A checksum is a fixed-length hash value derived from a file's contents using an algorithm like SHA-256. Any change to the file — even a single bit — produces a completely different hash. Publishers compute checksums of official releases so users can verify their download is identical to the original.

How do I verify a checksum on the command line?

On Linux/macOS: sha256sum file.iso (or shasum -a 256 file.iso). On Windows: certutil -hashfile file.iso SHA256. Compare the output to the published checksum.

What does a checksum mismatch mean?

A mismatch means your file is different from the one the publisher signed. This can indicate: a corrupted download (try downloading again), a tampered file on a compromised mirror, or that you're comparing against the wrong checksum. Do not execute a mismatched file.

Is SHA-1 still safe for checksum verification?

SHA-1 is deprecated for security purposes due to known collision attacks (demonstrated in 2017 by SHAttered). For casual integrity checks (not security), SHA-1 can still detect accidental corruption. For any security-sensitive verification, use SHA-256 or SHA-512.

guide

How to Verify a File Checksum in Your Browser (2026)

Last updated: 11 June 2026

You can verify a file checksum without uploading the file by using a client-side tool like brevio File Checksum Verifier — it computes SHA-256, SHA-512, and MD5 hashes entirely in your browser using the Web Crypto API, generating zero network requests during hashing.

To confirm this yourself: open Chrome DevTools (F12), go to the Network tab, clear the log, then drop a file into the tool. No requests appear. The file never leaves your browser.

What Is a Checksum?

A checksum (or hash) is a fixed-length string derived from a file's contents using a one-way mathematical function. If even a single byte in the file changes — whether from corruption, truncation, or tampering — the hash output changes completely. This makes checksums a reliable way to verify that a file you downloaded is exactly what the publisher released.

Software publishers compute a hash of the official file before releasing it, then publish that hash alongside the download link. When you download the file, you compute the hash yourself and compare. A match means the file is intact and unmodified. A mismatch means something went wrong.

How to Verify a Download Using SHA-256

Find the published checksum. Go to the software's official download page. Look for a "SHA-256" or "checksums" link, usually near the download button. Copy the expected hash string.
Open the verifier. Go to brevio File Checksum Verifier. No account or installation required.
Open DevTools to verify (optional). Press F12, Network tab, clear entries — this confirms zero network requests during hashing.
Drop your downloaded file. Drag the file onto the tool. The browser reads the file bytes locally using the Web Crypto API and computes the hash.
Paste the expected hash. Enter the hash you copied from the publisher's site into the "Expected hash" field. The tool compares automatically and shows a pass or fail result.

SHA-1 vs SHA-256 vs SHA-512

Algorithm	Output length	Security status	Typical use cases
MD5	128 bits (32 hex chars)	Broken — do not use for security	Legacy checksums only; fast but collisions are trivial
SHA-1	160 bits (40 hex chars)	Deprecated — collision attacks demonstrated	Old package mirrors; avoid for new use
SHA-256	256 bits (64 hex chars)	Secure — current standard	Software downloads, package managers, TLS certificates
SHA-512	512 bits (128 hex chars)	Secure — stronger than SHA-256	High-security contexts; overkill for most download verification

For most download verification tasks, SHA-256 is the right choice. If the publisher only offers MD5 or SHA-1, it's better than nothing for detecting accidental corruption, but neither should be trusted to detect deliberate tampering.

Where to Find Published Checksums

Publishers place checksums in different locations depending on their release process. Common places to look: a SHA256SUMS or checksums.txt file linked near the download button; a "Verify" or "Integrity" section on the download page; the project's GitHub Releases page (often attached as a release asset); or the package manager registry (npm, PyPI, Homebrew all publish hashes).

If a publisher does not provide a checksum, you can still compute the hash to detect future corruption — store the hash immediately after downloading from a trusted source and re-verify before each use.

Command-Line Equivalents

# Linux / macOS — SHA-256
sha256sum file.iso

# Linux / macOS — SHA-512
sha512sum file.iso

# macOS (built-in shasum)
shasum -a 256 file.iso
shasum -a 512 file.iso

# Windows (PowerShell / certutil)
certutil -hashfile file.iso SHA256
certutil -hashfile file.iso SHA512

# Compare against expected hash (bash)
echo "expectedhash  file.iso" | sha256sum --check

What a Mismatch Means

A checksum mismatch has two possible causes: accidental corruption or deliberate tampering.

Accidental corruption is more common. It happens when a download was interrupted, a disk sector failed, or a CDN served a partial or cached file incorrectly. In this case, delete the file and re-download from the official source. Verify the hash again before using the file.

Deliberate tampering is rarer but more serious. It can happen if you downloaded from a mirror site rather than the official source, if DNS was hijacked to redirect you to a malicious server, or if the publisher's distribution infrastructure was compromised. If you suspect tampering, do not open or execute the file. Report the discrepancy to the publisher and download from an alternative verified source.

Related tools: Hash Generator
Related guide: How to Generate a Hash

Frequently Asked Questions

What is a checksum?: A checksum is a fixed-length hash value derived from a file's contents using an algorithm like SHA-256. Any change to the file — even a single bit — produces a completely different hash. Publishers compute checksums of official releases so users can verify their download is identical to the original.
How do I verify a checksum on the command line?: On Linux/macOS: sha256sum file.iso (or shasum -a 256 file.iso). On Windows: certutil -hashfile file.iso SHA256. Compare the output to the published checksum.
What does a checksum mismatch mean?: A mismatch means your file is different from the one the publisher signed. This can indicate: a corrupted download (try downloading again), a tampered file on a compromised mirror, or that you're comparing against the wrong checksum. Do not execute a mismatched file.
Is SHA-1 still safe for checksum verification?: SHA-1 is deprecated for security purposes due to known collision attacks (demonstrated in 2017 by SHAttered). For casual integrity checks (not security), SHA-1 can still detect accidental corruption. For any security-sensitive verification, use SHA-256 or SHA-512.