Home / Guides / Verify Downloads

[HOW TO VERIFY DOWNLOADED FILES]

A practical step-by-step guide to verifying file integrity using checksums, with examples from popular software download sites.

By Vladimir Lorentz | Last updated: January 2025 | ~6 min read

[WHY VERIFY YOUR DOWNLOADS?]

Every time you download a file from the internet, you're trusting that what you receive is exactly what the publisher intended to send. But things can go wrong. Files can be corrupted during transfer, mirrors can serve outdated versions, and attackers can intercept downloads to inject malware.

Verifying downloads with checksums protects you from all these risks. It takes less than a minute and gives you certainty that your file is authentic and complete. Security-conscious organizations and software publishers provide checksums specifically so you can verify their downloads.

This guide walks you through the complete process: finding official checksums, calculating the hash of your downloaded file, and interpreting the results.

[STEP 1: FIND THE OFFICIAL CHECKSUM]

Before you can verify a download, you need the official checksum to compare against. Most reputable software publishers provide these on their download pages. Here's where to find them for popular software:

Common Checksum Locations

  • Linux Distributions: Usually on the download page or in a separate file (e.g., SHA256SUMS) alongside the ISO downloads. Ubuntu, Fedora, Debian all provide these prominently.
  • Open Source Software: Check the GitHub releases page, project website, or look for files named CHECKSUMS, SHA256SUMS.txt, or similar.
  • Commercial Software: Often listed on the download page, in the support/documentation section, or sent via email with the download link.
  • Browser Extensions: Major browser stores verify extensions automatically, but you can find checksums on the developer's website for manual verification.

Example: Finding Ubuntu's Checksum

  1. Go to ubuntu.com/download
  2. Click on your desired version
  3. Look for "verify your download" or "checksums" link
  4. Find the SHA-256 hash corresponding to your specific file

# Example from Ubuntu's SHA256SUMS file:

81fae9cc21e2b1e3a9a4526c7dad3131b668e346c580702235ad4d02645d9455 *ubuntu-24.04-desktop-amd64.iso

IMPORTANT:

Always get the checksum from the official source, not from the same place you downloaded the file (if using a mirror). If an attacker compromised the download, they could also change the checksum. The official project website is the trusted source.

[STEP 2: CALCULATE THE FILE'S HASH]

Now that you have the official checksum, calculate the hash of your downloaded file using Hash File Online:

  1. Open Hash File Online

    Go to hash-file.online in your browser

  2. Select Your Downloaded File

    Click the file selection button or drag and drop your downloaded file onto the drop zone. The file name and size will appear to confirm selection.

  3. Choose the Matching Algorithm

    Select the same algorithm used by the publisher. If they provide a SHA-256 checksum, select SHA-256. Using the wrong algorithm will produce a completely different hash.

  4. Click "Calculate Hash"

    The calculation happens entirely in your browser. For large files, you'll see a progress indicator. Your file is never uploaded anywhere.

  5. View Your Result

    The calculated hash appears below. You can copy it to your clipboard with one click.

# Your calculated SHA-256 hash:

81fae9cc21e2b1e3a9a4526c7dad3131b668e346c580702235ad4d02645d9455

[STEP 3: COMPARE THE HASHES]

Now compare your calculated hash with the official checksum. You can do this manually or use the built-in verification feature:

Using Hash File Online's Verification

After calculating a hash, paste the expected checksum into the verification field. The tool will instantly tell you if they match.

Manual Comparison

If comparing manually, check every character carefully. Hashes are case-insensitive (uppercase and lowercase letters are equivalent), but every character must match exactly.

MATCH - File is verified

Official: 81fae9cc...45d9455

Your file: 81fae9cc...45d9455

The file is authentic and unmodified. Safe to use.

MISMATCH - Verification failed

Official: 81fae9cc...45d9455

Your file: 3a7b2f1e...89c2a11

File may be corrupted or tampered with. Do not use.

[WHAT IF THE HASHES DON'T MATCH?]

A hash mismatch means something is wrong. Don't use the file until you resolve the issue. Here's what to check:

  1. Verify you used the correct algorithm

    MD5, SHA-1, SHA-256, and SHA-512 produce completely different hashes. Make sure you selected the same algorithm the publisher used.

  2. Check you're comparing the right file

    Publishers often offer multiple versions (32-bit vs 64-bit, different languages). Ensure the checksum corresponds to your exact file version.

  3. Try downloading again

    The most common cause of mismatch is download corruption. Delete the file and download fresh, preferably from the official source rather than a mirror.

  4. Use a different download mirror

    If re-downloading from the same source fails, try a different mirror or the primary download location.

  5. Check for version updates

    The publisher may have released an updated version with a new checksum. Verify you have the latest checksum for your file version.

SECURITY WARNING:

If you've exhausted these options and hashes still don't match, do not use the file. It may have been tampered with. Contact the software publisher if you need assistance, and report the issue so they can investigate potential security problems with their distribution.

[WHERE TO FIND CHECKSUMS: REAL EXAMPLES]

Here's where popular software publishers list their checksums:

Ubuntu Linux

SHA256SUMS file linked on each download page, plus GPG signatures for additional verification.

Python

python.org/downloads lists MD5 and SHA-256 checksums directly on the download page for each release.

VLC Media Player

SHA-256 checksums available on the download page and in separate checksum files.

7-Zip

SHA-256 hashes listed on the official download page at 7-zip.org.

Node.js

SHASUMS256.txt file available for each release, containing SHA-256 hashes for all downloadable files.

Apache Software

All Apache projects provide SHA-512 checksums and GPG signatures on their download pages.

[BEST PRACTICES]

  • Always verify important downloads—operating systems, security software, development tools, and anything that will have system access.
  • Get checksums from official sources—the publisher's main website, not mirrors or third-party sites.
  • Prefer SHA-256 or SHA-512—if multiple checksum types are available, use the stronger algorithm.
  • Verify before installing—check the hash before running any installer or mounting any disk image.
  • Keep a record—for compliance or audit purposes, export verification reports to document what you verified and when.

[VERIFY A DOWNLOAD NOW]

Ready to verify a file? Use Hash File Online to calculate hashes instantly, directly in your browser with complete privacy.

[START VERIFICATION]

[RELATED GUIDES]