filenames and hashes. While I'd prefer hex encoding (3char prefix + 64 chars) there's an argument to be made for the more compact base64 encoding of the binary (3char prefix + 41 chars). There may be an easier way, but openssl is up for the job:

cat /tmp/hashlist.txt | openssl dgst -sha256 -binary |openssl enc -base64
1Gs9W0zvI2p8XnYsPTMKzRkjowxgHYVooz6kUeRbRYY=

Or as a single combined command

cd "/Applications/Install macOS Big Sur.app/" 
echo "h1:$(sha256sum $(find . -type f | sort) | openssl dgst -sha256 -binary |openssl enc -base64)"

h1:1Gs9W0zvI2p8XnYsPTMKzRkjowxgHYVooz6kUeRbRYY=

I haven't confirmed this output matches the specification of the h1 hash produced by go mod's dirhash, but I think it's algorithm is close. Assuming we can build a unix pipeline version which matches its output exactly it might be worthwhile to publish h1 hashes of the entire app file bundle and not just hashes of the dmg. Some potential issues:

• Not sure how best to handle directory prefixes (e.g. leading ./ or /Applications/Install MacOS Big Sur.app). Output of find . -type f includes leading ./ dirhash.
• empty directories are ignored. Go mod gets away with it because you can't checkout empty directories from git.
• symlinks are ignored. At first glance of the golang code I think it treats symlinks like regular files and reads/ hashes their content as if it were a file which is feels reasonable sane.

Can anyone confirm that they get the same h1:1Gs9W0zvI2p8XnYsPTMKzRkjowxgHYVooz6kUeRbRYY= output for the Install macOS Big Sur.app directory for 11.1 with the SharedSupport.dmg 2e2b0e06a4e592b8eca31e6e4eaeccee8442cc166daf36020a4496b838869283

Can anyone confirm the checksum of the High Sierra 10.13.5 (17F73)?

High Sierra 10.13.5 (17F73)

BaseSystem.dmg

shasum /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/BaseSystem.dmg
a97aeffdbeda4d68e1053f69b55d9d56df4259d6

md5 /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/BaseSystem.dmg
MD5 = 4057b8623b13f60654bb344a73b43358

InstallESD.dmg

shasum /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/InstallESD.dmg
216b38acfb234b4e29c2dba41fd76814550b59e2

md5 /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/InstallESD.dmg
MD5 = 2e49889433d173a6aa22eb9318e514aa

cat /Applications/Install\ macOS\ High\ Sierra.app/Contents/SharedSupport/InstallInfo.plist | grep -i -A 1 version
version
10.13.5

cat /Applications/Install\ macOS\ High\ Sierra.app/Contents/Info.plist | grep -A 1 DTSDKBuild
DTSDKBuild
17F73

I guess this should be confirmed by someone else

aa2d3266804105da228bc15dd53820d721c82edf  Install macOS Catalina.app/Contents/SharedSupport/BaseSystem.dmg
8556475a4c3b00298370c977bb3395a653308333  Install macOS Catalina.app/Contents/SharedSupport/InstallESD.dmg

In cases where there's only one build for a given version number we could backfill using Apple's published list of builds numbers:

https://support.apple.com/en-us/HT201260

Same as Xcode 11 GM 2

Version 11.0 (11A420a)

https://download.developer.apple.com/Developer_Tools/Xcode_11/Xcode_11.xip

$ shasum Xcode_11.xip 
56d3480bb706429c4c15e422d65804ad039338bc  Xcode_11.xip

Amazon sells unopened OS X 10.4 Tiger DVD's, if some kind donator would be willing to purchase one and checksum its contents.

https://www.amazon.com/gp/offer-listing/B000BWZZLG/ref=dp_olp_new?ie=UTF8&condition=new

https://www.amazon.com/gp/offer-listing/B0007LW1MW/ref=dp_olp_new?ie=UTF8&condition=new

Or, maybe we could reach out to Apple to ask them for checksums for verifying legacy OS X installation media integrity?

