
tennisproha

macrumors 68000
Original poster
Jun 24, 2011
1,719
1,229
Texas
I'm downloading past OS X Installers from the Mac App Store for safekeeping and I keep ending up with different sizes for identical versions. They are all off by a few bytes. This is the first time I've noticed but I do have a fast connection and not a lot of traffic late at night. Why is this?

Also, is there a way to checksum with Apple to check the integrity of the file? I don't see a hash posted anywhere. (I'm fairly new to this stuff though so please thoroughly explain any procedures.) ;)

I've attached a screenshot of El Capitan and Yosemite Installers for comparison. 'Version' shows the identical versions and 'Size' shows the size differences:

Screen Shot 2016-09-07 at 4.26.03 AM.png
 
Last edited:
  • Like
Reactions: grahamperrin

Isamilis

macrumors 68020
Apr 3, 2012
2,187
1,073
It happens for me also. I just ignored it and used the latest download though. I think it is because the downloaded file is in application format instead of disk image (DMG).
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,463
16,160
California
Also, is there a way to checksum with Apple to check the integrity of the file?

That .app file is generated dynamically every time you download it since it has your AppleID information in the file, so it is no surprise it is a bit different each time. The checksum would be different each time also for this same reason. Similarly, mine will be different than yours for the same reason.

What is the same for everybody though is the InstallESD.dmg file inside that application. Apple does not publish the checksum for that, but you can usually find others who have posted it (like here)

But the installer verifies the file anyway when you run it, so there is no need for concern.

https://support.apple.com/en-us/HT202369

If you use the Mac App Store (or Software Update in earlier versions of OS X) to download and install an Apple software update, Apple's digital signature is automatically verified before installation.
 
  • Like
Reactions: tennisproha

tennisproha

macrumors 68000
Original poster
Jun 24, 2011
1,719
1,229
Texas
That .app file is generated dynamically every time you download it since it has your AppleID information in the file, so it is no surprise it is a bit different each time. The checksum would be different each time also for this same reason. Similarly, mine will be different than yours for the same reason.

What is the same for everybody though is the InstallESD.dmg file inside that application. Apple does not publish the checksum for that, but you can usually find others who have posted it (like here)

But the installer verifies the file anyway when you run it, so there is no need for concern.

https://support.apple.com/en-us/HT202369
Thank you. That was very comprehensive and literally answered any follow-up questions I might have had. I really appreciate it!

On a related note, besides the different types of checksums, why are there different commands for verifying the same checksum? For instance, with SHA-1, you have:
Code:
openssl sha1
Code:
sha1
Code:
shasum
Code:
shasum -a 1
Code:
sha1sum
etc... What's the difference?
 
Last edited:

grahamperrin

macrumors 601
Jun 8, 2007
4,942
648
… What is the same for everybody though is the InstallESD.dmg file inside that application. …

I thought the same thing, but then discovered that for at least one installer: it's no longer true.

Alternative shasum 0e063fd87d5b0a4f68dbd35da95b2018748f88eb for InstallESD.dmg for OS X 10.10.5

… installer verifies the file … https://support.apple.com/en-us/HT202369

With apologies for casting doubt (I'll never find the resources to investigate this for myself) … that page is about single updates. I guess, typically a single .pkg file (or .mpkg metapackage file, although I don't expect Apple to use that phrase in a how-to).

Within an Apple-provided InstallESD.dmg is each and every package/metapackage signed? And if so, is every signed item automatically verified during Apple's OS installation routine?

Further: could someone create a variation of Apple's .dmg that includes a simple unsigned script to run an unsigned .pkg or .mpkg? If the answer to this question is yes, then attention to the checksum of the containing .dmg becomes important.
 
Last edited: