File Checksums: How to Protect From Corrupted Downloads
Ever downloaded a file only to find it won't open or behaves strangely? Or worried that software you downloaded might have been tampered with? File checksums solve both problems.
The Problem: Silent Data Corruption
When you download a file, especially a large one, things can go wrong. Network hiccups, dropped connections, faulty hardware, or a malicious party can alter the data before it reaches you.
Scary part? Your computer won't always warn you. A corrupted PDF might open but be missing pages. A broken software installer might run but crash later. An altered security tool could have malware baked in.
This is where checksums come in.
What Is a Checksum?
A checksum is basically a unique fingerprint for a file. It's a short string of characters (like a1b2c3d4e5f6...) that mathematically represents the entire file.
The key properties are:
- Deterministic: The same file always produces the same checksum
- Unique: Different files produce different checksums (for a secure algorithm, finding two files with the same checksum is computationally infeasible)
- Sensitive: Even a tiny change creates a completely different checksum
If you have the original checksum (from the software publisher) and calculate the checksum of your downloaded file, they should match exactly. If they don't, something is wrong with your copy.
Real-World Example: Downloading Linux
Let's walk through a practical scenario. You want to download Ubuntu Linux:
- Download the file: You grab ubuntu-24.04.iso (about 5GB)
- Find the official checksum: On Ubuntu's website, they publish SHA-256 checksums:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *ubuntu-24.04.iso
- Calculate your file's checksum: Use a tool to generate the SHA-256 hash of your downloaded file
- Compare: If they match character-for-character, your download is good. If they differ, something went wrong: delete it and download again.
Match = Safe
When checksums match, you can be confident that:
- The file wasn't corrupted during download
- The file is exactly what the publisher intended
- No one has tampered with the file in transit
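The walkthrough above, as an added example that is not part of the original article: it streams a file through SHA-256 (so a multi-gigabyte ISO never has to fit in memory), parses the "hash *filename" line format shown in the Ubuntu example, compares the two values in full, and then corrupts a single byte to show how sensitive the checksum is. The file name example.iso and its contents are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a 5 GB ISO never has to fit in memory

def sha256_of_file(path):
    """Lowercase hex SHA-256 of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse 'hash *filename' (binary) or 'hash  filename' lines, as in a SHA256SUMS file."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        sums[name.lstrip("*").strip()] = digest.lower()  # '*' is the binary-mode marker
    return sums

def verify(path, sums_text):
    """True only if the file's SHA-256 matches its published entry character-for-character."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # no published checksum for this filename: nothing to compare against
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo():
    """Constructed sample: a fake download, its checksum line, then a single corrupted byte."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")  # placeholder name, not a real image
        with open(iso, "wb") as f:
            f.write(b"installer bytes " * 4096)
        sums_text = "%s *example.iso\n" % sha256_of_file(iso)
        ok_before = verify(iso, sums_text)
        with open(iso, "r+b") as f:  # overwrite one byte, as a bad transfer might
            f.seek(1000)
            f.write(b"X")  # the original byte at this offset is 'r'
        return ok_before, verify(iso, sums_text)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first value is the intact file verifying, the second is the same checksum line rejecting the file after one byte changed.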
Types of Checksums
You'll encounter several checksum algorithms. Here are the most common:
MD5 (128-bit)
Fast and widely used, but cryptographically broken. Still acceptable for detecting accidental corruption, but shouldn't be trusted for security-critical verification.
SHA-1 (160-bit)
Better than MD5, but also has known vulnerabilities. Being phased out in favor of SHA-256.
SHA-256 (256-bit)
The current standard. No known vulnerabilities, recommended for all security applications. This is what you should use for verifying software downloads.
SHA-512 (512-bit)
Even more secure than SHA-256, but rarely necessary. Sometimes used for password hashing or high-security applications.
When to Use Checksums
Always Verify:
- Operating system downloads: Linux ISOs, Windows installers
- Security software: Antivirus, VPNs, encryption tools
- Development tools: Compilers, IDEs, libraries
- Large files: Anything over 1GB is more likely to have transfer errors
- Files from mirrors: Third-party download sites may host modified versions
Nice to Verify:
- Regular software updates: If auto-update seems to fail
- Shared important files: Documents transferred via USB or cloud
- Archived files: Verifying backups years later
Trust the Source
A checksum only proves the file matches what the checksum publisher intended. If you get both the file AND the checksum from a compromised source, verification won't help. Always get checksums from official websites.
How to Generate and Verify Checksums
On Windows:
Open PowerShell and use the built-in Get-FileHash command:
Get-FileHash -Algorithm SHA256 .\filename.iso
On macOS:
Open Terminal and use the shasum command:
shasum -a 256 filename.iso
On Linux:
Open Terminal and use sha256sum:
sha256sum filename.iso
Or Use a Web Tool:
If command lines aren't your thing, you can use browser-based tools like FileMint's hash generator. Just drag your file into the browser—it calculates the checksum locally without uploading anything.
What If Checksums Don't Match?
If your calculated checksum doesn't match the official one:
- Delete the file immediately — don't try to use it
- Download again — preferably from a different mirror or time of day
- Use a different browser or download manager — some browsers have download bugs
- Check your connection — spotty WiFi or VPN issues can cause corruption
- Scan for malware — if multiple downloads fail, your system might be compromised
If downloads consistently fail, try a wired connection or a different network entirely.
Checksums vs Digital Signatures
Checksums verify integrity (the file wasn't changed), but not authenticity (who created it). Digital signatures provide both: the publisher signs the file's checksum with their private key, and anyone holding the matching public key can confirm both that the file is unchanged and that it came from that publisher.
Many software projects offer both. If available, verify the digital signature first, as it's more secure. Checksums alone are still valuable when signatures aren't provided or are too complex to verify.