hoakley March 23, 2020 Macs, Technology

Checking file integrity with Dintch (first beta)

We all expect our documents and other files to remain intact and uncorrupted. Although some storage media such as hard drives are well-known to develop errors, we’re careful to back those up, I’m sure. But in many cases, all backups will do is save another copy of the corrupt file. So how can you tell whether some random bits in a file have changed, and potentially rendered it unusable?

Not easily.

The standard technique for doing this calculates a checksum or hash for each file, and saves that. By comparing the current checksum against that saved, you can then tell at any time in the future whether that file has changed. If you’re adept with scripting in macOS, this isn’t a particularly tough challenge, but one which few take on. You can use DigLloyd’s IntegrityChecker, which is expensive and doesn’t appear to be notarized. One significant problem with both of those is that there isn’t an easy way to attach a checksum to a file, so whenever you copy or move a file, you have to repeat the process.

Dintch is a new app, currently only compatible with Catalina, which tries to address some of these issues. It has two buttons:

click on # to select a folder (it only handles folders or volumes, not individual files, at present) which you want to tag with checksums;
click on Check to select a folder which you’ve previously tagged, to check the integrity of its files.

To ensure that Dintch can access all the folders you might wish to use it on, add it to the Full Disk Access list in the Privacy pane before use.

When tagging, Dintch traverses all the folders and files within the folder or volume you select. For every file within that, it calculates the SHA256 digest and writes it out to that file as an extended attribute. That overwrites any existing tag on that file. If you don’t have write access to that file, then no such tag can be written, of course.

When checking, Dintch repeats its traversal of all the folders and files within the selected folder or file. For each it looks to see if that file has already been tagged. If it has, it then calculates the SHA256 digest of that file at that moment, and checks to see whether it is the same as that previously saved. If they don’t match, then it reports that.

In this first beta, I have done little to optimise the speed. Using a fast internal SSD, though, this current version takes 85 seconds to tag 5361 files totalling 18.5 GB, and 75 seconds to check them all. Using a USB-C SSD, those times extend a little, suggesting that there’s still performance gain which my code can achieve. Checking the same files stored on a 25 GB BD-R disk extends the time to nearly 24 minutes, which is clearly I/O limited.

Reporting is also fairly basic: there’s a Verbose option which delivers more information, and you can add Debug if you wish.

Although using extended attributes might sound fragile, the custom xattr which I use here is preserved across the following:

Finder duplicate,
Finder copy and move between folders on the same volume,
Finder copy and move between different volumes, including external/removable volumes,
Finder copy and move in/out of iCloud on the same Mac,
Finder copy and move in/out of iCloud between two different Macs,
CCC and ChronoSync backups, and I expect Time Machine too,
HFS+ and APFS file systems, at least.

The one failure that I’ve had so far is, sadly, burning to a Mac-only BD-R using Toast Burn, but I will be looking in more detail at how to preserve the tags when writing to optical media for archives.

There’s a lot more to do with Dintch yet, but I’d appreciate it if you could take a look and find some bugs for me, please. My next goal is to add code which supports the same features on versions of macOS prior to 10.15, and to start tuning its performance as well as increasing the usefulness of its reporting.

Dintch 1.0b1 is available from here: dintch10b1
from Downloads above, and from its new Product Page. This does use my auto-update mechanism, so future versions will be offering directly downloadable updates too.

What’s in its name? It’s a digest-based integrity checker. The word is also, I gather, a slang contraction for dinosaur.

38Comments

Add yours

1

Michael Bach on March 23, 2020 at 8:46 am

Dear Howard:

What an ingenious way to attack bit rot (or at least detect it)! Some thoughts on our early version, most things you’ll undoubtedly plan already:
• the speed as already great (with SSDs)
• it worked w/o bug in my 20 years presentation archive, and detected a change which I introduced
• the “#” button might be labeled a bit more verbose 🙂
• some progress indicator (could be quite simple, a.g. a dot per 100 files) would be nice
• is there an alert when it writes a the checksum xattribute, but there already is a _different_ one?
• possibly add a filter, e.g. ignore the ».DS_Store« files

