How to Verify File Checksums: A Complete Guide
Protect yourself from corrupted downloads and tampered files by learning to verify checksums on every major operating system.
Why Verify Checksums?
Every time you download a file from the internet, there is a risk that the file has been altered. This can happen for benign reasons -- network errors, incomplete transfers, or storage corruption -- or for malicious ones, such as a man-in-the-middle attack that replaces a legitimate installer with malware. Checksum verification is your first line of defense against both.
A checksum is a hash of a file's contents. Software publishers compute the hash of their release files and publish the values alongside the download links. After downloading, you compute the hash of your local copy and compare it to the published value. If they match, the file is identical to what the publisher intended. If they differ, the file has been modified and should not be trusted.
When Checksums Matter Most
- Downloading operating system ISO images (Ubuntu, Fedora, Windows)
- Installing security-sensitive software (GPG, OpenSSL, SSH clients)
- Transferring files across unreliable networks or storage media
- Verifying firmware updates for IoT devices and routers
- Auditing third-party dependencies in your software supply chain
Verifying Checksums on macOS
macOS includes the shasum command, which supports SHA-1, SHA-256, SHA-384, and SHA-512 out of the box. It also includes md5 for MD5 checksums.
SHA-256 (Recommended)
# Compute SHA-256 hash of a downloaded file
shasum -a 256 ~/Downloads/ubuntu-24.04-desktop-amd64.iso
# Output:
# a1b2c3d4e5f6... /Users/you/Downloads/ubuntu-24.04-desktop-amd64.iso
# Compare against the published checksum:
# If the hex strings match, the file is intact.
SHA-512
# Compute SHA-512 hash
shasum -a 512 ~/Downloads/node-v22.0.0.pkg
MD5
# Compute MD5 hash (for legacy checksums only)
md5 ~/Downloads/some-file.zip
# Or using openssl:
openssl dgst -md5 ~/Downloads/some-file.zip
Verify Against a Checksum File
Many projects provide a SHA256SUMS file alongside their downloads. You can verify your file against it automatically:
# Download the checksum file and the ISO
cd ~/Downloads
curl -O https://releases.ubuntu.com/24.04/SHA256SUMS
# Verify (prints "OK" if the hash matches)
shasum -a 256 -c SHA256SUMS 2>/dev/null | grep ubuntu-24.04-desktop-amd64.iso
# ubuntu-24.04-desktop-amd64.iso: OK
Verifying Checksums on Linux
Linux distributions provide dedicated commands for each hash algorithm: sha256sum, sha512sum, sha1sum, and md5sum.
SHA-256 (Recommended)
# Compute SHA-256 hash
sha256sum ~/Downloads/fedora-workstation-40.iso
# Verify against a checksum file
sha256sum -c SHA256SUMS
# Check a specific file from the checksum file
sha256sum -c SHA256SUMS --ignore-missing
SHA-512
# Compute SHA-512 hash
sha512sum ~/Downloads/large-archive.tar.gz
MD5 (Legacy)
# Compute MD5 hash
md5sum ~/Downloads/some-file.zip
# Verify against an MD5 checksum file
md5sum -c MD5SUMS
Batch Verification
# Verify all files listed in a checksum file
sha256sum -c SHA256SUMS
# file1.tar.gz: OK
# file2.tar.gz: OK
# file3.tar.gz: FAILED
# sha256sum: WARNING: 1 computed checksum did NOT match
Verifying Checksums on Windows
Windows includes certutil in Command Prompt and Get-FileHash in PowerShell. Both can compute checksums without installing additional software.
PowerShell (Recommended)
# SHA-256 (default)
Get-FileHash C:\Users\You\Downloads\installer.exe
# SHA-512
Get-FileHash C:\Users\You\Downloads\installer.exe -Algorithm SHA512
# MD5
Get-FileHash C:\Users\You\Downloads\installer.exe -Algorithm MD5
# Compare directly against a known hash
$expected = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
$actual = (Get-FileHash C:\Users\You\Downloads\installer.exe).Hash
if ($expected -eq $actual) { "MATCH - File is intact" } else { "MISMATCH - File may be corrupted or tampered" }
Command Prompt (certutil)
:: SHA-256
certutil -hashfile C:\Users\You\Downloads\installer.exe SHA256
:: SHA-512
certutil -hashfile C:\Users\You\Downloads\installer.exe SHA512
:: MD5
certutil -hashfile C:\Users\You\Downloads\installer.exe MD5
Common Scenarios
Downloading an Operating System ISO
This is the most important scenario for manual checksum verification. OS images are large files that are prime targets for tampering (supply chain attacks on mirrors) and corruption (network errors during multi-gigabyte downloads).
Most Linux distributions publish checksum files alongside their ISO downloads. Ubuntu, for example, provides SHA256SUMS and SHA256SUMS.gpg files. The .gpg file is a GPG signature of the checksum file, which adds a layer of authentication on top of integrity verification (more on this below).
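As an added example (not part of this guide or of any distribution's tooling), the following POSIX shell script checks one downloaded file against a SHA256SUMS file. Unlike piping the verifier's output through grep, it fails loudly when the file is not listed in the checksum file at all, and it compares digests case-insensitively because publishers print hex in both cases. It uses sha256sum where present (Linux) and falls back to shasum -a 256 (macOS). The file names and contents in the demonstration at the bottom are constructed.

```shell
#!/bin/sh
# Added example: verify one downloaded file against a SHA256SUMS-style file,
# portably across Linux (sha256sum) and macOS (shasum -a 256).
# Exit codes: 0 = match, 1 = mismatch, 2 = file not listed in the sums file.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected digest for a file name in a SHA256SUMS file.
# Lines look like "<hex>  <name>" or "<hex> *<name>" (binary-mode marker).
expected_sha256() {
    sums_file=$1
    name=$2
    awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }
    ' "$sums_file"
}

# verify_against_sums SUMS_FILE FILE
verify_against_sums() {
    sums_file=$1
    file=$2
    name=$(basename "$file")
    expected=$(expected_sha256 "$sums_file" "$name")
    if [ -z "$expected" ]; then
        # A silent "no output" here is exactly what a grep pipeline would give you.
        echo "$name: NOT LISTED in $sums_file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    # Normalise the published digest to lower case before comparing.
    if [ "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" = "$actual" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Demonstration with constructed data (no network access needed).
demo_dir=$(mktemp -d)
printf 'hello, checksums\n' > "$demo_dir/release.iso"
sha256_of "$demo_dir/release.iso" | sed 's/$/  release.iso/' > "$demo_dir/SHA256SUMS"
verify_against_sums "$demo_dir/SHA256SUMS" "$demo_dir/release.iso" || echo "exit status $?"
# Appending a single byte is enough to make verification fail:
printf 'tampered\n' >> "$demo_dir/release.iso"
verify_against_sums "$demo_dir/SHA256SUMS" "$demo_dir/release.iso" || echo "exit status $?"
# A file the publisher never listed is reported, not silently ignored:
verify_against_sums "$demo_dir/SHA256SUMS" "$demo_dir/other.iso" || echo "exit status $?"
```

The exit code distinguishes the three outcomes so the function can drive a download script: only status 0 means the file may be used.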
Installing Developer Tools
When downloading compilers, runtimes, or development tools directly (outside a package manager), always verify the checksum. This includes Node.js binaries, Python installers, Rust toolchains, Go distributions, and Java JDKs. Each of these projects publishes checksums on their official download pages.
Firmware Updates
Router firmware, BIOS updates, and IoT device firmware should always be verified before flashing. A corrupted firmware update can permanently damage hardware (a condition known as "bricking"). Manufacturers typically provide checksums in their release notes or support documentation.
How Package Managers Use Checksums
Modern package managers automate checksum verification, but understanding how they work helps you appreciate the security they provide -- and recognize when it might fail.
npm (Node.js)
npm uses SHA-512 checksums stored in the package-lock.json file under the integrity field. When you run npm install, npm downloads each package, computes its SHA-512 hash, and compares it to the value in the lockfile. If they do not match, the installation fails. This protects against both corrupted downloads and registry tampering.
// package-lock.json excerpt
{
"node_modules/lodash": {
"version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"integrity": "sha512-v2kDE...base64hash..."
}
}
pip (Python)
pip supports hash checking through requirements.txt with the --hash option and through pip-tools generated lockfiles. PyPI provides SHA-256 hashes for all packages, and pip verifies them during download.
# requirements.txt with hash pinning
requests==2.31.0 \
--hash=sha256:a1b2c3d4e5f6...
flask==3.0.0 \
--hash=sha256:f6e5d4c3b2a1...
apt (Debian/Ubuntu)
apt uses a chain of trust: repository metadata is signed with GPG keys, and the metadata includes SHA-256 hashes of every package. When you run apt install, the system verifies the GPG signature of the package list, then verifies each downloaded package against its listed hash. This provides both authentication (the package list is from the trusted repository) and integrity (the package has not been modified).
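The npm integrity value and the pip --hash value described in the two sections above are both encodings of an ordinary digest, so you can recompute them for a local artifact and compare them with what a lockfile records. The shell functions below are an added example, not npm's or pip's own code: the sha512-<base64> form is the Subresource Integrity encoding npm writes to package-lock.json, the sha256:<hex> form is what pip expects after --hash, and the artifact in the demonstration is a constructed stand-in for a package tarball. It assumes openssl and base64 are installed.

```shell
#!/bin/sh
# Added example (not npm's or pip's code): recompute the two lockfile hash
# encodings for a local file and compare them with the recorded value.
#   npm package-lock.json "integrity": sha512-<base64 of the raw SHA-512 digest>
#   pip requirements.txt  --hash:      sha256:<lower-case hex SHA-256 digest>
# Requires openssl (raw digest) and base64 (coreutils or macOS).

# npm/SRI integrity string for a file: raw 64-byte digest, base64-encoded.
sri_sha512() {
    printf 'sha512-%s' "$(openssl dgst -sha512 -binary "$1" | base64 | tr -d '\n')"
}

# pip-style hash for a file: "sha256:" plus the hex digest (last field of openssl's output).
pip_sha256() {
    printf 'sha256:%s' "$(openssl dgst -sha256 "$1" | awk '{print $NF}')"
}

# check_integrity FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if the prefix is not one of the two forms.
check_integrity() {
    file=$1
    expected=$2
    case $expected in
        sha512-*) actual=$(sri_sha512 "$file") ;;
        sha256:*) actual=$(pip_sha256 "$file")
                  # hex is case-insensitive; base64 is not, so only this branch normalises
                  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f') ;;
        *) echo "unsupported hash prefix in: $expected" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "$(basename "$file"): integrity OK"
        return 0
    fi
    echo "$(basename "$file"): integrity MISMATCH" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration with a constructed tarball stand-in (no registry access).
demo_dir=$(mktemp -d)
printf 'not really a tarball\n' > "$demo_dir/pkg-1.0.0.tgz"
recorded=$(sri_sha512 "$demo_dir/pkg-1.0.0.tgz")   # what a fresh lockfile would record
echo "integrity: $recorded"
check_integrity "$demo_dir/pkg-1.0.0.tgz" "$recorded" || echo "exit status $?"
# Any change to the artifact, even one byte, must be caught:
printf 'x' >> "$demo_dir/pkg-1.0.0.tgz"
check_integrity "$demo_dir/pkg-1.0.0.tgz" "$recorded" || echo "exit status $?"
```

This is also a quick way to audit a vendored tarball against the lockfile entry for it without letting the package manager install anything.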
Docker
Docker images are content-addressable: each image layer is identified by its SHA-256 hash (the "digest"). When you pull an image, Docker verifies that the content of each layer matches its digest. You can also pin images to specific digests for reproducible deployments:
# Pin to exact image digest for reproducibility
FROM node@sha256:a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
GPG Signatures vs Checksums
Checksums and GPG signatures serve complementary but different purposes. Understanding the difference is important for thorough file verification.
Checksums: Integrity Only
A checksum verifies that a file has not been modified, but it does not tell you who created the file. If an attacker compromises the download server, they can replace both the file and the checksum simultaneously. You would verify the checksum of the malicious file against the attacker's malicious checksum, and everything would appear correct.
GPG Signatures: Integrity and Authentication
A GPG (or PGP) signature proves both that the file has not been modified and that it was signed by someone who possesses a specific private key. Even if an attacker compromises the download server, they cannot forge a valid GPG signature without the publisher's private key.
# Verify a GPG-signed checksum file (Linux/macOS)
# 1. Import the publisher's public key
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0xABCDEF1234567890
# 2. Verify the signature on the checksum file
gpg --verify SHA256SUMS.gpg SHA256SUMS
# gpg: Good signature from "Ubuntu CD Image Automatic Signing Key"
# 3. Now verify the file against the authenticated checksum file
sha256sum -c SHA256SUMS --ignore-missing
The ideal verification process combines both: first verify the GPG signature of the checksum file (authentication), then verify the file against the authenticated checksum (integrity). This two-step process provides the strongest guarantee that the file is exactly what the publisher intended.
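Putting the two steps into one script, as an added example that is not Ubuntu's or GnuPG's own tooling: the version below reads gpg's machine-readable --status-fd output instead of the "Good signature" text (which varies with locale) and pins the publisher's key fingerprint, because a good signature by itself only proves the file was signed by some key in your keyring. The fingerprint in the usage comment is a placeholder; take the real one from the publisher's website rather than from the keyserver response, and run the script from the directory that holds the ISO and both checksum files.

```shell
#!/bin/sh
# Added example (not distribution or GnuPG code): the two-step process above,
# refusing to continue unless the signature is valid AND made by the expected key.

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line names
# the expected fingerprint (spaces and case in the pin are ignored).
# VALIDSIG fields: <sig-key-fpr> <date> <ts> <expire> <ver> <reserved>
#                  <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
status_has_validsig_from() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key, the last field the primary key;
            # accept a pin on either.
            if ($3 == want || $NF == want) { found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# verify_signed_sums EXPECTED_FPR SUMS_FILE SIGNATURE_FILE TARGET_FILE
verify_signed_sums() {
    fpr=$1; sums=$2; sig=$3; target=$4
    # Step 1: authenticate the checksum file. --status-fd 1 sends the status
    # lines to stdout; gpg's exit code is checked too.
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || {
        echo "signature verification failed" >&2; return 1; }
    printf '%s\n' "$status" | status_has_validsig_from "$fpr" || {
        echo "valid signature, but not from the pinned key $fpr" >&2; return 1; }
    # Step 2: integrity of the download against the now-authenticated list.
    # --ignore-missing is GNU coreutils; on macOS use shasum -a 256 -c instead.
    sha256sum -c --ignore-missing "$sums" 2>/dev/null \
        | grep -Fx "$(basename "$target"): OK" >/dev/null || {
        echo "$target: checksum FAILED or not listed in $sums" >&2; return 1; }
    echo "$target: signature and checksum OK"
}

# Usage (placeholder fingerprint, not a real key):
#   verify_signed_sums "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000" \
#       SHA256SUMS SHA256SUMS.gpg ubuntu-24.04-desktop-amd64.iso
```

Because the status parser is separate from the gpg call, it can be exercised on captured status output, and the script fails closed: any outcome other than a VALIDSIG from the pinned key followed by an "OK" line for the target returns non-zero.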
Choosing the Right Algorithm
When you have a choice of which checksum algorithm to use:
- SHA-256: The best default choice. Fast enough for any file size, strong enough for any threat model. Use this unless you have a specific reason not to.
- SHA-512: Slightly stronger and often faster on 64-bit hardware. A good choice when available.
- SHA-1: Deprecated for security purposes. Only use it if the publisher only provides SHA-1 checksums (and consider asking them to upgrade).
- MD5: Suitable only for detecting accidental corruption. Do not rely on MD5 checksums when security is a concern.
For a deeper comparison of these algorithms, read our article on MD5 vs SHA-256.
Verify Files Instantly
If you prefer a graphical interface over the command line, our Hash Generator includes a file hashing tab where you can drag and drop any file to compute its SHA-256, SHA-512, or MD5 checksum instantly. The tool also includes a verification tab where you can paste a known hash and compare it against a computed value. All processing happens in your browser -- your files never leave your machine.
Further Reading
- GNU Coreutils — sha256sum
Documentation for the sha256sum command-line checksum utility.
- NIST Cryptographic Standards and Guidelines
NIST resources on approved hash algorithms and cryptographic practices.
- OpenSSL dgst documentation
OpenSSL message digest command reference for checksum verification.