sha256 - Calculate and check SHA-256 cryptographic hashes
sha256 [-rbcT] [file ... file ...]
sha256 prints or checks SHA-256 cryptographic hashes.
If you do not specify any files on the command line, or if - is specified as the file name, sha256 reads from standard input (stdin). In this case, the file name is printed as -.
sha256 supports reading sequential MVS data sets, PDS (partitioned data set), or PDSE (partitioned data set extended) members as input files. Error messages are sent to standard error (stderr).
ICSF (at least FMID HCR77A0) must be installed and running because sha256 uses the ICSF One-Way Hash Generate callable service. If resource CSFOWH has been defined, the user running the command must have READ access to the CSFOWH profile in the RACF CSFSERV general resource class. For more information about setting up profiles in the CSFSERV general resource class, see Setting up profiles in the CSFSERV general resource class in z/OS Cryptographic Services ICSF Administrator's Guide.
- -r: Reverses the output format. If the file operand is not specified, the path name and its leading white space are omitted.
- -b: Prints checksum in binary, no file name.
- -c: Reads a file containing hashes that were produced by a previous run of sha256 and checks them. The file containing the hashes should be the output of a former run of sha256. That is, each line must contain the name of the file and the checksum in hexadecimal. For example:
SHA256 (somefile) = 65d860160bdc9b98abf72407e14ca40b609417de7939897d3b58d55787aaef69
SHA256 (x.dat) = f0456d7aed088e791e4610c3c2ad63afe46e2e777988fdbc9270f15ec9711b42
SHA256 (default/blob) = f3d9bb2a27422532b5264e1e1e22010ef9d71f604ca5de574a42a3ec07c27721
If -r was specified, then the file must look like this:
The output contains a line for each file that is being checked and includes OK or FAILED as the status. The last line of the output is a summary line, which is written to standard error (stderr). The following is sample output:
somefile: OK
x.dat: FAILED
default/blob: FAILED
sha256: WARNING: 2 checks failed
The longest input line that sha256 can handle is 2048 bytes. Longer lines are truncated or split into multiple lines.
- -T: Enables automatic conversion of tagged files before their checksums are calculated.
- If you specify sequential MVS data sets, PDS or PDSE members as input files to calculate cryptographic hashes, sha256 reads them as binary.
- Data sets with spanned records are not allowed.
- To print the hash in binary:
sha256 -b /data/app/accnt.xml
- To print the hash of an MVS data set:
- To print the hash of a string:
echo 'Hi there' | sha256
- To check all hashes listed in file sums.lst:
sha256 -c sums.lst
- To print the hash of a file that is tagged as ASCII:
sha256 -T /app/account.dat
- Successful completion.
- Failure due to any of the following:
  - Inability to open a file.
  - An error reading the input file.
  - Error turning off the automatic conversion of the input file.
  - Line too long.
  - Bad line format.
  - Cryptographic hash check failed.
  - Unknown command-line option.
  - ICSF is not available.
  - ICSF callable service error.
If an ICSF error occurs, an error message that displays the return and reason code from the ICSF service is issued. For more information about return and reason codes, see ICSF and cryptographic coprocessor return and reason codes in z/OS Cryptographic Services ICSF Application Programmer's Guide.
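The check-file format read by -c, the 2048-byte line limit and the OK/FAILED report described above can be reproduced on another platform to verify a manifest that sha256 produced. The following Python sketch is an added example, not IBM's code; the function names are hypothetical. It assumes that an overlong line is rejected rather than truncated, that an unreadable file is reported as FAILED, and that uppercase hex digits are accepted.

```python
import hashlib
import hmac
import re

MAX_LINE = 2048  # longest input line the page says sha256 handles
LINE_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def parse_manifest(text):
    """Return [(name, hex_digest)]; raise ValueError on a malformed line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line.encode()) > MAX_LINE:
            raise ValueError(f"line {lineno}: line too long")
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: bad line format")
        entries.append((m.group(1), m.group(2).lower()))
    return entries


def read_binary(path):
    with open(path, "rb") as fh:
        return fh.read()


def check_manifest(text, reader=read_binary):
    """Return ([(name, "OK" or "FAILED")], number_of_failed_checks)."""
    results = []
    for name, expected in parse_manifest(text):
        try:
            actual = hashlib.sha256(reader(name)).hexdigest()
            ok = hmac.compare_digest(actual, expected)
        except OSError:
            ok = False  # assumption: an unreadable file is reported as FAILED
        results.append((name, "OK" if ok else "FAILED"))
    return results, sum(status == "FAILED" for _, status in results)


if __name__ == "__main__":
    # Constructed sample data: in-memory contents stand in for real files.
    files = {"somefile": b"Hi there\n", "x.dat": b"modified"}
    good = hashlib.sha256(files["somefile"]).hexdigest()
    stale = hashlib.sha256(b"original").hexdigest()
    manifest = f"SHA256 (somefile) = {good}\nSHA256 (x.dat) = {stale}\n"
    results, failed = check_manifest(manifest, files.__getitem__)
    for name, status in results:
        print(f"{name}: {status}")
    if failed:
        print(f"WARNING: {failed} checks failed")
```

Files are read in binary so the digest covers the stored bytes; a file that was converted between code pages in transit will report FAILED even if its text is unchanged.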
md5, rmd160, sha1, sha224, sha384, sha512