$ Linux One Liners
Back to lessons

Hosting Operations

Compare Artifact Checksums

You need to confirm whether a built artifact and deployed artifact are identical.

Command

sha256sum artifacts/app.tar.gz releases/current/app.tar.gz

What changed

Nothing changes. Checksums are calculated and printed.

Danger

safe

When to use it

Use when checking whether a deployed artifact matches the built artifact.

When not to use it

Do not run it on huge files if hashing would compete with production I/O during an incident.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Two SHA-256 hashes and filenames; matching hashes mean matching file contents.

demo script

Disposable terminal steps

  1. ls -lh artifacts/app.tar.gz releases/current/app.tar.gz
  2. sha256sum artifacts/app.tar.gz releases/current/app.tar.gz
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ ls -lh artifacts/app.tar.gz releases/current/app.tar.gz
-rw-r--r-- 1 root root 13 Jun 25 13:19 artifacts/app.tar.gz
-rw-r--r-- 1 root root 13 Jun 25 13:19 releases/current/app.tar.gz
::exit-code::0
$ sha256sum artifacts/app.tar.gz releases/current/app.tar.gz
020de28e3ded8ea3aa27c978e387b7604413181b1ce846f057bcbd8b36054244  artifacts/app.tar.gz
020de28e3ded8ea3aa27c978e387b7604413181b1ce846f057bcbd8b36054244  releases/current/app.tar.gz
::exit-code::0

YouTube Short

Do these artifacts match?

When a deploy looks wrong, hash the built artifact and the deployed artifact. Same hash, same bytes.

LinkedIn hook

Verify two artifact copies match before blaming deployment code.

Question: Do you verify artifact identity during deployment incidents?

experiments

A/B tests to run

Metric: save_rate

A: Same hash, same bytes.

B: Check the artifact before the app.