Thanks, best, Michael

LikeLiked by 1 person
- 2
  
  hoakley on March 23, 2020 at 8:23 pm
  
  Thank you, Michael.
  One of the problems with a progress indicator is that you first have to calculate the number of files to be tagged. As APFS doesn’t cache folder counts, that can take some time, as you’ll know from the Finder. For the moment, I’m concentrating on speed. If it gets to the point where we can afford such luxuries, I’ll consider adding them.
  I thought carefully about whether to report changed digest values when adding them using the # button. I’m not sure what that would help, and again it would slow the process down.
  Hidden files is another speed issue: yes, it would be nice to exclude them, but that would mean comparing every filename against a list. That’s the sort of option which the user might want, if they’re prepared to sacrifice performance. I will add it later.
  Thank you for taking the trouble to both test it and report back.
  Howard.
  
  LikeLike
3

Joss on March 23, 2020 at 9:37 am

Jesus H. Christ, that was fast. Bravo! You said that there would be a CLI eventually, which is great, because then I can add it to my CCC start & finish scripts. I can’t test the GUI version yet, because I’m still on Mojave, but I second some of Michael’s notes: the # button could at least be bigger (wider), an “Exclusions” button that brings up a list for stuff like .DS_Store .app or full paths like /Applications/Mail.app etc. (It should have some regex capbility, e.g. ^ $ and \. Conversely, it would be great to have an auto mode, and have to ability to edit & save a fixed list of directories to scan/verify, and then add two button with something like “Manual Check” to scan individual directories not on that list. (The # buttons would then have to be more verbose: “# Manual” and “# Auto”, or something like that.)

As for BluRay backups: the Linux CLI dar can be built to support extended attributes, but I’m not sure if the version for macOS available via Homebrew is such a build. But yes, BluRay backup support is important.

LikeLiked by 1 person
- 4
  
  hoakley on March 23, 2020 at 8:26 pm
  
  Thank you, Joss.
  Yes, once I’ve got the app running properly, a command tool should be straightforward.
  I will add a slower option with an exclusion black list, in due course.
  I’m thinking about how best to add a background service.
  Blu-ray archiving is now solved, as I’ll detail tomorrow morning.
  Howard.
  
  LikeLike
5

Duncan on March 23, 2020 at 2:18 pm

Thank you, again, for your efforts and discussions. I too am impressed with how quickly you wrote that. (Unfortunately I’m not running Catalina myself so I can’t test it.)

Future feature requests:

1) When run it would be helpful to provide a summary upon completion of what happened. Here is what Integrity Checker produces (slightly trimmed for privacy):

ic status /Users/xxx/Pictures (summary)
Monday, March 23, 2020 at 6:54:17 AM
=================================

# Files with stored hash: 34
# Files missing: 0
# Files hashed: 34
# Files without hashes: 618
# Files whose size has changed: 0
# Files whose date changed: 15
# Files whose content changed (same size): 0
# Suspicious files: 0

That’s my Pictures folder (well, on a test machine), and only 34 files have been previously hashed. They all passed the verification check.

Meanwhile, 618 new files were added to the folder since the last time I checked everything, and need to be hashed manually. (This is where an automatic background process would help, although ideally every file would be hashed when it is saved to storage. That’s beyond the scope of any third-party utility, unfortunately.)

Apparently 15 files have had their dates (or more likely, times) changed. I think that is because some of them came from a different computer and the clocks were not synced closely enough.

I’m not quite sure what would qualify as a ‘Suspicious file’. I have only encountered one in my usage, and that turned out to be a known corrupted file from years ago.

2) As I mentioned in a previous comment elsewhere, I would love to see some sort of ‘Verified Copy’ command, primarily for large copy tasks that one might initiate and then walk away from (such as an overnight copy of an entire disk). The goal is to give the user assurance that all their files copied over cleanly, bit-for-bit, from the source to the destination so they can have confidence that there was no data loss during that operation.

(Typical example: moving all of one’s files over from an old computer to a new one. Not necessarily the ‘support’ files that the computer has generated over time and hidden in the folders, but the files that the user created and saved themselves. The Library folder, for example, would be a challenge, but media folders should be fairly straightforward.)

Anyway, that’s the sort of functionality I would look forward to.

