Check a Download Against Its Checksum
Software download pages often publish a checksum next to the file — a fingerprint you are supposed to verify and almost nobody does, because comparing 64 hex characters by eye is miserable. This tool does the comparison for you: paste the expected value, drop the file, and get an unambiguous match or mismatch. The file is hashed locally and never uploaded.
The actual tool runs in our ad-free secure workspace — nothing on this page processes your file.
Open File Hash Verifier →What this tool does
- Hashes your file locally and compares the result against the expected checksum you paste in.
- Auto-detects the algorithm from the pasted value's length — SHA-256, SHA-384, or SHA-512 — so you don't have to know which is which.
- Accepts common checksum-file formats (like the output of sha256sum), not just bare hex strings.
- Compares case-insensitively and ignores stray whitespace, eliminating the classic copy-paste failure modes.
- Verifies MD5 and SHA-1 values too, for older downloads — clearly labeled as legacy algorithms.
- Delivers a big, unmistakable verdict: match, or mismatch with both values shown.
Your privacy on this tool
Stays on your device
- The file is hashed on your device using streaming, so even huge downloads verify without upload.
- The expected checksum you paste and the comparison result stay in the page.
- Nothing about what you verify — file, hash, or outcome — is transmitted or recorded.
Reaches our server: nothing
This tool makes no upload. Your content is processed entirely in your browser.
How to use it
- Copy the published checksum from the download page (or its .sha256 file).
- Open the verifier at /app/verify-file-hash.
- Paste the expected checksum — the algorithm is detected automatically.
- Drop in the downloaded file and let it hash; large files stream with steady progress.
- Read the verdict: a match means you have the exact published bytes; a mismatch means stop and re-download from the official source.
Common uses
- Verifying an operating system ISO before installing it — the canonical case where a corrupted or tampered image ruins your day.
- Checking installers for security-sensitive software (password managers, wallets, VPN clients) against the vendor's published hashes.
- Confirming a large file transferred completely between machines or from a flaky drive.
- Validating backups against the manifest you generated when creating them.
- Double-checking a file a colleague sent, against the checksum they shared through a different channel.
Supported formats
- Any file type
- Expected values: SHA-256 / SHA-384 / SHA-512 hex, sha256sum-style files; MD5 and SHA-1 as legacy
Works in all modern browsers with WebAssembly; multi-gigabyte ISOs verify comfortably in desktop browsers.
Limitations & security notes
Limitations
- Verification is only as trustworthy as the source of the expected checksum — a hash copied from the same compromised page as the file verifies the attacker's version perfectly.
- A match proves integrity, not intent: the file is exactly what was published, which says nothing about whether what was published is safe.
- Old MD5/SHA-1 values verify against corruption fine, but a capable attacker can forge collisions for both — treat legacy matches with proportionate confidence.
- SecretPNG is in beta and has not been independently audited.
Security notes
- Ideally the checksum should come from a different channel than the file — the project's HTTPS site for the hash, a mirror for the download — so one compromise cannot cover both.
- Never trust a checksum shown inside the same email or message that carried the file attachment; verify against the sender's independent public source.
- Mismatch means stop, not shrug: re-download once from the official source, and if it still mismatches, alert the publisher rather than installing anyway.
- Programmatic comparison beats eyeballing — humans reliably check the first and last characters and skim the middle, which is exactly where truncation-related differences hide.
Frequently asked questions
- The checksums don't match. What should I do?
- Do not open or install the file. First re-download from the official source — most mismatches are truncated or corrupted downloads, especially over unstable connections. Verify the fresh copy. If it still mismatches, make sure you copied the right published value (right file, right version, right algorithm), and if everything checks out and it still fails, treat the file as untrustworthy and contact the publisher.
- Where do I find the expected checksum for my download?
- Usually on the download page itself, in a file named something like SHA256SUMS next to the download, or in the project's release notes. Prefer values served over HTTPS from the project's own domain. If a project offers signed checksum files, that is stronger still — though signature verification is beyond this tool's scope.
- Does a matching checksum mean the file is safe to run?
- No — it means the file is exactly what the publisher hashed, unaltered in transit. If the publisher's own build was compromised, or you fetched a hash from an attacker's page, a perfect match verifies the wrong thing faithfully. Matching is necessary for trust, not sufficient; it removes in-transit tampering and corruption from your list of worries.
- Why does the tool accept lowercase and uppercase hashes?
- Hex is case-insensitive — ABC123 and abc123 encode identical bytes — but different tools publish in different cases, and a naive string comparison would call them mismatched. The verifier normalizes case and trims whitespace so formatting differences never masquerade as integrity failures.
- Can I verify a hash from years ago in MD5?
- Yes — paste it and the tool will detect and check it, with a legacy warning attached. Against accidental corruption, an MD5 match is still meaningful. Against a deliberate attacker, it is weak: MD5 collisions are trivially constructible. Judge the result according to which threat you actually care about.
Related tools
Last reviewed: 2026-07-14Open File Hash Verifier
SecretPNG is in beta and has not been independently audited. Security status.