To verify a file checksum, you generate a SHA-256 hash of the file you downloaded and compare it character for character against the official checksum the publisher posted. If the two strings match exactly, the file is intact. If even one character differs, the file is corrupted or has been altered. This guide shows how to do it on Windows, Mac, and Linux from the command line, and how to do the same thing with zero terminal commands in your browser.
Most people learn how to verify a file checksum the hard way: a download fails silently, an installer crashes, and only then do they discover the file was incomplete. A two-second checksum check catches that before you run the file, plus the scarier case where a download mirror was compromised and the file swapped for malware.
What a Checksum Actually Proves (And What It Does Not)#
A checksum is a fixed-length fingerprint of a file. Run the same file through the same hash algorithm twice and you get the identical string every time. Change a single byte and the entire fingerprint changes completely. That is the whole mechanism, and it is what makes checksums useful for spotting both accidental corruption and deliberate tampering.
Here is the part most tutorials skip, and it is the part that matters for your security. A matching checksum proves the file you have is byte-for-byte identical to the file the published checksum describes. It proves nothing about whether that reference checksum is trustworthy in the first place.
Key point: a checksum only verifies integrity, not authenticity, unless you trust the source of the checksum itself. If an attacker can replace both the download and the checksum on the same page, matching them tells you nothing.
Integrity versus authenticity#
These two words get used interchangeably and they should not be.
- Integrity means the file arrived exactly as it left the server, with no corruption from a dropped connection, a bad disk sector, or a flaky mirror. Any checksum, even an old MD5 one, verifies integrity perfectly.
- Authenticity means the file genuinely came from the publisher you think it did, with no malicious version substituted. That requires the checksum to come from a channel an attacker cannot also control.
The practical takeaway: get the file from a download mirror, but get the checksum from the publisher's main HTTPS site or a signed checksum file. If both live on the same untrusted mirror, a matching hash is security theater.
Why MD5 Checksums Are Still Fine for Corruption#
You will still see MD5 checksums published next to downloads, and forums are full of people insisting MD5 is "broken" and useless. That advice is half right, and the half that is wrong trips people up constantly.
MD5 is cryptographically broken in one specific sense: a skilled attacker can deliberately craft two different files that produce the same MD5 hash (a collision). That breaks MD5 for authenticity. But MD5 is still perfectly good at catching accidental corruption. A truncated download or a bit flipped by a failing drive will not magically collide with the original hash, so if a project only publishes an MD5 checksum and you just want to confirm the download did not break, MD5 answers that fine.
| Algorithm | Safe for corruption check | Safe for tamper/authenticity | Notes |
|---|---|---|---|
| MD5 | Yes | No | Collisions are practical; never trust for security |
| SHA-1 | Yes | No | Deprecated; collisions demonstrated since 2017 |
| SHA-256 | Yes | Yes | The current default for release verification |
| SHA-512 | Yes | Yes | Same family as SHA-256, longer digest |
The rule of thumb: if a download offers SHA-256, always prefer it. If it only offers MD5 and you are checking for a busted download, MD5 is acceptable. Never rely on MD5 or SHA-1 to prove a file was not tampered with.
How to Verify a File Checksum on Windows, Mac, and Linux#
The command differs per operating system, but the workflow is identical everywhere: generate the hash of your downloaded file, then compare it to the published value.
Step 1: Find the official checksum#
Before you hash anything, locate the reference checksum from the publisher. Look for a SHA256SUMS file, a .sha256 file next to the download, or a hash on the official release page. Confirm it is SHA-256 (a 64-character hex string) and not MD5 (32 characters) or SHA-1 (40 characters), because you must hash with the matching algorithm.
If the publisher offers a GPG signature for the checksum file, verifying it is the gold standard, since it confirms the checksum list itself came from the real publisher.
Step 2: Generate the hash on your machine#
Open a terminal in the folder containing your download and run the command for your platform.
Windows (Command Prompt or PowerShell):
certutil -hashfile yourfile.iso SHA256
certutil is built into Windows, so there is nothing to install. Swap SHA256 for MD5 or SHA1 if that is what the publisher provided. PowerShell users can also run Get-FileHash yourfile.iso -Algorithm SHA256 for cleaner output.
macOS:
shasum -a 256 yourfile.dmg
The -a 256 flag selects SHA-256. For MD5 on a Mac, use the separate md5 yourfile.dmg command. Both ship with macOS.
Linux:
sha256sum yourfile.iso
Most distributions include sha256sum, md5sum, and sha1sum out of the box. Each prints the hash followed by the filename.
Step 3: Compare the two hashes#
Put the hash your machine produced next to the official one. They are long, so do not eyeball the whole string. Check the first six and last six characters and confirm the length matches. If both ends agree, you are almost certainly looking at a match.
On Linux and Mac you can let the computer compare for you. If the publisher gave you a SHA256SUMS file, run sha256sum -c SHA256SUMS (or shasum -a 256 -c on a Mac) in the same folder and it prints OK or FAILED per file, removing any chance of a human misreading a character.
Step 4: Decide based on the result#
- Hashes match: the file is intact and identical to the published version. If you also trust where the checksum came from, you are safe to proceed.
- Hashes do not match: stop. Do not run the file. Re-download from a different mirror and verify again. A persistent mismatch from the official source is a red flag worth reporting to the project.