LikeLike
- 6
  
  hoakley on March 23, 2020 at 8:29 pm
  
  Thank you, Duncan.
  Yes, I’m in the process of adding more detailed reporting, as well as running on El Capitan and later.
  Dintch does effectively do a verified copy: when you copy a file which is already tagged with its digest, all you have to do is check the copy using Dintch, as the (Finder) copy retains the xattr containing the digest. That even works if you transfer via iCloud.
  Howard.
  
  LikeLike
  - 7
    
    Joss on March 24, 2020 at 10:29 am
    
    I can confirm (with my own test XA) that file copies in Nimble Commander and file copies with the `cp` command (in iTerm) also retain the XA. The latter is strange, however, because `cp` has the specific “-p” argument to preserve XAs and other attributes. (With the `ditto` command, argument “–extattr” to preserve XAs is the default.)
    
    LikeLiked by 1 person
    - 8
      
      hoakley on March 24, 2020 at 11:19 pm
      
      Thank you, Joss.
      Howard.
      
      LikeLike
9

Duncan on March 23, 2020 at 2:34 pm

(I don’t think I can edit comments so this is for my previous comment.)

“1) When run it would be helpful to provide a summary upon completion of what happened.”

I meant to write “…provide a task summary”, in addition to individual file reports.

I realize now what a challenge this all is. Checking a handful of files is fairly straightforward, but scaling this sort of operation up to a folder with a large number of files could prove rather difficult to provide meaningful task results to the user. How can one sift through a report of a thousand entries with mixed file-checking results?

LikeLiked by 1 person
- 10
  
  hoakley on March 23, 2020 at 8:30 pm
  
  That’s where the Verbose and Debug options come in.
  Howard.
  
  LikeLike
11

Javier Gallardo on March 23, 2020 at 4:57 pm

(I really don’t need this security degree… but) it looks nice! In fact, seems to be an easy procedure for integrity confidence on specially sensitive folders (or volumes). Perhaps I start using it.
I wonder if this useful app could work as a “service” by choosing in right-mouse-click menu… Apple should take note. It would be wonderful just to click “add integrity tag”, and “check integrity” as a system normal service.

LikeLiked by 1 person
- 12
  
  Duncan on March 23, 2020 at 6:42 pm
  
  “Apple should take note. It would be wonderful just to click “add integrity tag”, and “check integrity” as a system normal service.”
  
  Better still would be to calculate the current checksum automatically when the file is saved. (Isn’t that what Spotlight already does for creating/updating indexes?)
  
  LikeLiked by 2 people
  - 13
    
    Joss on March 24, 2020 at 10:31 am
    
    When there’s a CLI available, it’ll be fairly easy to turn this into a Finder QuickAction yourself (or into a shell script tool in other file managers).
    
    LikeLiked by 1 person
- 14
  
  hoakley on March 23, 2020 at 8:31 pm
  
  Thank you, Javier.
  Yes, providing it as a service and in other forms is important once I’ve got this working properly.
  Howard.
  
  LikeLiked by 1 person
- 15
  
  Joss on March 24, 2020 at 10:34 am
  
  Wha? Message swallowed? 🙂 So here it goes again: When the CLI version of Dintch is released, it’ll be fairly easy to create a Finder QuickAction yourself… or a shell script tool in other file mangers… or a funky button in the TouchBar with BetterTouchTool.
  
  LikeLiked by 1 person
16

John Gilbert on March 24, 2020 at 5:41 am

I very much like the idea, but writing to xattrs is not very backup friendly. I have only checked Time Machine, but for every dintched file it copies the whole file as a new backup to the TM disk. Less of an issue for products like ChronoSync if only used in synchronise mode, though it will still mean a sync will take longer. I will check Arq, but I am guessing it may not be so serious because it does block level, not file level, backup.

There is a case for storing the checksums in a single file for each folder. I realise that would bring some additional complexity.

For now, a warning: Don’t go Dintching a whole disk (or large folder) before thinking about the backup consequencies.

LikeLiked by 1 person
- 17
  
  hoakley on March 24, 2020 at 7:15 am
  
  Thank you.
  If you think about this carefully, you’ll realise that’s the correct behaviour. If you copy the digests into your backup independently of the files to which they refer, the digest values are meaningless, and of no value to the backup at all. Separate the digests from their files and you may as well discard them altogether. That’s why the digest has to be attached to the file, not a loose file in the folder.
  Yes, it will result in increased backups.
  Howard.
  
