Start of change

sha256 - Calculate and check SHA-256 cryptographic hashes


sha256 [-rbcT] [file ... file ...]


sha256 prints or checks SHA-256 cryptographic hashes.

If you do not specify any files on the command line, or if - is specified as the file name, sha256 reads from standard input (stdin). In this case, the file name is printed as -.

sha256 supports reading sequential MVS data sets, PDS (partitioned data set), or PDSE (partitioned data set extended) members as input files. Error messages are sent to standard error (stderr).


ICSF (at least FMID HCR77A0) must be installed and running because sha256 uses the ICSF One-Way Hash Generate callable service. If resource CSFOWH has been defined, the user running the command must have READ access to the CSFOWH profile in the RACF CSFSERV general resource class. For more information about setting up profiles in the CSFSERV general resource class, see Setting up profiles in the CSFSERV general resource class in z/OS Cryptographic Services ICSF Administrator's Guide.


Reverses the output format. If the file operand is not specified, the path name and its leading white space are omitted.
Prints checksum in binary, no file name.
Reads a file containing hashes that were produced by a previous run of sha256 and checks them. The file containing the hashes should be the output of a former run of sha256. That is, each line must contain the name of the file and the check-sum in hexadecimal. For example:
SHA256 (somefile) = 65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69 
SHA256 (x.dat) = f0456d7aed088e791e4610c3c2ad63afe46e2e777988fdbc9270f15ec9711b42 
SHA256 (default/blob) = f3d9bb2a27422532b5264e1e1e22010ef9d71f604ca5de574a42a3ec07c27721 
If -r was specified, then the file must look like this:
65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69  somefile 
f0456d7aed088e791e4610c3c2ad63afe46e2e777988fdbc9270f15ec9711b42  x.dat 
f3d9bb2a27422532b5264e1e1e22010ef9d71f604ca5de574a42a3ec07c27721  default/blob 

The output contains a line for each file that is being checked and includes OK or FAILED as the status. The last line of the output is a summary line, which will be written to standard error (stderr). Following is a sample output of that output:

somefile: OK
x.dat: FAILED
default/blob: FAILED
sha256: WARNING: 2 checks failed  

The longest input line that sha256 can handle is 2048 bytes. Longer lines are truncated or split into multiple lines.

Enables the automatic conversion of tagged files to be calculated checksums.

Usage notes

  1. If you specify sequential MVS data sets, PDS or PDSE members as input files to calculate cryptographic hashes, sha256 reads them as binary.
  2. Data sets with spanned records are not allowed.


sha256 uses the following localization environment variables:
  • LANG
  • LC_ALL


  1. To print the hash in binary:
    sha256 -b /data/app/accnt.xml 
  2. To print the hash of an MVS data set:
    sha256 "//'SYS2.LOADLIB(XYZMOD)" 
  3. To print the hash of a string:
    echo 'Hi there' | sha256
  4. To check all hashes listed in file sums.1st:
    sha256 -c sums.lst 
  5. To print the hash of a file that is tagged as ASCII:
    sha256 -T /app/account.dat 

Exit values

Successful completion.
Failure due any of the following:
  • Inability to open a file.
  • An error reading the input file.
  • Error turning off the automatic conversion of the input file.
  • Line too long.
  • Bad line format.
  • Cryptographic hash check failed.
Unknown command-line option.
ICSF is not available.
ICSF callable service error.

If an ICSF error occurs, an error message that displays the return and reason code from the ICSF service is issued. For more information about return and reason codes, see ICSF and cryptographic coprocessor return and reason codes in z/OS Cryptographic Services ICSF Application Programmer's Guide.

Related information

md5, rmd160, sha1, sha224, sha384, sha512

End of change