diff --git a/tool/ports/mk/install.mk b/tool/ports/mk/install.mk
index 00fca6ea3e..255c9e5c8c 100644
--- a/tool/ports/mk/install.mk
+++ b/tool/ports/mk/install.mk
@@ -59,7 +59,9 @@ include $(GENODE_DIR)/tool/ports/mk/common.inc
 
 $(call check_tool,wget)
 $(call check_tool,patch)
-$(call check_tool, $(HASHSUM))
+$(call check_tool,sha1sum)
+$(call check_tool,sha256sum)
+$(call check_tool,$(HASHSUM))
 
 #
 # Assertion for the presence of a LICENSE and VERSION declarations in the port
@@ -193,6 +195,19 @@ _svn_dir = $(call _assert,$(DIR($1)),Missing declaration of DIR($*))
 
 _file_name = $(call _prefer,$(NAME($1)),$(notdir $(URL($1))))
 
+_verify_sha256 = \
+	($(ECHO) "$(SHA($1))  $(call _file_name,$1)" \
+		| sha256sum -c > /dev/null 2> /dev/null)
+
+# Generate shell code for verifying a file
+ifeq ($(CHECK_HASH),no)
+_verify_sha1 = ($(ECHO) CHECK_HASH=no enables only SHA256 checksums; false)
+else
+_verify_sha1 = \
+	($(ECHO) "$(SHA($1))  $(call _file_name,$1)" \
+		| sha1sum -c > /dev/null 2> /dev/null)
+endif
+
 # Some downloads are available via HTTPS only, but wget < 3.14 does not support
 # server-name identification, which is used by some sites. So, we disable
 # certificate checking in wget and check the validity of the download via SIG
@@ -206,10 +221,8 @@ _file_name = $(call _prefer,$(NAME($1)),$(notdir $(URL($1))))
 		(test -f $$name || $(MSG_DOWNLOAD)$(URL($*))); \
 		(test -f $$name || wget --quiet --no-check-certificate $(URL($*)) -O $$name) || \
 			($(ECHO) Error: Download for $* failed; false)
-	$(VERBOSE)\
-		($(ECHO) "$(SHA($*))  $(call _file_name,$*)" |\
-		$(HASHSUM) -c > /dev/null 2> /dev/null) || \
-			($(ECHO) Error: Hash sum check for $* failed; false)
+	$(VERBOSE) $(call _verify_sha256,$*) || $(call _verify_sha1,$*) \
+		|| ($(ECHO) Error: Hash sum check for $* failed; false)
 
 
 ##