  LikeLike
  - 18
    
    Duncan on March 24, 2020 at 1:46 pm
    
    With Integrity Checker, the digests (the hidden “.ic” files in each folder) carry over if the folder itself is copied. This includes Time Machine backups (and CCC clones). The limitation, however, is you have to manage your files at a folder level, not individually as with Dintch.
    
    If a single file gets altered then Integrity Checker’s .ic file still works for all the rest of the files in the folder (it’s not all-or-nothing) and will detect the single changed file when run after the change. However that one file’s checksum will be out of date so to correct that one needs to run the ‘Update’ function in Integrity Checker to re-hash the file, which updates the folder’s .ic file. The Update feature does not need to re-hash all the other files so it’s generally pretty fast.
    
    But this brings up the manual nature of all this, where the user has to be diligent to keep updating the checksums if the user’s files are modified. For non-changing archives (such as large groups of files in fixed folders such as batches of photos, completed projects, etc.) this isn’t so much of a problem. But for files that undergo a lot of modification and for folders with constantly-changing contents (such as a mail directory) it’s a burden for the user. That’s why, ultimately, a file-checking utility should be a continual or periodic background task similar to Time Machine. (Or, best implementation, performed every time the file is saved and then verified at each backup interval.)
    
    LikeLiked by 1 person
  - 19
    
    Joss on March 24, 2020 at 3:20 pm
    
    That’s what LaunchAgents are for, where you can use the WatchPaths key. If there’s a file change in the directory (or to the directory itself), then the LaunchAgent can execute either the IntegrityChecker or Dintch CLI to update the folder contents. (Or both.) Afaik, if a file has the same size and the same modification date, then IntegrityChecker will skip that file.
    
    Another option for a LaunchAgent would be a full scan for changes + rehashing upon changes for e.g. specific directories.
    
    You could also use both LaunchAgents together, whereas some directories (those with lots of changes) are only handled by LA1, and the more static directories are handled by LA2.
    
    Question: does Dintch have a sort of quick check whether rehashing is necessary? Or does it verify every time, no matter what? Because if the file size hasn’t changed, and if the modification date hasn’t changed, then it shouldn’t really be necessary to rescan such a file. (Unless, for example, there’s a “–force” or “-f” option. That possibly wouldn’t detect bit rot, of course, until the user specifically looks for it, which would entail a full verification incl. hashing of all files for comparison.)
    
    LikeLiked by 1 person
    - 20
      
      hoakley on March 24, 2020 at 11:22 pm
      
      No. Dintch checks digests. Relying on file modification dates is a fool’s errand – the only way to check that a file hasn’t become corrupted or changed is to calculate its checksum and compare that with a previous checksum.
      There’s a great deal that can happen to the contents of a file without its modification date being changed.
      Howard.
      
      LikeLike
21

Duncan on March 24, 2020 at 3:55 pm

“That’s what LaunchAgents are for, where you can use the WatchPaths key. If there’s a file change in the directory (or to the directory itself), then the LaunchAgent can execute either the IntegrityChecker or Dintch CLI to update the folder contents.”

That brings up an interesting possibility – if Dintch attaches a checksum to a file does that then trigger LaunchAgent, which then triggers Dintch again, etc., etc.?

(I would hope there are some sort of self-limiting conditions built in, but I have never used or studied LaunchAgent myself.)

A more complex problem with just about any checksum utility is the handoff of a known verified state to any future update. Let’s say you have a file with an attached checksum and it was last verified yesterday. Between then and now you had an event which might have compromised your storage integrity. Without performing a full verification pass you presently don’t know the status of that file; it might be corrupted or it might be fine.

Now let’s say you open and modify the file (without previously verifying it), and then the checksum gets updated after saving the changes. If the file were previously corrupted that information will be lost when the new checksum overwrites the old one.

Yes, these are marginal edge-cases with a low probability of happening, but not entirely impossible. A proper end-to-end data integrity routine would address this sort of thing, similar to how copy-on-write preserves the old version in the event of a glitch happening during that brief period between versions.

It seems to me the best possible routine is to create/update a checksum upon save and to verify the checksum upon open. Some might argue that that’s too much computing overhead for such a remote possibility of file corruption, but that doesn’t prevent people from going out and spending money on RAID setups, which is another form of data protection.

