File Checksums: How to Protect From Corrupted Downloads
Ever downloaded a file only to find it won't open or behaves strangely? Or worried that software you downloaded might have been tampered with? File checksums solve both problems.
The problem: silent data corruption
When you download a file, especially a big one, stuff can go wrong. Network hiccups, connection drops, faulty hardware, or even someone deliberately messing with the data before it reaches you.
Scary part? Your computer won't always warn you. A corrupted PDF might open but be missing pages. A broken software installer might run but crash later. An altered security tool could have malware baked in.
Checksums fix this.
What is a checksum?
A checksum is basically a fingerprint for a file. It's a short string of characters (like a1b2c3d4e5f6...) that mathematically represents the entire file.
Same file in, same checksum out, every single time. Different files produce different checksums. And even a tiny change, a single flipped bit, creates a completely different string. That last part is what makes them useful.
If you have the original checksum (from the software publisher) and calculate the checksum of your downloaded file, they should match exactly. If they don't, something is wrong with your copy.
Real world example: downloading Linux
Let's walk through a practical scenario. You want to download Ubuntu Linux:
- You grab ubuntu-24.04.iso (about 5GB)
- On Ubuntu's website, they publish SHA-256 checksums alongside the download:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *ubuntu-24.04.iso
- You use a tool to generate the SHA-256 hash of your downloaded file
- If they match character for character, your download is good. If they differ, something went wrong. Delete it and download again.
Match = safe
When checksums match, you can be confident that:
- The file wasn't corrupted during download
- The file is exactly what the publisher intended
- No one has tampered with the file in transit
Types of checksums
You'll encounter several checksum algorithms. Here are the most common:
MD5 (128-bit)
Fast and widely used, but cryptographically broken. Still acceptable for detecting accidental corruption, but shouldn't be trusted for security-critical verification.
SHA-1 (160-bit)
Better than MD5, but also has known vulnerabilities. Being phased out in favor of SHA-256.
SHA-256 (256-bit)
The current standard. No known vulnerabilities, recommended for all security applications. This is what you should use for verifying software downloads.
SHA-512 (512-bit)
Even more secure than SHA-256, but rarely necessary. Sometimes used for password hashing or high-security applications.
When to use checksums
You should always verify checksums for operating system downloads (Linux ISOs, Windows installers), security software like antivirus or VPN clients, development tools, anything over 1GB, and anything you grabbed from a third-party mirror instead of the official site.
It's also worth doing for software updates if auto-update seems to be acting up, important documents you transferred via USB or cloud, and archived backups you're digging up years later.
Trust the source
A checksum only proves the file matches what the checksum publisher intended. If you get both the file AND the checksum from a compromised source, verification won't help. Always get checksums from official websites.
How to generate and verify checksums
On Windows:
Open PowerShell and use the built-in Get-FileHash command:
Get-FileHash -Algorithm SHA256 .\filename.iso
On macOS:
Open Terminal and use the shasum command:
shasum -a 256 filename.iso
On Linux:
Open Terminal and use sha256sum:
sha256sum filename.iso
Or use a web tool:
If command lines aren't your thing, you can use browser-based tools like FileMint's hash generator. Just drag your file into the browser. It calculates the checksum locally without uploading anything.
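The commands above only print a hash, which leaves you comparing 64 characters by eye. As an added example (not from the original article), this shell function for Linux and macOS looks up a file's entry in a publisher's checksum list and compares it with the locally computed SHA-256. The function names, the script name `verify.sh` and the list name `SHA256SUMS` are assumptions.

```shell
#!/bin/sh
# Added example: check one download against a publisher's checksum list.
# Assumed list format, one entry per line (as in the Ubuntu example above):
#   <64 hex chars> *<filename>   or   <64 hex chars>  <filename>

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1      # Linux
    else
        shasum -a 256 "$1" | cut -d' ' -f1  # macOS
    fi
}

# verify_download FILE SUMS
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
verify_download() {
    file=$1
    sums=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ -f "$sums" ] || { echo "no such checksum list: $sums" >&2; return 2; }
    name=$(basename "$file")
    # Find the entry whose filename matches exactly; strip the hash and the
    # separator (space plus " " or "*") so names containing spaces still work.
    expected=$(awk -v n="$name" '
        { h = $1; f = $0; sub(/^[^ ]+ [ *]/, "", f) }
        f == n { print tolower(h); exit }' "$sums")
    # Refuse a missing or malformed entry instead of treating it as a pass.
    case $expected in
        ""|*[!0-9a-f]*) echo "no valid entry for $name in $sums" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "entry for $name is not SHA-256" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (delete it and download again)" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Run directly as (hypothetical script name): sh verify.sh ubuntu-24.04.iso SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

On Linux, `sha256sum -c SHA256SUMS --ignore-missing` performs the same check natively; the function above also distinguishes "not listed" from "mismatch" through its exit code.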
What if checksums don't match?
If your calculated checksum doesn't match the official one:
- Delete the file immediately and don't try to use it
- Download again, preferably from a different mirror or at a different time of day
- Try a different browser or download manager (some have known download bugs)
- Check your connection: spotty WiFi or VPN issues can cause corruption
- If multiple downloads keep failing, scan for malware. Your system might be compromised
If downloads consistently fail, try a wired connection or a different network entirely.
Checksums vs digital signatures
Checksums verify integrity (the file wasn't changed) but not authenticity (who created it). Digital signatures give you both. Roughly speaking, they're checksums signed with the publisher's private key, which anyone can check using the publisher's public key.
Many software projects offer both. If available, verify the digital signature first since it's more secure. Checksums alone are still useful when signatures aren't provided or are too complex to verify.