You downloaded an installer or an ISO, and the publisher’s page lists a long string of letters and numbers labelled SHA-256. That string is there for one reason: to let you prove the file on your disk is exactly the file they released. This guide walks through what that string means and how to check it in a couple of minutes.
What is a checksum, in plain terms?
A checksum is a fingerprint for a file. Software reads every byte and condenses it into a short, fixed-length string. The same file always produces the same string, and even a one-byte difference produces a completely different one. So when a publisher posts the expected fingerprint, you can recalculate it from your copy and see whether the two match.
The words checksum and hash get used interchangeably here, and so do algorithm names like MD5, SHA-1, and SHA-256. They are different recipes for producing that fingerprint. What matters for you is simple: pick the same algorithm the publisher used, generate the value, and compare.
A useful mental model: the fingerprint is tiny, but it is tied to the file’s exact contents. You cannot work backwards from the fingerprint to the file, and you cannot quietly change the file without changing the fingerprint. That one-way, all-or-nothing behaviour is what makes verification trustworthy.
Why bother verifying a download?
Two problems hide inside a file that looks fine. The first is corruption: a download that dropped a chunk halfway, a flaky USB transfer, or a disk that flipped a bit. The file opens, maybe even runs, then crashes in odd ways later. The second is tampering: someone swaps the real installer for one carrying malware, or a mirror site serves a modified copy. Both leave the file looking normal in your downloads folder.
Verifying the checksum catches both. If your calculated value matches the publisher’s, the file is byte-for-byte what they shipped. If it does not match, you know before you run anything.
This matters most for:
- Operating system ISOs and bootable images
- Installers and setup files, especially from mirrors or torrents
- Firmware and driver packages
- Large archives where a partial download is easy to miss
- Anything downloaded over a flaky or public connection
If a project went to the trouble of publishing a hash, treat it as the last step of the download, not an optional extra.
How to get a file’s hash and compare it
Here is the flow, start to finish. You need the file and the publisher’s posted value.
Step 1: Find the publisher’s value
Look on the official download page, the release notes, or a file named something like SHA256SUMS. Note which algorithm it is. Many projects list more than one, so if SHA-256 is offered, prefer it. Copy the value, or keep the page open.
Step 2: Generate the hash from your copy
Open the file hash tool and drop your downloaded file in. It calculates the fingerprint on your own device, so the file never gets uploaded and nothing is stored once you leave. Choose the same algorithm the publisher used. For a large ISO this takes a few seconds while it reads through the whole file.
Step 3: Compare the two values
Paste the publisher’s value into the comparison box, or read the two strings side by side. A reliable trick is to check the first four and last four characters first, then confirm the rest. Case does not matter, since A1FF and a1ff are the same. If every character lines up, you are done. The file is genuine and intact.
Step 4: Decide based on the result
A match means trust the file and proceed. A mismatch means stop. Do not run an installer whose hash does not match. Re-download from the official source and check again, because the most common cause is a corrupted or incomplete download. If a fresh copy still fails to match, do not use the file.
MD5, SHA-1, or SHA-256: which one to use?
Use SHA-256 whenever security matters. Use MD5 or SHA-1 only when you are checking for accidental corruption and nothing more. The reason is that MD5 and SHA-1 are broken against deliberate attacks: it is practical to craft two different files that share the same MD5 fingerprint, so a matching MD5 no longer proves a file was not swapped on purpose.
| Algorithm | Good for accidental corruption | Safe against tampering | When to reach for it |
|---|---|---|---|
| MD5 | Yes | No | Quick integrity check of your own files |
| SHA-1 | Yes | No | Legacy systems that only publish SHA-1 |
| SHA-256 | Yes | Yes | Verifying any download you will run |
In practice: if you are confirming that a backup copied correctly to another drive, MD5 is quick and perfectly adequate. If you are verifying an OS image or an installer you are about to execute with admin rights, use SHA-256, because there you care about more than a dropped byte.
If the publisher only offers MD5 or SHA-1, that value still catches corruption, which is better than skipping the check. But for security-critical software, prefer projects that publish SHA-256.
A worked example
Say you grab a Linux ISO. The download page lists:
SHA-256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
You open the hash tool, drop in your .iso, and select SHA-256. After a few seconds it shows a value. You glance at the start (9f86d0) and the end (f00a08), see they match, then scan the middle. Everything lines up. That ISO is safe to write to a USB stick and boot.
Now imagine the tool returned a value starting 3a7bd3. No match. You re-download from the official mirror, hash again, and this time it matches. The first download had silently truncated. Without the check, you might have spent an hour debugging a “broken” installer that was never complete.
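The four steps above and this worked example, carried out in code rather than in the web tool: an added Python example, not the page's tool, using my own helper names (detect_algorithm, hash_file, verify_download, parse_sums_file, make_constructed_download). It goes one step further than the text by inferring the algorithm from the length of the published value, which catches the "comparing different algorithms" mistake, and assumes a SHA256SUMS file uses the usual `<hex>  <filename>` layout.

```python
import hashlib
import hmac
import tempfile

# The length of a hex digest reveals which algorithm produced it, so a
# SHA-256 value can never be mistakenly compared against an MD5 one.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdefABCDEF")

def detect_algorithm(published_hex: str) -> str:
    """Step 1: work out which algorithm the publisher's value belongs to."""
    value = published_hex.strip()
    if len(value) not in ALGO_BY_HEX_LEN or not set(value) <= HEX_CHARS:
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest")
    return ALGO_BY_HEX_LEN[len(value)]

def hash_file(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Step 2: hash the local copy in 1 MiB chunks so a multi-gigabyte ISO
    never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: str, published_hex: str) -> bool:
    """Steps 3 and 4: compare the whole string, case-insensitively, with the
    same algorithm the publisher used. True means byte-for-byte identical."""
    algorithm = detect_algorithm(published_hex)
    actual = hash_file(path, algorithm)
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())

def parse_sums_file(text: str) -> dict:
    """Parse SHA256SUMS-style lines ('<hex>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            expected[parts[1].lstrip("*")] = parts[0]  # '*' marks binary mode
    return expected

def make_constructed_download(data: bytes) -> str:
    """Write constructed sample bytes to a temp file standing in for a download.
    The page's published value is the SHA-256 of b"test", so that input matches."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    return tmp.name
```

A real check replaces make_constructed_download with the path of your .iso and feeds parse_sums_file the text of the publisher's SHA256SUMS file.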
Common mistakes to avoid
- Comparing different algorithms. A SHA-256 value will never equal an MD5 value. Confirm you generated the same type the publisher posted.
- Trusting a hash from the same place as a bad file. If a mirror was compromised, both the file and its listed hash could be fake. Get the expected value from the official source.
- Eyeballing only the first few characters. Glancing at the start is a fine quick filter, but confirm the whole string before you trust an installer.
- Skipping the check on large files. Big downloads are exactly where partial transfers slip through unnoticed.
Once you have verified a download, you might want to clear out the old or duplicate copies cluttering your downloads folder. From there, see how to find duplicate files.