What Is a Checksum and How Do You Verify One?
A checksum is a short hash derived from a file's contents. If even one byte changes — corrupted download, bad disk sector, or tampering — the checksum changes completely. That's what makes them useful for verifying file integrity.
How a checksum works
The publisher hashes the file and publishes the hash alongside the download:
ubuntu-24.04-desktop-amd64.iso
SHA256: 8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3
You download the file, hash it yourself, and compare. If your hash matches, the file is intact.
Verifying a checksum on the command line
macOS / Linux:
# SHA-256
shasum -a 256 ubuntu-24.04-desktop-amd64.iso
# MD5 (legacy, still common)
md5sum ubuntu-24.04-desktop-amd64.iso
Windows (PowerShell):
Get-FileHash ubuntu-24.04-desktop-amd64.iso -Algorithm SHA256
Compare the output against the published hash character by character — or automate it:
echo "8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3 ubuntu-24.04-desktop-amd64.iso" | shasum -a 256 -c
# ubuntu-24.04-desktop-amd64.iso: OK
Which algorithm should you use?
| Algorithm | Output | Use case |
|---|---|---|
| MD5 | 128-bit / 32 hex chars | Legacy compatibility only |
| SHA-1 | 160-bit / 40 hex chars | Avoid for new systems |
| SHA-256 | 256-bit / 64 hex chars | Standard for file integrity |
| SHA-512 | 512-bit / 128 hex chars | Extra margin, same trust |
SHA-256 is the safe default today. MD5 checksums are still common for download verification (not password storage — different problem), because a corrupted-file attack via MD5 collision is impractical in this context.
Checksums vs signatures
A checksum proves the file matches the hash, but the hash itself can be swapped by an attacker who controls the download page. A cryptographic signature (GPG, Sigstore) proves the hash came from a specific key held by the publisher. For high-security software distribution, verify the signature too.
Verify text checksums in the browser
Hash any string or paste file contents into the hash generator to compute MD5, SHA-1, and SHA-256 without installing anything.
To understand what hash functions are doing under the hood, see what is a hash function.
Got a config file to check?
Open the config toolkit →