How to Verify a File Checksum (SHA-256) Safely

When you download an installer, an ISO, or any important file, the publisher often lists a checksum (usually SHA-256) next to it. Comparing that value against the file you actually received proves it downloaded completely and was not tampered with. Here is how to do it in a few seconds, privately.

The tool

File Checksum & Verify

Open File Checksum & Verify

Step by step

  1. Open File Checksum & VerifyGo to the tool — it runs entirely in your browser, so the file is never uploaded.
  2. Add your fileDrop the downloaded file onto the drop zone, or click to browse. Its SHA-256, MD5, SHA-1, and SHA-512 checksums are computed on the spot.
  3. Paste the published checksumCopy the checksum from the download page and paste it into the verify box. Capitalisation and spacing do not matter.
  4. Read the resultA green “Match” means the file is byte-for-byte identical to what the publisher released. “No match” means it differs — re-download it, or check you used the right algorithm.

What a checksum actually proves

A checksum is the output of a hash function (like SHA-256) run over every byte of a file. Because changing even one byte produces a completely different checksum, matching the publisher’s value confirms two things at once: the download finished without corruption, and nobody altered the file in between.

It is the same idea as the Hash Generator, but for whole files instead of text — and it is the standard way open-source projects, operating systems, and security tools let you confirm a download is genuine.

Which algorithm should I use?

Use whatever the publisher published. SHA-256 is by far the most common today and is the safe default. Some older pages still list SHA-1 or MD5, and the tool computes those too so you can match them. One caveat: MD5 and SHA-1 are fine for spotting an accidentally corrupted or truncated download, but they are no longer secure against a deliberate attacker — so when a page offers SHA-256 alongside an older value, verify against the SHA-256.

Why do this in your browser

The whole point of a checksum is trust, so it makes little sense to hand the file to a random website to check it. This tool computes everything locally with the built-in Web Crypto API: the file never leaves your device, which means you can verify sensitive documents and multi-gigabyte installers without uploading anything.

When the checksum does not match

A mismatch is usually harmless — an interrupted or partial download is the most common cause, and re-downloading fixes it. Confirm you compared against the checksum for the exact same version and platform, since a value for a different build will never match.

If a fresh, complete download from the official source still does not match the published value, stop and do not run the file: it may have been tampered with or served from a compromised mirror.

Frequently asked questions

Is my file uploaded when I verify it?

No. The checksum is computed locally with your browser’s Web Crypto API, so the file never leaves your device.

What does “No match” mean?

The file differs from the one the checksum describes — most often an incomplete download (re-download it), a checksum for a different version, or a different algorithm. If a clean download from the official source still fails, do not run the file.

Is MD5 supported?

Yes — MD5 (and SHA-1) are included so you can verify older downloads that only publish those. They reliably catch accidental corruption, but are not secure against deliberate tampering, so prefer SHA-256 whenever the source offers it.

All guides