File Checksum
Calculate MD5, SHA-1, SHA-256, SHA-512 checksums for files. Verify file integrity and compare hashes. Free online file hash calculator
Checking a downloaded ISO matches the publisher's SHA-256 takes 5 seconds and catches the rare-but-real case where the mirror you grabbed it from served corrupted bytes — or, in the worst case, an attacker-controlled mirror served you a modified installer. This tool computes MD5, SHA-1, SHA-256, SHA-384, SHA-512, and SHA-3 checksums of files entirely in your browser. Multi-gigabyte files work, but expect time proportional to file size. Files are never uploaded.
What checksum verification actually catches
- Bit rot — random storage corruption. Modern filesystems with ECC catch most of this; older or no-checksum filesystems (ext4 without journaling, FAT) do not.
- Network transfer corruption — TCP has its own 16-bit checksum that catches most random errors but not adversarial ones. CDN/HTTP-level errors do happen, especially over flaky connections.
- Mirror compromise — an attacker who controls a download mirror substitutes a modified installer. The publisher's checksum, served from a trusted channel (their main site, signed release notes), catches this if you actually check.
- Wrong file delivered — a typo, a stale cache, a "yesterday's build" served when you wanted today's. The checksum is the source of truth.
What checksum verification does NOT catch: a fully-compromised publisher who serves a malicious file AND its matching malicious checksum. For that you need code signing (Authenticode on Windows, notarization on macOS, PGP signature on Linux distros).
Working example
Input
File: ubuntu-24.04.2-desktop-amd64.iso (5.2 GB)
Output
Computed:
SHA-256: c2e6f4fcb1ba9b41b3a8d... (full 64 hex chars)
Publisher (https://releases.ubuntu.com/24.04.2/SHA256SUMS):
c2e6f4fcb1ba9b41b3a8d... ubuntu-24.04.2-desktop-amd64.iso
✓ Match. Download is intact.
Time to compute: ~45s on M2 MacBook, ~2 min on a 2018 laptop.
Always compare against the checksum on the publisher's official site, not the same site you downloaded from. If both checksum and ISO live on the same mirror, an attacker who modified the ISO would also modify the checksum to match. Cross-channel verification is the point.
Pick the right algorithm
- SHA-256 — default for everything. Universally supported, fast on modern hardware, no known collision attacks. The right answer in 99% of cases.
- SHA-512 — same security as SHA-256, often faster on 64-bit CPUs. Use when the publisher provides SHA-512 (or you want a wider digest).
- SHA-1 — still seen on legacy download pages and git commits. Acceptable for integrity (not security) verification; collisions exist but require attacker-chosen input.
- MD5 — only for non-security integrity checks (corrupted-download detection on a trusted mirror). Catastrophically broken for adversarial use; collisions are routine.
- SHA-3 / BLAKE2 / BLAKE3 — modern alternatives. BLAKE3 is particularly fast (multi-GB/s on modern CPUs). Use whatever the publisher provides.
When to reach for this tool
- You downloaded an installer (Ubuntu, macOS, Docker image, software ISO) and want to verify it matches the publisher's checksum before running.
- You are sending a large file to a colleague and want to confirm the recipient got the same bytes after transfer.
- You inherited a tarball with a SHA256SUMS file and want to verify each entry without running shasum on the command line.
- You are debugging "the build artifact is different on CI vs locally" — checksum both and see if they actually differ.
What this tool will not do
- It will not verify digital signatures. A signature proves who created the file; a checksum proves what bytes are there. For Authenticode (.exe), notarization (.app), or GPG-signed releases, use the OS or gpg tools.
- It will not handle files larger than your browser can hold in memory. Most browsers support file streaming via the File API up to several GB; beyond that, use sha256sum on the command line.
- It will not auto-compare against an online database. You provide both the file and the expected checksum; the tool computes and shows match/no-match.
Files are read by the browser via the File API and processed locally via Web Crypto SubtleCrypto.digest. No bytes are uploaded. Useful for confidential builds, internal artifacts, or simply when you do not want a 5GB file leaving your machine to a third-party hashing service.
Frequently asked questions
My file size matches but checksum does not. How can this happen?
File size is the count of bytes; checksum is a fingerprint of the bytes themselves. Two different files can have the same size and different contents. Always trust the checksum, not the size. Common causes: partial download (size right because the server reported the correct length but bytes were not all transferred), filesystem corruption mid-file, file modification (added metadata, malware injection).
How long should checking a 10GB file take?
SHA-256 on a modern x86 with SHA-NI instructions runs at 1-2 GB/s. A 10GB file should hash in 5-10 seconds CPU time, plus disk I/O. Browser overhead adds time; expect ~30 seconds to 2 minutes. If it is much slower, your disk is the bottleneck (HDD vs SSD makes a huge difference).
Why do some checksums use uppercase and some lowercase hex?
Convention only. The bytes are identical; hex representation is case-insensitive. Linux sha256sum outputs lowercase; some Windows tools output uppercase; both verify the same. Tools should compare case-insensitively when matching strings.
Is MD5 still safe to use for anything?
For non-adversarial integrity (verifying a download from a trusted publisher), yes, marginally. The collisions discovered against MD5 require chosen-prefix attacks (the attacker picks both files). For "did the file arrive intact across the network" detection, MD5 is fine because the attacker is not crafting both files. Migrate when you can; do not rely on MD5 for new systems.
How do I check a SHA256SUMS file with multiple entries?
Each line is "checksum filename". On Linux: sha256sum -c SHA256SUMS. This tool checks one file at a time; for batch, the command line is more efficient.
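The "checksum filename" line format and the case-insensitive comparison from the answers above, as an added example (not this tool's own code). The function names, file names and listing contents are hypothetical; the parser accepts the two-space text-mode and ` *` binary-mode separators that sha256sum writes, and it reports lines with a wrong-length digest instead of skipping them.

```javascript
// Added example: names and sample data are hypothetical/constructed.
const HEX_LENGTH = { md5: 32, sha1: 40, sha256: 64, sha384: 96, sha512: 128 };

// Parse "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode) lines.
// Digests are stored lowercase so later comparison is case-insensitive.
function parseChecksumFile(text, algorithm = "sha256") {
  const hexLen = HEX_LENGTH[algorithm];
  if (!hexLen) throw new Error(`unsupported algorithm: ${algorithm}`);
  const lineRe = new RegExp(`^([0-9a-fA-F]{${hexLen}}) [ *](.+)$`);
  const entries = new Map();
  const malformed = []; // 1-based line numbers that did not parse
  text.split(/\r?\n/).forEach((line, index) => {
    if (line.trim() === "") return;
    const m = lineRe.exec(line);
    if (m) entries.set(m[2], m[1].toLowerCase());
    else malformed.push(index + 1);
  });
  return { entries, malformed };
}

// Compare a digest computed elsewhere (e.g. by this tool) with the listed one.
function verifyAgainstListing(listing, fileName, computedHex) {
  const expected = listing.entries.get(fileName);
  if (expected === undefined) return { status: "not-listed" };
  const actual = computedHex.trim().toLowerCase();
  return { status: actual === expected ? "match" : "mismatch", expected, actual };
}

// Constructed listing: SHA-256 of the empty input and of "abc", plus a
// truncated digest that must be rejected instead of silently skipped.
const SAMPLE_SHA256SUMS = [
  "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 *empty.bin",
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt",
  "ba7816bf8f01cfea  truncated.iso",
].join("\n");

const listing = parseChecksumFile(SAMPLE_SHA256SUMS);
const check = verifyAgainstListing(
  listing,
  "abc.txt",
  "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
);
console.log(check.status, "malformed lines:", listing.malformed);
```

A "not-listed" result means the listing has no entry for that file name, which is a different failure from a mismatch and should be surfaced separately.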
The SHA-1 of my git commit matches but the content seems different?
Git's SHA-1 is computed over the commit object (author, message, tree hash, parent hash), not just the file content. Two commits with identical content can have different SHA-1s (different timestamps, authors, parents). To verify file content alone, hash the file directly.
Last updated · E-Utils editorial team