Checksum File: How to Verify Download Integrity
Checksum guide: MD5, SHA-256, SHA-512 explained. How to calculate and verify hashes.
You just downloaded the installer for an important piece of software—maybe a Linux distro, a crypto wallet, or a security tool. How do you know the file wasn't corrupted during download or, worse, modified by an attacker? The answer is the checksum: a unique "fingerprint" of the file that lets you verify its integrity in seconds.
In this guide, we'll cover what MD5, SHA-1, SHA-256, and SHA-512 are, how to calculate and verify checksums on any operating system, and when to use each algorithm.
What is a checksum (and why you need it)
A checksum is a string of characters generated by applying a hash algorithm to a file. This algorithm takes the entire file contents as input (which can be gigabytes) and produces a fixed-length output (32-128 characters, depending on the algorithm).
The magic lies in two fundamental properties:
- Determinism: the same file always produces the same checksum
- Sensitivity: even a single modified bit completely changes the checksum
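This means that if you download a file and its checksum matches the one published by the author, you can be sure, for all practical purposes, that the file is exactly the original, byte for byte (assuming a collision-resistant algorithm such as SHA-256 and a checksum obtained from a trusted source).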
MD5, SHA-1, SHA-256, SHA-512: which to use?
| Algorithm | Output length | Security | Recommended use |
|---|---|---|---|
| MD5 | 32 characters (128 bit) | Deprecated | Only accidental corruption check |
| SHA-1 | 40 characters (160 bit) | Deprecated | Legacy, avoid |
| SHA-256 | 64 characters (256 bit) | Secure | Recommended standard |
| SHA-512 | 128 characters (512 bit) | Very secure | Maximum security |
Recommendation: use SHA-256 for everything. It's the current standard, supported everywhere, and secure enough for any practical use. MD5 and SHA-1 are vulnerable to collisions (two different files with the same hash) and shouldn't be used for security verification.
How to calculate checksums on every operating system
Linux and macOS
```bash
# SHA-256 (recommended)
sha256sum file.zip          # Linux
shasum -a 256 file.zip      # macOS
# SHA-512
sha512sum file.zip          # Linux
shasum -a 512 file.zip      # macOS
# MD5 (only for compatibility)
md5sum file.zip             # Linux
md5 file.zip                # macOS
# Example output:
# e3b0c44298fc1c149afbf4c8996fb924...  file.zip
```
Windows (PowerShell)
```powershell
# SHA-256 (default)
Get-FileHash file.zip
# SHA-512
Get-FileHash file.zip -Algorithm SHA512
# MD5
Get-FileHash file.zip -Algorithm MD5
# Output:
# Algorithm       Hash                                   Path
# ---------       ----                                   ----
# SHA256          E3B0C44298FC1C149AFBF4C8996FB9...      C:\file.zip
```
Windows (Command Prompt)
```bat
REM SHA-256
certutil -hashfile file.zip SHA256
REM MD5
certutil -hashfile file.zip MD5
```
How to verify a download
Most serious software publishes checksums alongside download files. Here's the correct process:
- Download the file from the official site
- Find the checksum on the same page (often in a .sha256 file or documentation)
- Calculate the checksum of the downloaded file with the appropriate command
- Compare: they must be identical, character for character
```bash
# Quick method on Linux: automatic verification
# (paste the full published hash; two spaces separate it from the file name)
echo "e3b0c44298fc1c149afbf4c8996fb924...  file.zip" | sha256sum -c
# Output: file.zip: OK
```
Important: make sure the checksum comes from a trusted source (official site, HTTPS). If an attacker can modify the file, they could modify the published checksum too.
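The comparison step can also be scripted. The following Python sketch is an added example, not code from the original article: it parses `sha256sum`-style lines, accepts the uppercase hashes that `Get-FileHash` prints, refuses MD5/SHA-1 unless explicitly allowed, and compares the full digest. The names `verify_download`, `parse_checksum_lines` and `ALGO_BY_LENGTH` are illustrative assumptions.

```python
import hashlib
import hmac
import re

# Hex digest length -> algorithm, per the table above (names are illustrative).
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# sha256sum-style line: <hex digest><space><space or '*'><file name>
LINE_RE = re.compile(r"^([0-9A-Fa-f]+) [ *](.+)$")


def parse_checksum_lines(text):
    """Return {file name: lowercase hex digest}; malformed or truncated lines are skipped."""
    entries = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match and len(match.group(1)) in ALGO_BY_LENGTH:
            entries[match.group(2)] = match.group(1).lower()
    return entries


def file_digest(path, algorithm):
    """Hash the file in 1 MiB chunks so large downloads never sit fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, name, checksum_text, allow_weak=False):
    """Return 'OK', 'MISMATCH', 'NOT LISTED' or 'WEAK ALGORITHM' for one file."""
    expected = parse_checksum_lines(checksum_text).get(name)
    if expected is None:
        return "NOT LISTED"
    algorithm = ALGO_BY_LENGTH[len(expected)]
    if algorithm in ("md5", "sha1") and not allow_weak:
        return "WEAK ALGORITHM"  # refuse MD5/SHA-1 unless explicitly allowed
    actual = file_digest(path, algorithm)
    # Compare the whole digest, not just the first and last few characters.
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


if __name__ == "__main__":  # demo on a constructed sample file
    import pathlib
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        sample = pathlib.Path(d, "file.zip")
        sample.write_bytes(b"constructed sample payload\n")
        # Stands in for the publisher's value, in Get-FileHash's uppercase style.
        published = hashlib.sha256(sample.read_bytes()).hexdigest().upper()
        print(verify_download(sample, "file.zip", f"{published}  file.zip"))
```

A checksum line that has been abbreviated with `...` is treated as not listed, so a shortened hash can never produce an `OK`.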
Practical use cases
1. Verify downloaded software
Always verify: operating system installers, crypto wallets, security tools, firmware.
2. Backup and file transfer
```bash
# Before transfer
sha256sum important-data.tar.gz > checksum.sha256
# After transfer (on another machine)
sha256sum -c checksum.sha256
# Output: important-data.tar.gz: OK
```
3. Change detection
Periodically calculate checksums of critical files and compare them with previous values to detect unauthorized changes.
4. Deduplication
Files with the same checksum are identical. Useful for finding duplicates without byte-by-byte comparison.
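Use cases 3 and 4 can share one digest snapshot. The Python sketch below is an added example, not part of the original article: it records a SHA-256 baseline for a directory, reports what was modified, added or removed since, and groups identical files. The function names `snapshot`, `compare` and `duplicates` are illustrative assumptions.

```python
import hashlib
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    # read_bytes() loads the whole file: fine for configs, stream large files instead.
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Return the paths modified, added or removed since the baseline snapshot."""
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]
    return {
        "modified": sorted(modified),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def duplicates(snap):
    """Group paths that share a digest, i.e. files with identical content."""
    groups = {}
    for path, digest in snap.items():
        groups.setdefault(digest, []).append(path)
    return sorted(sorted(paths) for paths in groups.values() if len(paths) > 1)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        Path(d, "app.conf").write_text("port=443\n")
        Path(d, "copy.conf").write_text("port=443\n")
        baseline = snapshot(d)
        Path(d, "app.conf").write_text("port=8443\n")  # simulated unauthorized edit
        print(duplicates(baseline))
        print(compare(baseline, snapshot(d)))
```

Keep the baseline somewhere the monitored machine cannot write to: as with published checksums, anyone who can change both the files and the stored digests can hide the change.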
Code implementation
Node.js
```javascript
const crypto = require('crypto');
const fs = require('fs');

// Stream the file through the hash so large files are never loaded into memory at once
function getFileHash(filePath, algorithm = 'sha256') {
  return new Promise((resolve, reject) => {
    const hash = crypto.createHash(algorithm);
    const stream = fs.createReadStream(filePath);
    stream.on('data', data => hash.update(data));
    stream.on('end', () => resolve(hash.digest('hex')));
    stream.on('error', reject);
  });
}

// Usage (top-level await is not available in CommonJS, so use the promise)
getFileHash('file.zip')
  .then(checksum => console.log(checksum))
  .catch(err => console.error(err.message));
```
Python
```python
import hashlib

def get_file_hash(file_path, algorithm='sha256'):
    h = hashlib.new(algorithm)
    with open(file_path, 'rb') as f:
        # Read in 8 KiB chunks so large files are not loaded into memory at once
        for chunk in iter(lambda: f.read(8192), b''):
            h.update(chunk)
    return h.hexdigest()

# Usage
checksum = get_file_hash('file.zip')
print(checksum)
```
Bash (one-liner for multiple files)
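```bash
# Generate checksums for all files in a folder
# (exclude the output file itself, which the shell creates before find runs)
find . -type f ! -name checksums.sha256 -exec sha256sum {} + > checksums.sha256
# Verify all
sha256sum -c checksums.sha256
```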
Common mistakes to avoid
- Trusting MD5 for security: MD5 is vulnerable, use it only for accidental corruption checks
- Downloading checksum from the same compromised site: if the attacker controls the site, they can modify both
- Partial visual comparison: verify ALL characters, not just the first/last ones
- Ignoring spaces: whitespace matters when you copy a checksum, and a stray or missing space makes the comparison fail, so copy everything exactly
Conclusion
The checksum is a simple but powerful tool for ensuring the integrity of your files. In 30 seconds you can verify that a gigabyte download is exactly what it should be, without doubts or uncertainties. It's a practice every developer and sysadmin should adopt as routine. The golden rules:
- Use SHA-256 for everything
- Always verify critical software (OS, crypto, security)
- Keep checksums of your backups
- Don't trust MD5 for security