Identical OS X Installers have different sizes. Why? Checksum?

[tennisproha]

I'm downloading past OS X Installers from the Mac App Store for safekeeping and I keep ending up with different sizes for identical versions. They are all off by a few bytes. This is the first time I've noticed but I do have a fast connection and not a lot of traffic late at night. Why is this?

Also, Is there a way to checksum with Apple to check the integrity of the file? I don't see a hash posted anywhere. (I'm fairly new to this stuff though so please throughly explain any procedures.)

I've attached a screenshot of El Capitan and Yosemite Installers for comparison. 'Version' shows the identical versions and 'Size' shows the size differences:

 

[Isamilis]

It happen also for me. I just ignored it and use the latest download though. I think it because of the downloaded file is in application format instead of disk image (DMG).

 

[Floris]

Try this

Store one in one directory
And the other in another directory

And then compare?

 

[Weaselboy]

Also, Is there a way to checksum with Apple to check the integrity of the file?

That .app file is generated dynamically every time you download it since it has your AppleID information in the file, so it is no surprise it is a bit different each time. The checksum would be different each time also for this same reason. Similarly, mine will be different than yours for the same reason.

What is the same for everybody though is the InstallESD.dmg file inside that application. Apple does not publish the checksum for that, but you can usually find others who have posted it (like here)

But the installer verifies the file anyway when you run it, so there is no need for concern.

https://support.apple.com/en-us/HT202369

If you use the Mac App Store (or Software Update in earlier versions of OS X) to download and install an Apple software update, Apple's digital signature is automatically verified before installation.

 

[tennisproha]

That .app file is generated dynamically every time you download it since it has your AppleID information in the file, so it is no surprise it is a bit different each time. The checksum would be different each time also for this same reason. Similarly, mine will be different than yours for the same reason.

What is the same for everybody though is the InstallESD.dmg file inside that application. Apple does not publish the checksum for that, but you can usually find others who have posted it (like here)

But the installer verifies the file anyway when you run it, so there is no need for concern.

https://support.apple.com/en-us/HT202369

Thank you. That was very comprehensive and literally answered any follow-up questions I might have had. I really appreciate it!

On a related note, besides the different types of checksums, why are there different commands for verifying the same checksum? For instance, with SHA-1, you have:

openssl sha1

sha1

shasum

shasum -a 1

sha1sum

etc... What's the difference?

 

[grahamperrin]

… What is the same for everybody though is the InstallESD.dmg file inside that application. …

I thought the same thing, but then discovered that for at least one installer: it's no longer true.

Alternative shasum 0e063fd87d5b0a4f68dbd35da95b2018748f88eb for InstallESD.dmg for OS X 10.10.5

… installer verifies the file … https://support.apple.com/en-us/HT202369

With apologies for casting doubt (I'll never find the resources to investigate this for myself) … that page is about single updates. I guess, typically a single .pkg file (or .mpkg metapackage file, although I don't expect Apple to use that phrase in a how-to).

Within an Apple-provided InstallESD.dmg is each and every package/metapackage signed? And if so, is every signed item automatically verified during Apple's OS installation routine?

Further: could someone create a variation of Apple's .dmg that includes a simple unsigned script to run an unsigned .pkg or .mpkg? If the answer to this question is yes, then attention to the checksum of the containing .dmg becomes important.