LikeLiked by 1 person
- 22
  
  Joss on March 24, 2020 at 4:12 pm
  
  I just tested: writing an XA to a file changes the modification date, so that might send launchd into a loop.
  
  As for saving changes to a file: this actually creates a totally new file (atomic writes). Create a test txt file with “123”, save & close it, check the inode with `stat -x foo`, then reopen and add “456”, save & close. It will have a different inode. (That’s why GUI apps will tell you that a file with the append-only or no-unlink Unix flag is “locked”, even though from a Unix standpoint it isn’t; only the uchg and schg flags actually *lock* a file.)
  
  So the inode would be an alternate way to determine if a file has changed.
  
  But this only works for files changed with GUI applications. If you execute `echo -n “789” > foo`, then the inode will remain the same.
  
  It seems it’s pretty complicated, and a lot has to be taken into account.
  
  LikeLiked by 1 person
  - 23
    
    Duncan on March 24, 2020 at 5:06 pm
    
    Thanks for investigating this – it’s certainly not a trivial problem to solve. It might also explain why Lloyd Chambers chose to have Integrity Checker save the checksums as a separate file (the .ic files) in the containing folder. He touts one benefit as leaving the original files intact (it only reads from them, never writes), but the big drawback is the restriction of managing your files at the folder level, not individually as Dintch strives to do.*
    
    [A note about Lloyd – his primary interest is photography, so I imagine he wrote this utility for managing batches of photos which might very well remain grouped together in dated folders, which simplifies the terrain for the application.]
    
    * In my own usage I work around this folder-level limitation, in some cases, by enclosing an individual file inside its own folder (such as with a saved Mac OS installer file). This way Integrity Checker can still create a checksum of just that one file and put the .ic file in the folder, but what a kludgy way to run a railroad.
    
    LikeLiked by 1 person
  - 24
    
    hoakley on March 24, 2020 at 11:27 pm
    
    I don’t think that’s entirely correct. It’s perfectly possible to change the data in a file without its inode changing, and safe saves normally achieve just that. It’s a complicated system, I’m afraid, and sometimes loses xattrs in the process too.
    The only way to check if the data in a file have changed is to compare checksums, because that’s the only way to check the contents of the file.
    Howard.
    
    LikeLike
  - 25
    
    Duncan on March 25, 2020 at 12:07 am
    
    “…writing an XA to a file changes the modification date”
    
    (I’m not running Catalina so I have to rely on others for their reports.)
    
    If so, that’s an unfortunate side-effect of this or any other software that stores house-keeping metadata as part of the file itself. If one hashes their entire home directory all the original file modification dates will get over-written. Which would be a problem when trying to reconcile different copies of the same document (say some arrived from others as mail attachments or USB sticks, etc.) or for any sort of forensic troubleshooting.
    
    This is why I really wish Apple had included some sort of ‘side-car’ provision in APFS that could accommodate checksum (and ideally, ECC) data while leaving the original file alone.
    
    LikeLike
    - 26
      
      hoakley on March 25, 2020 at 12:19 am
      
      Duncan,
      Actually, I’ve just checked that, and it’s incorrect. Writing a xattr doesn’t affect the file datestamps at all, as the xattr isn’t stored with the file, nor is its size included in the file size, etc. As the xattr is stored in file system metadata, it’s essentially independent. (I knew that, but don’t understand why I didn’t spot the error.)
      Consider the case of the quarantine flag: when that’s added, changed, or removed, it doesn’t alter the regular file attributes/metadata at all.
      However, Time Machine uses FSEvents to determine what gets backed up, and I’ll bet that track xattr changes, so triggering their backing up. And so it should: if you don’t back up the tagged file, you can’t check whether the backed up file matches its digest, and your backup can’t be verified, can it?
      Tags are at their most important in backups and archives, as those are the copies which we rely on when the working copy gets munged. If you can’t verify a backup or archive, it too could be munged.
      Howard
      
      LikeLike
27

Joss on March 24, 2020 at 11:59 pm

Is there a way to read the XA? I’m getting the error “stdin: Property List error: Unexpected character Ø at line 1 / JSON error: JSON text did not start with array or object and option to allow fragments not set” when executing `xattr -p “co.eclecticlight.dintch.hash#S” /foo | xxd -r -p | plutil -convert xml1 – -o -`

LikeLike
- 28
  
  Joss on March 25, 2020 at 12:02 am
  
  Strike that… it seems that the hash *is* the XA, so it’s not binary at all.
  