In the "Verify Checksums" for OS X the given Terminal command "shasum /Applications/Install\ OS\ X\ *.app/Contents/SharedSupport/InstallESD.dmg" does not work for Sierra installers because the installer name changed from "OS X" to "macOS" so the new command for Sierra should be "shasum /Applications/Install\ macOS\ Sierra.app/Contents/SharedSupport/InstallESD.dmg".

SHA1 is broken, try update to 256 or 512. If you want to check integrity, make sure to check the integrity of your hashing algorithm first.

Xcode 11 GM Seed 2 (11A420a)
https://download.developer.apple.com/Developer_Tools/Xcode_11_GM_Seed_2/Xcode_11_GM_Seed_2.xip

$ shasum Xcode_11_GM_Seed_2.xip
56d3480bb706429c4c15e422d65804ad039338bc  Xcode_11_GM_Seed_2.xip

Here is my run output.

baccf2a5e8c07ec0f07866415c029f64ed77bb19  /Applications/Install macOS Mojave.app/Contents/SharedSupport/BaseSystem.dmg
892c930f496ceeb88708fa7507f27dc5a6f036d9  /Applications/Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg

as you said in your comment in #65 that's indeed correct but it also applies for Yosemite-high sierra not just mojave.

Hello,

First of all, thanks for your work. My question is, how can I verify the checksums you provide? How can I know they do not come from corrupted dmg?

Many thanks,
nyg

Hello,
I have hash ba6e42ad05fd002c368f2e37f026b2781c87439e for OS X Mavericks 10.9.5 (13F34)
I can confirm it exists as I was able to find it on an old Japanese website.

Hi,

I am committing the checksums for macOS High Sierra 10.13.6. I downloaded it twice with different macOS/OSX versions, I checked it four times and compared it two times.

AppleDiagnostics.dmg
CRC-32: 5B2E2C41
MD5: 4B3C79C514E3AD6A642DA3A483011012
RIPEMD-160: C59B4A0C4509052EF6762DF7DBAB82366368026F
SHA-1: 451E2255A4144B7FF8E2D21F2D0C54A85B7AF3C8
SHA-224: 7315F628A6DB432BC4D56268337FBAA6A0DEAD7E160BAE6573073024
SHA-256: 6C71FCD341ABDDCF645D1588A35A033F3FA1D903E18F5DD649396267AA50BD7A
SHA-384: A09373DE22388E9C950F4AF9C6261E414639ABA07AE74C8AD9A1B2EC96E11FE116E5B84A77C4F6E54EC10768CD862BAE
SHA-512: 3EE136E85115D210BFAE9C731DCC73D9765810FA8E36AAD7C663F48D5003325DC8A8AB339237F413370C245B967938AB729BAB9D538A5BAFF5576F06E4E8E623
SHA-512/224: 596D398B664300E6BD8275E20641AC1C0EFC404C4F4281E8D92FA6F2
SHA-512/256: 760777208285C0D6F3FAD9ED223788725A7EBBC53BBE29F0F7B1F92C085C1FFC

BaseSystem.dmg
CRC-32: E528D323
MD5: 0017939030DD85F4247D6F8CF307FCDF
RIPEMD-160: 582ABAF051260274449D863FA29CF35F48A02EBA
SHA-1: 6B7522D7F78B93441ECD7DEE73430AF9B07B3744
SHA-224: 766EABB66CC39402C6DFCCB6EDA79F82B2DA8CB122F940BF905D0C2E
SHA-256: 34C21AF3049424AE1270DD78A620A8B210BEF3E636E99B5DC2924E02195A665D
SHA-384: 42C99FCB170BD58FDC2C93E9780B570E46B7FE2F95928DED7C3558085436FA19CF3EF1ABAB307D5B1947660C3A16AB88
SHA-512: 89D0C0A9987815446852B0636EF334569962BC8F9F4BD396E8FA3F001BDA7BC74F1179E2D13AC0E4544704C47A5CFD3FC1AB9150D4CDD56BA06D28F690FAB5C3
SHA-512/224: 756AE5630918435BAD1F714D89DC4EC3818EEC07947864B382ADD315
SHA-512/256: B825688BD5BD993BD4936F9FA015D9517E255946B7603681D6924BA79ABF29B9

