diff --git a/build.sh b/build.sh
index bb5f08d..e65b6ab 100755
--- a/build.sh
+++ b/build.sh
@@ -10,13 +10,23 @@ set -eu -o pipefail
 
 PREFIX=rust-1.48.0-x86_64-unknown-linux-gnu
 FILE=$PREFIX.tar.gz
+SHA=950420a35b2dd9091f1b93a9ccd5abc026ca7112e667f246b1deb79204e2038b
 
 if [ ! -f "$FILE" ]; then
     wget https://static.rust-lang.org/dist/$FILE
 fi
 
-#TODO: verify SHA256
-# 950420a35b2dd9091f1b93a9ccd5abc026ca7112e667f246b1deb79204e2038b  rust-1.48.0-x86_64-unknown-linux-gnu.tar.gz
+# Verify SHA256 of rust
+echo "$SHA  $FILE" | shasum -a 256 --check
+# TWO SPACES or sadness sometimes:
+# https://unix.stackexchange.com/questions/139891/why-does-verifying-sha256-checksum-with-sha256sum-fail-on-debian-and-work-on-u
+echo "$SHA  $FILE" | shasum -a 256 --check --status
+if [ $? -ne 0 ]; then
+    FOUNDSHA=$(shasum -a 256 $FILE)
+    echo "SHA256 mismatch on $FILE!"
+    echo "$FOUNDSHA did not match $SHA . Aborting..."
+    exit 1
+fi
 
 tar zxvpf $FILE
 mkdir -p build