How to Verify a Downloaded File Is Not Corrupted or Tampered With
Learn how to use SHA-256 and MD5 checksums to verify file integrity. Step-by-step guide for Windows, Mac, and online tools.
You download a 2GB software installer. The website shows a string of random-looking characters next to the download button labeled "SHA-256". Most people ignore it. Here is why you should not — and how to check it in 30 seconds.
Why checksums matter
When you download a file, two things can go wrong. First, the download can be corrupted — a few bits flipped during transfer, and your installer silently breaks. Second, someone could have tampered with the file — replacing the real download with malware.
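A checksum protects against both. The software author computes a hash of the original file and publishes it. You compute the hash of the file you downloaded. If they match, the file is identical — bit for bit — to what the author intended. If they do not match, delete the file and download again from a different source. The check is only as trustworthy as the published hash, so take it from the project's official site over HTTPS, not from the mirror or third-party page that served the file.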
Major projects like Ubuntu, Tor Browser, and VeraCrypt all publish checksums. It takes 30 seconds and eliminates the most common vector for malware distribution through downloads.
Method 1: Online Hash Generator (fastest for text)
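Open the hash generator. Paste the text content you want to verify. For small text files, configs, and scripts, copy-paste works. A hash covers the exact bytes, so if pasting changes a line ending or drops a trailing newline, the result will not match the hash of the file on disk. For binary files, use Method 2 or 3.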
Select SHA-256 from the dropdown. The hash appears instantly. Compare it side-by-side with the published checksum using the built-in comparison feature. If they match, your file is verified.
Method 2: Windows (PowerShell)
Get-FileHash -Path "C:\Downloads\file.iso" -Algorithm SHA256
Replace the path with your actual file path. PowerShell prints the hash. Compare it visually with the published one.
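For MD5, which some older projects still publish (it catches accidental corruption but is not collision-resistant, so prefer SHA-256 when both are offered):
Get-FileHash -Path "C:\Downloads\file.iso" -Algorithm MD5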
Method 3: Mac / Linux (Terminal)
shasum -a 256 ~/Downloads/file.iso
For MD5 (on Linux the command is md5sum):
md5 ~/Downloads/file.iso
shasum prints the hash followed by the filename; md5 on macOS prints the filename first and the hash last. Compare the hash with the published checksum. If identical, the file is intact.
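Comparing two 64-character strings by eye is easy to get wrong, so the comparison can be scripted. The following is an added example, not part of the original article: a POSIX shell script for the Mac / Linux method that normalises the published value, rejects anything that is not a 64-digit SHA-256, and returns a non-zero status on mismatch. The function names sha256_of and verify_sha256 and the script name verify.sh are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: verify a download against a published SHA-256 without eyeballing it.
# sha256_of and verify_sha256 are hypothetical helper names, not from the article.

# Print the lowercase hex SHA-256 of a file using whichever tool is installed.
sha256_of() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    # Reading from stdin keeps odd filenames out of the tool's output.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d ' ' -f 1
    else
        echo "no sha256sum or shasum on PATH" >&2; return 2
    fi
}

# Return 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    # Normalise the published value: strip whitespace, fold to lowercase.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # Exactly 64 hex digits, so a truncated paste or an MD5 value is rejected.
    case $expected in
        *[!0-9a-f]*) echo "published value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "published value is not 64 hex digits" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (do not run this file)" >&2
        echo "  published: $expected" >&2
        echo "  computed:  $actual" >&2
        return 1
    fi
}

# Usage: sh verify.sh ~/Downloads/file.iso <published-sha256>
if [ "$#" -eq 2 ]; then verify_sha256 "$1" "$2"; fi
```

Because the script exits non-zero on a mismatch, it can gate an install step in a larger script instead of relying on someone reading the output.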
When you must verify checksums
- Operating system installers: Corrupted ISO = unbootable system
- Password managers and crypto wallets: Tampered installer = all your passwords or money stolen
- BIOS/firmware updates: Corrupted firmware = bricked device
- Privacy tools (Tor, Signal, VPN): Tampered binary = your privacy compromised
- Large downloads over unreliable connections: Corrupted ZIP = mysterious extraction errors
For everything else — casual downloads, media files, documents — checksums are optional. But the 30 seconds it takes to verify can save hours of debugging a corrupted install. Make it a habit for anything security-critical. And the hash generator makes it easy.
Tools mentioned in this article
Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from any text. Also supports MD5 for legacy checks. Compare two hashes side by side to verify file integrity.
MD5 Hash Generator
Generate MD5 hashes from any text input. Shows both lowercase and uppercase versions. While MD5 is not secure for passwords, it remains widely used for checksums and cache keys.
