6.5 md5sum: Print or check MD5 digests

md5sum computes a 128-bit checksum (or fingerprint or message-digest) for each specified file.

Note: The MD5 digest is more reliable than a simple CRC (provided by the cksum command) for detecting accidental file corruption, as the chances of accidentally having two files with identical MD5 are vanishingly small. However, it should not be considered secure against malicious tampering: although finding a file with a given MD5 fingerprint is considered infeasible at the moment, it is known how to modify certain files, including digital certificates, so that they appear valid when signed with an MD5 digest. For more secure hashes, consider using SHA-2, or the newer b2sum command. See sha2 utilities: Print or check SHA-2 digests. See b2sum: Print or check BLAKE2 digests.

If a file is specified as ‘-’ or if no files are given md5sum computes the checksum for the standard input. md5sum can also determine whether a file and checksum are consistent. Synopsis:

md5sum [option]… [file]…

For each file, ‘md5sum’ outputs by default, the MD5 checksum, a space, a flag indicating binary or text input mode, and the file name. Binary mode is indicated with ‘*’, text mode with ‘ ’ (space). Binary mode is the default on systems where it’s significant, otherwise text mode is the default. The cksum command always uses binary mode and a ‘ ’ (space) flag.

Without --zero, if file contains a backslash, newline, or carriage return, the line is started with a backslash, and each problematic character in the file name is escaped with a backslash, making the output unambiguous even in the presence of arbitrary file names.

If file is omitted or specified as ‘-’, standard input is read.

The program accepts the following options. Also see Common options.

‘-b’ ¶

‘--binary’

Note this option is not supported by the cksum command, as it operates in binary mode exclusively. Treat each input file as binary, by reading it in binary mode and outputting a ‘*’ flag. This is the inverse of --text. On systems like GNU that do not distinguish between binary and text files, this option merely flags each input mode as binary: the MD5 checksum is unaffected. This option is the default on systems like MS-DOS that distinguish between binary and text files, except for reading standard input when standard input is a terminal.

‘-c’

‘--check’

Read file names and checksum information (not data) from each file (or from standard input if no file was specified) and report whether the checksums match the contents of the named files. The input to this mode of md5sum is usually the output of a prior, checksum-generating run of ‘md5sum’.

Three input formats are supported. Either the default output format described above, the --tag output format, or the BSD reversed mode format which is similar to the default mode, but doesn’t use a character to distinguish binary and text modes.

For the cksum command, the --check option supports auto-detecting the digest algorithm to use, when presented with checksum information in the --tag output format.

Also for the cksum command, the --check option auto-detects the digest encoding, accepting both standard hexidecimal checksums and those generated via cksum with its --base64 option.

Output with --zero enabled is not supported by --check.

For each such line, md5sum reads the named file and computes its MD5 checksum. Then, if the computed message digest does not match the one on the line with the file name, the file is noted as having failed the test. Otherwise, the file passes the test. By default, for each valid line, one line is written to standard output indicating whether the named file passed the test. After all checks have been performed, if there were any failures, a warning is issued to standard error. Use the --status option to inhibit that output. If any listed file cannot be opened or read, if any valid line has an MD5 checksum inconsistent with the associated file, or if no valid line is found, md5sum exits with nonzero status. Otherwise, it exits successfully. Note the cksum command doesn’t support --check with the older ‘sysv’, ‘bsd’, or ‘crc’ algorithms.

‘--ignore-missing’ ¶

This option is useful only when verifying checksums. When verifying checksums, don’t fail or report any status for missing files. This is useful when verifying a subset of downloaded files given a larger list of checksums.

‘--quiet’ ¶

This option is useful only when verifying checksums. When verifying checksums, don’t generate an ’OK’ message per successfully checked file. Files that fail the verification are reported in the default one-line-per-file format. If there is any checksum mismatch, print a warning summarizing the failures to standard error.

‘--status’ ¶

This option is useful only when verifying checksums. When verifying checksums, don’t generate the default one-line-per-file diagnostic and don’t output the warning summarizing any failures. Failures to open or read a file still evoke individual diagnostics to standard error. If all listed files are readable and are consistent with the associated MD5 checksums, exit successfully. Otherwise exit with a status code indicating there was a failure.

‘--tag’ ¶

Output BSD style checksums, which indicate the checksum algorithm used. As a GNU extension, if --zero is not used, file names with problematic characters are escaped as described above, with the same escaping indicator of ‘\’ at the start of the line, being used. The --tag option implies binary mode, and is disallowed with --text mode as supporting that would unnecessarily complicate the output format, while providing little benefit. The cksum command, uses --tag as its default output format.

‘-t’ ¶

‘--text’

Note this option is not supported by the cksum command. Treat each input file as text, by reading it in text mode and outputting a ‘ ’ flag. This is the inverse of --binary. This option is the default on systems like GNU that do not distinguish between binary and text files. On other systems, it is the default for reading standard input when standard input is a terminal. This mode is never defaulted to if --tag is used.

‘-w’ ¶

‘--warn’

When verifying checksums, warn about improperly formatted MD5 checksum lines. This option is useful only if all but a few lines in the checked input are valid.

‘--strict’ ¶

When verifying checksums, if one or more input line is invalid, exit nonzero after all warnings have been issued.

‘-z’ ¶

‘--zero’

Output a zero byte (ASCII NUL) at the end of each line, rather than a newline. This option enables other programs to parse the output even when that output would contain data with embedded newlines. Also file name escaping is not used.

An exit status of zero indicates success, and a nonzero value indicates failure.