  LikeLike
  - 29
    
    hoakley on March 25, 2020 at 12:11 am
    
    Er the xattr stored is a 32 byte binary blob of data. It’s not a property list, nor is it text. It’s easy to read in Swift, or view in my app xattred. But other than staring at its beauty, I’m not sure what you could do with it. Here’s an example:
    <73c149dc 3f1861ce 63605ac2 9386697e 2c82280b e05f9e3f 70611d4a cdee9db0>
    Howard.
    
    LikeLike
    - 30
      
      hoakley on March 25, 2020 at 12:22 am
      
      Bless WordPress for removing my example, because it was between < and >.
      I’ll fix that shortly.
      Howard.
      
      LikeLike
31

Duncan on March 25, 2020 at 12:19 am

Howard:

“the xattr stored is a 32 byte binary blob of data”

I’m curious – does that change the size of the file as reported in the Finder? Thanks.

LikeLike
- 32
  
  hoakley on March 25, 2020 at 12:21 am
  
  No, as file sizes reported in the Finder completely ignore xattrs. To get total file sizes including all xattrs, you’ll need an app like my Precize. It’s also a pain in the command line.
  That’s because xattrs aren’t stored in main disk storage, but in the file system metadata.
  Howard.
  
  LikeLike
33

Duncan on March 25, 2020 at 12:23 am

(Apologies for replying out-of-sequence, but I can’t seem to reply directly to second-level comments. The ‘Reply’ hover-over doesn’t appear. Also, I think we’re replying while others are composing at this time.)

Howard, than you for the clarification:

“Writing a xattr doesn’t affect the file datestamps at all, as the xattr isn’t stored with the file, nor is its size included in the file size, etc. As the xattr is stored in file system metadata, it’s essentially independent.”

That answers my previous comment above.

LikeLike
- 34
  
  hoakley on March 25, 2020 at 12:25 am
  
  Sorry – that’s a practical limit on the depths of comment.
  Sorry, I’m bushed now and off to bed. I’ll catch up in the morning, when you’ll have new version of Dintch to play with. It’s actually there already, via the product page.
  Howard.
  
  LikeLike
35

Duncan on March 25, 2020 at 12:33 am

Thanks, Howard.

Please don’t feel obligated to reply to this – I’m just offering it as a FYI…

You wrote:

“if you don’t back up the tagged file, you can’t check whether the backed up file matches its digest, and your backup can’t be verified, can it?”

Not to promote Integrity Checker more than necessary, but the folder-included .ic files do get backed up along with the data files and thus the backups *can* be checked as a result. (I do that all the time.) Without that feature the whole utility would be practically worthless, since the backups are the only recourse if the original is determined to be corrupted.

LikeLiked by 1 person
- 36
  
  hoakley on March 25, 2020 at 9:38 am
  
  Please, feel free to continue to use IntegrityChecker, if that’s what you want.
  Meanwhile I can verify the integrity of my key files wherever they go – even onto different Macs, across iCloud, and whether in active SSD storage, backups or in archives – without having to create new digests.
  Howard.
  
  LikeLike
37

John Gilbert on March 25, 2020 at 6:59 am

What is the purpose of all this? (Rhetorical)
My understanding of the motivation is to detect problems with long term archives on blu-ray, in the cloud or local HDD. For archives it is important to maximise compatibility with different files systems and operating systems. To my mind that rules out anything using xattrs. I am not confident that current xattrs will be readable on macOS in 10 years time, let alone on Windows or linux.
So I keep coming back to needing checksums to be stored in simple text files – either at the folder or file level (sidecar).

LikeLiked by 1 person
- 38
  
  hoakley on March 25, 2020 at 9:34 am
  
  Then you’re very welcome not to use my free tool, and to continue to pay for IntegrityChecker.
  APFS is now, largely thanks to iOS, one of the world’s most widely used file systems. Extended attributes are an integral part, on which iOS and macOS are heavily dependent. They are also supported in various ways by many other file systems. The use of xattrs and equivalent metadata forks is growing, not declining, as we move away for primitive file systems.
  But it’s your choice.
  Howard.
  
  LikeLike