The No-Terminal Way: Verify a Checksum in Your Browser#
Command-line tools are reliable, but plenty of people do not want to open a terminal, lack admin rights on a work machine, or find the syntax error-prone. There is a faster path that produces the exact same SHA-256 result.
A browser-based free SHA-256 hash generator lets you drag and drop the file and computes the digest right on your device using the browser's built-in Web Crypto API. Nothing uploads anywhere. The file never leaves your computer, which matters when you are checking a sensitive installer or a confidential document.
The workflow is the same three steps, minus the typing:
- Open the hash generator and drag your downloaded file onto it.
- Read the SHA-256 digest it produces.
- Paste the publisher's official checksum into the compare field; the tool tells you instantly whether they match.
That last point saves you from yourself. Instead of squinting at two 64-character strings, you paste the expected value and get a clear match or no-match result with the differing characters highlighted. The same tool can switch algorithms, so an older download with only an MD5 hash is covered too.
Tip: because the hashing runs locally in your browser, this also works offline once the page has loaded. Useful on an air-gapped machine or a locked-down network.
Common Reasons a Checksum Does Not Match#
A mismatch is alarming, but it is usually mundane. Run through these before assuming the worst.
- Wrong algorithm. You hashed with SHA-256 but the published value is MD5, or vice versa. The strings never match across algorithms, so check the digest length first.
- Incomplete download. The most common cause. A dropped connection leaves you with a truncated file. Re-download and re-check.
- You hashed the wrong file. An old copy with the same name, or a renamed installer, hashes differently. Confirm you are pointing at the right file.
- Whitespace or case in the comparison. A stray space or capitalization difference can look like a mismatch when you paste. Hex hashes are case-insensitive, so normalize both to lowercase; a good compare tool does this for you.
- The publisher updated the file. Some projects rebuild releases and update checksums, so match your reference hash to the exact version you downloaded.
If you have ruled all of those out and the official hash still will not match, treat the download as untrustworthy. That is exactly the situation checksum verification exists to catch.
Where Checksum Verification Fits in a Security Routine#
Verifying a checksum is one layer, not the whole defense. Download from official sources over HTTPS so the connection itself is authenticated, and prefer GPG-signed checksums for anything security-critical, because a signature ties the hash to a verifiable key rather than just a web page.
Once a file is verified and installed, your remaining risks shift to passwords and accounts. If a tool you installed asks you to create credentials, run them through a password strength checker and generate a unique one with a secure password generator so a verified install does not become the new weak link.
Hashing is also useful beyond downloads. The same SHA-256 digest that verifies an ISO can fingerprint a config file to detect later changes, deduplicate documents, or confirm a backup matches its original.
Conclusion: How to Verify a File Checksum the Right Way#
Knowing how to verify a file checksum turns a leap of faith into a two-second certainty. Generate the SHA-256 hash of your download, compare it to the publisher's official value, and only proceed if they match exactly. Use the command line if you live in a terminal, or drag the file into a browser-based generator if you would rather skip the syntax entirely.
The detail that separates a real check from a placebo is where your reference checksum comes from. Match the file against a hash from the publisher's trusted, HTTPS-served, ideally signed source and you have verified both integrity and authenticity. Match it against a hash on the same sketchy mirror as the download and you have verified nothing that matters. Get the checksum from a source you trust, generate yours with a free SHA-256 hash generator, compare, and you are done.
Frequently Asked Questions#
What is the difference between a checksum and a hash? In everyday use they mean the same thing for file verification: a fixed-length fingerprint computed from a file's contents. Technically "checksum" is the broader term and includes simple error-detection codes like CRC32, while "hash" usually implies a cryptographic function like SHA-256. When a download page says "checksum," it almost always means a cryptographic hash such as MD5, SHA-1, or SHA-256.
Does a matching SHA-256 checksum mean the file is safe? It means the file is byte-for-byte identical to the one the published checksum describes. That guarantees the file was not corrupted in transit. It only guarantees the file is genuinely from the publisher if you obtained the checksum from a source an attacker could not also tamper with, such as the publisher's HTTPS site or a GPG-signed checksum file.
Is MD5 good enough for verifying a download? For catching accidental corruption, yes. A truncated or damaged download will not accidentally produce the same MD5 as the original. For proving a file was not deliberately tampered with, no, because attackers can craft MD5 collisions. If the publisher offers SHA-256, use it instead and reserve MD5 for plain corruption checks.
How do I verify a checksum on Windows without installing anything?
Use the built-in certutil command: open Command Prompt in the file's folder and run certutil -hashfile yourfile.iso SHA256. PowerShell users can run Get-FileHash yourfile.iso -Algorithm SHA256 for a cleaner output. If you would rather avoid the terminal entirely, drag the file into a browser-based hash generator that runs locally on your machine.
Why do my two hashes look different even though I downloaded the right file? The usual culprits are hashing with the wrong algorithm (comparing a SHA-256 hash to an MD5 value), an incomplete download, or whitespace and capitalization differences when you pasted the values. Hex hashes are case-insensitive, so normalize both to lowercase. If everything matches and the hash still differs from the official source, re-download from another mirror and verify again.
Can I verify a checksum offline?
Yes. The command-line tools (certutil, shasum, sha256sum) all run entirely locally with no internet needed. A browser-based generator that uses the Web Crypto API also works offline once the page has loaded, since the hashing happens on your device rather than on a server.



