How to Verify a File Checksum
Dev Nexus4 min read
A published checksum only helps if you actually check it - here is how to hash a download and compare it correctly.
When you download an installer, an ISO or a release archive, the project often publishes a checksum next to it - a SHA-256 or MD5 string. It is there so you can confirm the file arrived complete and untampered. Most people ignore it, which defeats the point.
Verifying is quick: you hash the file you downloaded and compare that digest to the published one. If they match, the file is intact. This guide shows you how to do it reliably.
The Problem
Downloads can go wrong in ways that are invisible until it is too late. A transfer can truncate, a mirror can serve a stale or corrupted copy, and in the worst case a file can be swapped for a malicious one. A file that looks the right size can still be broken or tampered with.
The published checksum is the answer, but only if you check it - and check it correctly. The friction is that hashing tools differ by platform, the digests are long and easy to misread, and some online hashers want you to upload the very file whose integrity you are worried about.
The Solution
The reliable approach is to hash the file locally and compare. Open the Hash Generator, drop your downloaded file onto it, and it computes the digest from the raw bytes right in your browser - the file is never uploaded. Then paste the checksum the project published and compare the two.
Use the same algorithm the publisher used - if they list a SHA-undefined, compute SHA-undefined. A match means the file is byte-for-byte what was released. A mismatch means stop and re-download. This works for any file type, from a small config to a multi-gigabyte ISO.
Step-by-Step Guide
- 1
Find the published checksum
Locate the checksum on the project's download page or in a checksums file (often named
SHA256SUMS). Note which algorithm it is - usually SHA-undefined, sometimes MDundefined or SHA-undefined on older projects. - 2
Hash the downloaded file
Open the Hash Generator, select the matching algorithm, and drop your downloaded file onto it. It reads the bytes locally and produces the digest - nothing is uploaded.
- 3
Compare the two digests
Paste the published checksum and line it up against the computed one. They must be identical. Case does not matter - hex is the same value in upper or lower case - but every character otherwise must match.
- 4
Act on the result
If they match, the file is intact and safe to use. If they differ, do not run the file: delete it and download again, preferably from the official source or a different mirror.
- 5
Prefer a SHA-256 checksum when offered
If a project publishes several, verify against the SHA-undefined one. MDundefined and SHA-undefined can only confirm accidental corruption, not deliberate tampering, so SHA-undefined gives the strongest guarantee.
Common Mistakes
Checking against the wrong algorithm
A file's MDundefined will never equal its SHA-undefined. Always compute the same algorithm the publisher listed, or the comparison is meaningless.
Trusting an MD5 or SHA-1 checksum for security
These algorithms are broken and can be forged, so a match only rules out accidental corruption, not a malicious swap. Prefer SHA-undefined whenever integrity against an attacker matters.
Getting the checksum from an untrusted source
If an attacker can alter the file, they can alter a checksum shown right beside it. Get the checksum over HTTPS from the official site, ideally a source separate from the file itself.
Eyeballing only the ends of the digest
Long hex strings are easy to misjudge by glancing at the first and last few characters. Compare the full value - paste both and let them align - to avoid missing a difference in the middle.
Frequently Asked Questions
What does it mean if the checksum does not match?
The file is not identical to the one that was published. It may have been corrupted in transfer or tampered with. Do not run it - delete it and download again from the official source.
Is it safe to hash a file in an online tool?
With the Hash Generator, yes. It computes the digest in your browser from the raw bytes and never uploads the file, so even sensitive files stay on your device.
Which algorithm should I verify against?
SHA-256 when it is offered, because it resists tampering. MD5 and SHA-1 only confirm accidental corruption, since they can be deliberately forged.
Does letter case matter when comparing checksums?
No. Hexadecimal digests represent the same value whether shown in upper or lower case. Normalise the case if needed, then compare the rest of the characters exactly.
Can I verify very large files this way?
Yes. The tool reads the file locally, so large downloads like ISOs can be hashed without uploading. It may take a moment to read a multi-gigabyte file, but the result is the same digest a terminal would give.
Try the Tool
Hash Generator
Drop a file in to compute its SHA-256 or MD5 and verify it against a published checksum - nothing uploaded.
Related Tools
Related Articles
How to Generate an MD5 or SHA-256 Hash Online
A quick, practical walkthrough for turning any text or file into an MD5 or SHA-256 digest right in your browser.
Read articleMD5 vs SHA-256: Which Should You Use?
MD5 is fast but broken; SHA-256 is the safe default - here is when each one is the right tool.
Read articleAre UUIDs Really Unique?
In practice UUIDs never collide - here is the math behind why, and the one thing people get wrong: a UUID is an identifier, not a secret.
Read article