Checksum Verifier — Verify File Checksums Online

Verify downloaded files by comparing their checksums against the publisher's official hash. Drop a file, paste the expected checksum, and get instant verification.

Step-by-Step File Verification

Step 1: Download the file you want to verify.
Step 2: Find the official checksum on the publisher's website (usually on the download page or in a .sha256 file).
Step 3: Drop your file in the tool below.
Step 4: Paste the expected hash.
Step 5: Click Verify; the tool computes the file's hash and compares it instantly.

Finding Official Checksums

Software publishers provide checksums in different ways.
Linux ISOs: Look for SHA256SUMS or SHA512SUMS files on download mirrors.
macOS/Windows apps: Check the “Downloads” or “Releases” page for hash values.
GitHub releases: Many projects include checksums in release notes or provide a CHECKSUMS file.
Package managers: npm, pip, and cargo verify checksums automatically.

What a Mismatch Means

If the checksum doesn't match:
Most likely: The download was corrupted (try downloading again).
Possible: You're comparing against the wrong version or platform.
Rare but serious: The file has been tampered with.
If re-downloading doesn't fix the mismatch and you're sure you have the correct expected hash, do not install the file and report the issue to the publisher.
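
The verification flow above, sketched with the Web Crypto API as an added example (not this tool's own code). It accepts either a bare pasted hash or a whole SHA256SUMS-style manifest, picks the algorithm from the hash length, and reports a file name missing from the manifest (the wrong version or platform case) separately from a mismatch. The function names, sample manifest, file names and bytes are constructed for illustration.

```javascript
// Added example, not the tool's code. Sample manifest, names and bytes are constructed.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Hex digest length -> Web Crypto algorithm (Web Crypto has no MD5).
const ALGO_BY_HEX_LEN = { 40: "SHA-1", 64: "SHA-256", 128: "SHA-512" };

// Parse sha256sum-style lines: "<hex>  <name>" (text) or "<hex> *<name>" (binary).
function parseManifest(text) {
  const entries = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]+) [ *](.+)$/.exec(line.trim());
    if (m) entries.set(m[2], m[1].toLowerCase());
  }
  return entries;
}

// Accept a bare pasted hash or a whole manifest; return expected hex, or null.
function expectedFor(input, fileName) {
  const bare = input.trim().toLowerCase();
  if (/^[0-9a-f]+$/.test(bare)) return bare;
  return parseManifest(input).get(fileName) ?? null;
}

function toHex(buffer) {
  return Array.from(new Uint8Array(buffer), (b) => b.toString(16).padStart(2, "0")).join("");
}

// status: "match" | "mismatch" | "no-entry" (name not listed) | "unsupported" (length).
async function verifyChecksum(bytes, fileName, input) {
  const expected = expectedFor(input, fileName);
  if (expected === null) return { status: "no-entry" };
  const algorithm = ALGO_BY_HEX_LEN[expected.length];
  if (!algorithm) return { status: "unsupported" };
  const actual = toHex(await subtle.digest(algorithm, bytes)); // whole buffer in one call
  return { status: actual === expected ? "match" : "mismatch", algorithm, actual };
}

const SAMPLE_MANIFEST = [
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  demo-1.0-linux.tar.gz",
  "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *demo-1.0-windows.zip",
].join("\n");
const SAMPLE_BYTES = new TextEncoder().encode("abc"); // stands in for file.arrayBuffer()

verifyChecksum(SAMPLE_BYTES, "demo-1.0-linux.tar.gz", SAMPLE_MANIFEST)
  .then((r) => console.log(r.status, r.algorithm));
```

In a browser, pass `new Uint8Array(await file.arrayBuffer())` for the dropped file in place of the sample bytes.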

Drop a file below and paste the expected checksum to verify.

Frequently Asked Questions

Is my data safe? Is anything sent to a server?
No data leaves your browser. All hashing uses the Web Crypto API built into your browser (for SHA algorithms) or a local JavaScript implementation (for MD5). Files are read locally and never uploaded. Your text, files, and HMAC keys are never transmitted, stored, or logged.
What’s the difference between MD5, SHA-1, SHA-256, and SHA-512?
These are all cryptographic hash functions that produce fixed-size outputs from any input. MD5 produces 128-bit (32 hex character) hashes but is cryptographically broken. SHA-1 produces 160-bit (40 character) hashes but was broken in 2017. SHA-256 produces 256-bit (64 character) hashes and is the recommended standard. SHA-512 produces 512-bit (128 character) hashes for maximum security.
Which hash algorithm should I use?
For most purposes, use SHA-256. It’s the current industry standard, used in TLS certificates, Bitcoin, code signing, and file integrity verification. Use SHA-512 for maximum security requirements. Only use MD5 or SHA-1 for legacy compatibility where security is not a concern.
Is hashing the same as encryption?
No. Hashing is one-way — you cannot reverse a hash to get the original data. Encryption is two-way — encrypted data can be decrypted with the correct key. Hashing is used for verification and integrity, not confidentiality.
What is HMAC and when do I need it?
HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function. While a regular hash only proves integrity, HMAC also proves authenticity — the data came from someone who knows the secret key. Essential for webhook verification (Stripe, GitHub, Shopify) and API authentication.
Can I hash large files?
Yes. The tool reads files in chunks using streaming APIs, so it can handle files up to 2GB without running out of memory. A progress bar shows hashing progress. All processing happens locally.
How do I verify a downloaded file?
Go to the File Hash tab, drop your file, and compute its hash. Then compare the result with the checksum from the file’s publisher. If they match, the file is authentic, provided the checksum itself came from the publisher's official source. You can also use the Compare tab to verify automatically.
Why does my MD5 hash have a warning?
MD5 has been cryptographically broken since 2004. Collisions can be generated in seconds. It cannot be trusted for security purposes. We include it for legacy compatibility but recommend SHA-256 for anything security-related.
Can I reverse a hash to find the original text?
No. Cryptographic hash functions are one-way. However, weak passwords can be found using rainbow tables. This is why password hashing should use bcrypt/argon2 with salting, not raw SHA-256.