What is a checksum?
A checksum is the fixed-length value produced by running a hash function over an entire file. Because hashing is "deterministic" and exhibits the "avalanche effect"—the same file always computes to the same value, and changing even a single byte makes the result completely different—this value works as a file's digital fingerprint.
Software publishers usually post an official checksum (most commonly SHA-256) on their download page. After downloading a file, you compute its checksum yourself and compare it with the official one: a match means the file is intact; a mismatch means the file was corrupted in transit, or tampered with by someone.
Why verify files?
Verifying a checksum mainly guards against two situations:
- Transfer corruption: an unstable network, an interrupted-and-resumed download, or a faulty storage device can all leave a file missing a few bytes. Such files often error out during installation, and verifying beforehand saves the hassle of discovering the problem only after a failed install.
- Malicious tampering: a compromised download mirror or a man-in-the-middle attack could let an attacker swap a legitimate program for one carrying malware. As long as the official checksum was obtained from a trusted source, comparing it exposes such a substitution.
For important software like operating system images, development tools, and cryptocurrency wallets, verifying checksums is a habit worth cultivating.
Tip: To guard against malicious tampering, make sure the official checksum isn't sitting on the same compromised server as the file. It's best to cross-check the checksum itself from the official main site, a signed announcement, or multiple sources to confirm it's genuine.
The basic verification process
- Download the file.
- Find the corresponding checksum on the official page, and confirm which algorithm it uses (MD5, SHA-1, or SHA-256).
- Use a tool or command to compute the checksum of the downloaded file with that same algorithm.
- Compare the two values. Hash comparison is case-insensitive; apart from letter case, every character must match, in the same order.
- If they match, use the file with confidence; if not, re-download it or try a different download source.
How to compute it on Windows
Windows has the built-in certutil command, so no software needs to be installed. Open Command Prompt or PowerShell and enter:
certutil -hashfile C:\path\to\file.iso SHA256
Replace SHA256 with MD5 or SHA1 to compute other algorithms. If you prefer PowerShell, the more intuitive Get-FileHash also works:
Get-FileHash C:\path\to\file.iso -Algorithm SHA256
How to compute it on macOS
macOS ships with the relevant commands; just open "Terminal" to use them. To compute SHA-256:
shasum -a 256 /path/to/file.iso
After -a you can put 1 (SHA-1), 256 (SHA-256), or 512 (SHA-512). To compute MD5, use a separate command:
md5 /path/to/file.iso
How to compute it on Linux
Most Linux distributions include these tools built in, with a dedicated command for each algorithm:
md5sum file.iso
sha1sum file.iso
sha256sum file.iso
sha512sum file.iso
If the official provider supplies a checksum file like SHA256SUMS, you can have the system compare automatically; a match shows OK:
sha256sum -c SHA256SUMS
Command quick reference per system
| System | SHA-256 command |
| --- | --- |
| Windows | certutil -hashfile file SHA256 |
| macOS | shasum -a 256 file |
| Linux | sha256sum file |
If you don't want to memorize commands, or want to verify entirely in your browser, use this site's hash generator:
- Switch to the "File Hash" tab and drag the downloaded file in (or click to select it).
- Select the algorithm the official source uses, press compute, and you'll get the file's checksum.
- Paste the official checksum into the "Compare Hash" field, and the tool tells you instantly whether they match—no need to compare 64 characters by hand.
All computation happens locally in your browser, the file is never uploaded to any server, and even large files can be handled with confidence.
Tip: Comparing long hash values character by character is easy to get wrong. Use the tool's comparison feature—paste the value and let it judge match or mismatch—it's both fast and error-free.
Things to watch out for
- Match the algorithm: a value computed with SHA-256 can only be compared against the official SHA-256, not against MD5.
- Limitations of MD5 and SHA-1: they can still detect accidental corruption, but because practical collision attacks exist against both, you can't fully rely on them to guard against deliberate tampering. When possible, prefer the official SHA-256.
- The checksum source must be trustworthy: the reliability of verification depends on whether the official value you compare against is genuine. Obtain it from the official main site whenever possible, and cross-check from multiple sources when necessary.
- Case-insensitive: a hash value presented in uppercase or lowercase is the same; ignore case when comparing.
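The compute-and-compare steps of the basic verification process, together with the checks listed above, can be scripted so the same logic runs on any system. The Python below is an added example, not code from this page or its hash generator: it hashes files in chunks, checks that the published value has the right length for the expected algorithm, ignores hex case, and processes a SHA256SUMS-style manifest the way `sha256sum -c` does. The function names and the sample files written by `demo()` are constructed for the illustration.

```python
import hashlib
import os
import tempfile

# Hex digest length -> algorithm, to catch an MD5/SHA-1 value pasted as SHA-256.
HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, published, algorithm="sha256"):
    """Return 'OK', 'MISMATCH', 'MISSING' or 'WRONG ALGORITHM' for one file."""
    published = published.strip().lower()  # hex case does not matter
    if HEX_LEN.get(len(published)) != algorithm:
        return "WRONG ALGORITHM"
    if not os.path.isfile(path):
        return "MISSING"
    return "OK" if file_digest(path, algorithm) == published else "MISMATCH"

def check_manifest(manifest_path, algorithm="sha256"):
    """Check each '<hex>  <name>' line of a SHA256SUMS-style manifest."""
    base = os.path.dirname(os.path.abspath(manifest_path))
    results = {}
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            parts = line.split(None, 1)
            if len(parts) == 2:  # skip blank or malformed lines
                name = parts[1].strip().lstrip("*")  # '*' marks binary mode
                results[name] = verify(os.path.join(base, name), parts[0], algorithm)
    return results

def demo():
    """Constructed sample: an intact file, an altered one, a missing one."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("good.iso", b"sample image\n"), ("bad.iso", b"sample imagE\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        good = file_digest(os.path.join(d, "good.iso"))
        with open(os.path.join(d, "SHA256SUMS"), "w") as f:
            f.write(f"{good.upper()}  good.iso\n{good} *bad.iso\n{good}  gone.iso\n")
        return check_manifest(os.path.join(d, "SHA256SUMS"))

if __name__ == "__main__":
    print(demo())
```

The script only tells you whether a file matches the manifest; the manifest itself still has to come from a source you trust.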