How to verify a file checksum (MD5, SHA-256)

Updated 2026-06-21

To verify a file checksum, generate a hash of your downloaded file (usually SHA-256 or MD5) and compare it character-for-character against the checksum the source published. If the two strings match exactly, the file is intact and untampered. If a single character differs, the file is corrupt or has been altered — don't trust it.

Why checksums matter

A checksum is a short fingerprint computed from every byte of a file. Change even one bit — a dropped packet during download, a truncated file, or a malicious swap — and the resulting hash changes completely. Software projects, Linux ISOs, and firmware downloads publish a checksum next to the download link precisely so you can confirm what you received is what they shipped.

The hash itself doesn't fix anything; it only tells you whether two files are identical. That makes it perfect for catching incomplete downloads and verifying authenticity before you run an installer.

How to verify a checksum

1. Note the published checksum from the source page, and which algorithm it uses — SHA-256 is the modern standard, though MD5 and SHA-1 are still common on older download pages.
2. Open the Hash & Checksum Generator and drop in your downloaded file.
3. Read off the hash for the matching algorithm.
4. Compare it to the published value. Use the verify field to paste the expected checksum and let the tool confirm the match for you, rather than eyeballing 64 hex characters.

A match means the files are byte-for-byte identical. A mismatch means re-download the file — and if it keeps failing, treat the source with suspicion.

Picking the right algorithm

• SHA-256 — the safe default for verifying authenticity. Collision-resistant and widely published.
• SHA-512 — same idea, longer output, common in security-sensitive contexts.
• MD5 and SHA-1 — fine for spotting accidental corruption and matching legacy checksums, but considered broken for security. If a site only offers MD5, use it to check integrity, not to prove a file is safe.
• CRC32 — a fast, short check used for error detection in archives, not a security hash.

Always use whichever algorithm matches the published value — comparing a SHA-256 hash to an MD5 string will never match.

Hashing text, not just files

The same tool fingerprints plain text. Paste a string and get its MD5 or SHA-256 instantly — handy for confirming an API signing example, checking a config value, or comparing two snippets that should be identical.

Privacy

Verifying a download shouldn't mean uploading it. The Hash & Checksum Generator computes every hash locally in your browser tab — your file and text never leave your device, there's no account, and nothing is sent to a server. Drop in your file and check the checksum now.

Try the Hash & Checksum Generator →