How to Verify File Integrity with SHA-256 on Mac, Linux, and Windows
Every time you download software, a disk image, or any critical file from the internet, you're trusting that the file you received is exactly what the publisher intended. File integrity verification lets you confirm this with mathematical certainty.
What is file integrity verification?
When a publisher releases a file — say, a Linux ISO, a database binary, or a firmware package — they typically compute a cryptographic hash of that file and publish it alongside the download. After you download the file, you compute the same hash locally and compare it to the published value. If the hashes match, the file is exactly what the publisher shipped. If they differ, something went wrong: the file may have been corrupted during download, altered on a compromised mirror, or tampered with by a malicious actor.
SHA-256 (Secure Hash Algorithm 256-bit) is the standard choice for this task today. It produces a 64-character hexadecimal string that acts as a unique fingerprint for a file. Even a single flipped bit in the original file produces a completely different hash — this is the avalanche effect. There is no known practical way to produce two different files with the same SHA-256 hash, which is why it is trusted for security-critical verification.
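The avalanche effect is easy to observe directly. The shell snippet below is an added example, not part of the original article: it hashes two constructed inputs that differ in exactly one bit ("Hello World" and "Hello Worle"; the ASCII codes of d and e differ only in their lowest bit) and counts how many of the 64 hex digits of the two SHA-256 digests change. It assumes either GNU coreutils sha256sum (Linux) or Perl shasum (macOS) is on PATH.

```shell
#!/usr/bin/env bash
# Added example: demonstrate the SHA-256 avalanche effect.
# Assumes `sha256sum` (Linux) or `shasum` (macOS) is available on PATH.

# Print the lowercase SHA-256 hex digest of one file.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Count the positions at which two strings of equal length differ.
# Each hex digit encodes 4 bits, so a digit differs whenever any of its bits does.
hex_diff_count() {
  n=0
  i=1
  while [ "$i" -le "${#1}" ]; do
    [ "$(printf '%s' "$1" | cut -c"$i")" = "$(printf '%s' "$2" | cut -c"$i")" ] || n=$((n + 1))
    i=$((i + 1))
  done
  echo "$n"
}

# Hash two constructed inputs that differ in a single bit and print how many
# of the 64 hex digits of their digests differ (about 60 of 64 on average,
# since a digit is unchanged only when all four of its bits survive).
avalanche_demo() {
  work=$(mktemp -d)
  printf 'Hello World' > "$work/original"         # constructed input, no newline
  printf 'Hello Worle' > "$work/one-bit-flipped"  # 'd' (0x64) -> 'e' (0x65)
  h1=$(sha256_hex "$work/original")
  h2=$(sha256_hex "$work/one-bit-flipped")
  rm -rf "$work"
  hex_diff_count "$h1" "$h2"
}

echo "Differing hex digits after a one-bit flip: $(avalanche_demo) of 64"
```

Run it on any machine with the standard hashing tool installed; the two inputs are identical except for one bit, yet almost every digit of the digest changes, which is exactly why a download corrupted by even a single bit fails verification.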
Why not MD5 or SHA-1?
You will occasionally still see .md5 or .sha1 checksum files distributed with downloads. These algorithms are broken for security purposes: researchers have demonstrated practical collision attacks against both MD5 and SHA-1, meaning an attacker can craft two different files, one harmless and one malicious, that share the same hash, so a matching checksum no longer proves you have the file the publisher intended. They still detect accidental corruption, but if a checksum file is available in both SHA-256 and MD5, always use SHA-256.
How to verify on macOS
macOS ships with shasum, which supports all SHA variants:
# Compute the SHA-256 hash of a file
shasum -a 256 downloaded-file.dmg
# Example output:
# e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 downloaded-file.dmg
# Compare against a published checksum file
shasum -a 256 -c downloaded-file.sha256
The -a 256 flag selects SHA-256. The output is the hash, followed by two spaces, followed by the filename. To verify against a checksum file, the -c flag reads the expected hash and filename from that file, recomputes the hash of the named file, and reports whether they match.
How to verify on Linux
Linux distributions include sha256sum as a dedicated command:
# Compute the SHA-256 hash
sha256sum downloaded-file.tar.gz
# Example output:
# a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e downloaded-file.tar.gz
# Verify against a published checksum file
sha256sum -c downloaded-file.sha256
# Output on success:
# downloaded-file.tar.gz: OK
If the file has been modified, sha256sum -c prints FAILED for that entry and exits with a non-zero status code, which makes it easy to use in scripts.
How to verify on Windows
Windows 10 and 11 include Get-FileHash in PowerShell:
# In PowerShell, compute SHA-256 hash
Get-FileHash downloaded-file.exe -Algorithm SHA256
# Example output:
# Algorithm Hash Path
# --------- ---- ----
# SHA256 E3B0C44298FC1C149AFBF4C8996FB9242... C:\Users\you\Downloads\downloaded-file.exe
# Compare directly with a known hash
(Get-FileHash downloaded-file.exe -Algorithm SHA256).Hash -eq "E3B0C44298FC1C..."
# Returns: True or False
Note that Get-FileHash reports the hash in uppercase while most published checksums are lowercase; this does not matter here because PowerShell's -eq compares strings case-insensitively.
Windows also provides certutil in Command Prompt as an alternative:
certutil -hashfile downloaded-file.exe SHA256
How to read a .sha256 checksum file
Publishers often distribute a file named something like SHA256SUMS or downloaded-file.sha256. The format is plain text — one line per file, with the hash and filename separated by two spaces:
a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e ubuntu-24.04-desktop-amd64.iso
c5b4c815a29a46ba5d7e73b25e9b2c6d01a5c3e9a48a5f5f5f5f5f5f5f5f5f5 ubuntu-24.04-server-amd64.iso
Passing this file directly to sha256sum -c (Linux) or shasum -a 256 -c (macOS) verifies every file in the list in one step. Run the command from the directory that contains the downloaded files, because the filenames in the list are resolved relative to the current directory; an entry whose file is missing is reported as a failure.
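The following script is an added example, not code from the original article or from the coreutils or Perl projects. It reimplements the behaviour of sha256sum -c described in the Linux section (per-file OK/FAILED lines, non-zero exit status on any mismatch, usable from scripts) on top of the checksum-file format described just above, and it runs unchanged on macOS and Linux by choosing sha256sum or shasum at runtime. Two design choices go beyond the page's description and are labelled in the code: filenames are resolved relative to the checksum file's own directory rather than the current directory, and published hashes are lowercased before comparison so that values copied from Get-FileHash on Windows also match. The demonstration files, their contents and the SHA256SUMS fixture are constructed inline; the two expected digests are the ones shown earlier on the page (the SHA-256 of empty input and of the string "Hello World").

```shell
#!/usr/bin/env bash
# Added example: portable verification of a SHA-256 checksum file.
# Assumes `sha256sum` (Linux) or `shasum` (macOS) is available on PATH.

# Print the lowercase SHA-256 hex digest of one file.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Verify every entry of a checksum file ("<hash>  <filename>" per line).
# Mirrors `sha256sum -c`: prints "<name>: OK" or "<name>: FAILED" per entry
# and returns 0 only if every listed file exists and matches.
# Departures from the GNU tool, chosen for this example: filenames are
# resolved relative to the checksum file's directory, and the published hash
# is lowercased so uppercase output copied from Get-FileHash also matches.
verify_sums() {
  sumsfile=$1
  dir=$(dirname "$sumsfile")
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in '' | '#'*) continue ;; esac   # skip blank and comment lines
    expected=${line%% *}                         # text before the first space
    name=${line#* }                              # text after the first space
    name=${name# }                               # second separator space, if any
    name=${name#\*}                              # optional '*' binary-mode marker
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "${#expected}" -ne 64 ]; then
      printf '%s: improperly formatted checksum line\n' "$line"
      status=1
      continue
    fi
    if [ ! -f "$dir/$name" ]; then
      printf '%s: FAILED open or read\n' "$name"
      status=1
      continue
    fi
    actual=$(sha256_hex "$dir/$name")
    if [ "$actual" = "$expected" ]; then
      printf '%s: OK\n' "$name"
    else
      printf '%s: FAILED\n' "$name"
      status=1
    fi
  done < "$sumsfile"
  return "$status"
}

# Build a constructed fixture: two files plus a SHA256SUMS listing them.
# The second entry is deliberately uppercase to exercise case normalisation.
make_fixture() {
  work=$(mktemp -d)
  : > "$work/empty.bin"                      # digest of empty input
  printf 'Hello World' > "$work/hello.txt"   # no trailing newline
  cat > "$work/SHA256SUMS" <<'EOF'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.bin
A591A6D40BF420404A011733CFB7B190D62C65BF0BCDA32B57B277D9AD9F146E  hello.txt
EOF
  echo "$work"
}

# Verify the clean fixture, then tamper with one file and verify again.
demo() {
  work=$(make_fixture)
  echo "== clean download =="
  if verify_sums "$work/SHA256SUMS"; then echo "exit status 0"; else echo "exit status 1"; fi
  printf 'x' >> "$work/hello.txt"            # simulate a corrupted or altered file
  echo "== after one appended byte =="
  if verify_sums "$work/SHA256SUMS"; then echo "exit status 0"; else echo "exit status 1"; fi
  rm -rf "$work"
}

demo
```

In a deployment script the pattern is simply verify_sums SHA256SUMS || exit 1, placed between the download step and whatever installs or executes the file; the non-zero status stops the pipeline before a corrupted or altered artifact is used.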
When should you bother?
Always verify checksums when downloading: operating system installers, database software, cryptographic tools, firmware, and anything from a mirror site rather than the official publisher. The check is only as trustworthy as the checksum itself, so obtain the published hash from the publisher's own site over HTTPS rather than from the same mirror that served the download. For low-stakes downloads — a free font, a small script — verification is optional but still good practice. The entire process takes about ten seconds and can catch corrupted downloads before they cause problems.