InstallESD.dmg
CRC-32: 1B5476CB
MD5: 71CF662A72161F9E812AEFD54C94E69D
RIPEMD-160: 14877BD1EE3A8379ED626522089C46179F9DBFBA
SHA-1: 69159CAF25666EA1C5D466E158E075D947F6A9EE
SHA-224: FCABA040A7CF5879ED68EB189EE3ED60C5F7522C1D6A1ECF7DC31932
SHA-256: E3DE527616E5A0BC6C2120960B55B458D49822900B09FD8D4884479EFDCE1C65
SHA-384: D267D100DD4C1B5A90C79C3AFAEC3CCB7144219E21AE2EE1AB705EFAA7D4811E64DF01907A4A476B9439ED754FD62EE0
SHA-512: B7D64D1B255B632A13BF4E2B2FE38DDA47579A18632F89EAA2BC519E6D338711DE1BC2452EE3DAC338960B1B421E39A4C7E10D4CC99EBD114365EC9A31F1BFD3
SHA-512/224: E41F5E3E0640E9112573F6C00AB97ECD6F8E2265FED618A10EBC90B6
SHA-512/256: 16918CDE7D616AE61273811E9BFB1A397336846A289DC9A522735E121107453E

Thank you for your assistance in this matter,
MrTSXV

EDIT: osx system software overview info: macOS 10.13.6 (17G65)

my favorite version of mac is not there and I want to download it then have a valid file but, I can't without a checksum. everyone sees mac and remembers that version.

I have downloaded latest MacOS Mojave 10.14.6 several times from Appstore and SHA1sums are not matching.
Please check:
SHA1:
7a500c36b1825c6d7e73932bf9109fd561334606 /Applications/Install macOS Mojave.app/Contents/SharedSupport/BaseSystem.dmg
6979e80dfeb28d5e7c9805afebbf3a730a94429c /Applications/Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg
SHA256:
ee3ff99ca59b027a6778311dc12f868b08f16c9aae948ab1e7f85a4745d39815 /Applications/Install macOS Mojave.app/Contents/SharedSupport/BaseSystem.dmg
346277cd83f7447f0e04e0d4bd9476401886d0d04132b6100455b5a8ab20f385 /Applications/Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg

It looks like BaseSystem.dmg is signed by Apple, so either the installer updated after the release or there is another problem.

macOS 13.3.1 from SharedSupport.dmg has checksum 7957e30493810163db205f4ba55fe64b20e695c3.

My understanding is that SHA1 is pretty safe, but a determined (and extremely well funded) group could probably compromise it. Why not preemptively move to SHA2 for important things like OS verification? The web already seems to be moving towards it, so I think it would be a good time to start. No one else seems to be talking about changing to it for file checking yet.

Hi!

Why my SHA1 checksum of SharedSupport.dmg differs?

• my sha1 checksum of SharedSupport.dmg: 32466290087a23da7d1e08042e49ce55a3b50e5d
• my sha256 checksum of InstallAssistant.pkg: 8a14293807d4868c5ce945291df8755e336bc411da28200b2e071ba95e203f0b
• my source of InstallAssistant.pkg: http://swcdn.apple.com/content/downloads/06/34/002-42435-A_MA7OBDUK86/6xzypeod1xebasc92qkw2iv44e1j9pv09f/InstallAssistant.pkg (Link from Mr. Macintosh)

I extracted the pkg-file with pkgutil on macOS Catalina and with 7z on Linux. Same results.

Thanks!

macOS 12.6.5 is SharedSupport.dmg is be965248f8e1b6c2c110aa1445ae4db912f676cd.

still need 12.6.4

Is there A Full Installer of MacOS Big Sur 11.2.1 ?

I think it'd actually be helpful to verify the checksums too, so I'd recommend adding a phrase saying that verifying them is also good.

Reasoning: Somebody may troll or change checksums with malicious intent, if you don't have the original file, there is no way for you to be sure they're not lying.

Thanks for this project though, it's really nice to know I got the correct file.