Home » Wiki » How to Check a File Checksum: Everything You Need to Know About It

How to Check a File Checksum: Everything You Need to Know About It

by | Code Signing

How to Check File Checksum

Steps to Check File Checksum on Different Platforms

Verifying a file’s integrity is important. To check a file checksum, first identify the cryptographic hashing algorithm originally used to generate the checksum value, such as MD5 or SHA-1.

On Windows, open PowerShell and use the appropriate ‘Get-FileHash’ command to generate a new checksum for the file you want to check.

On Mac or Linux, use terminal commands like ‘md5sum’ or ‘sha1sum’. Compare the newly generated checksum to the original value provided for the file.

If they match, the file contents have not changed. If not, the file may have been altered or corrupted. Regularly checking file checksums ensures your important downloads and copies remain intact over time.

Key Takeaways

  • Checksums are cryptographic hash values that act like digital fingerprints for files. They let you verify that a file has not changed.
  • Checksums are used to validate downloads, detect data corruption, and verify data integrity in industries like legal, financial, and healthcare.
  • Popular checksum algorithms include MD5, SHA-1, SHA-256, SHA-512, CRC32, and others. MD5 is now considered insecure.
  • You can generate checksums for files using desktop tools, command line utilities, and online checksum generators.
  • To verify a checksum, calculate the checksum on your file and compare it to the checksum provided by the source. If they match, the file integrity is verified.

What is a Checksum, and Why Use One?

A checksum is a cryptographic hash value that acts as a digital fingerprint for a file or set of data. Checksums are calculated by running the data through a cryptographic algorithm, which generates a short hexadecimal string known as the checksum.

Some examples of checksums:

  • MD5: d27e9f1571fcd0aae3a45b31a3c7e1d8
  • SHA-256: 3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1

Checksums have several important uses:

  • Validating file integrity: Checksums verify that a file has not been changed accidentally or maliciously. Comparing checksums lets you check that two files are identical.
  • Validating downloads: Software distributions provide checksums to validate that a downloaded file or ISO matches the original. This catches errors or corruption.
  • Data integrity: Checksums are used in fields like legal, financial, and healthcare to validate data integrity and satisfy regulatory requirements.
  • Tamper detection: If a file’s checksum does not match the expected value, it indicates the file was altered or corrupted in transit.
  • Identifier: Checksums provide a unique identifier to distinguish between files with the same name.

List of Checksum Algorithms

Different cryptographic hash functions are used to generate checksums. Some popular algorithms include:

  • MD5: MD5 (Message-Digest algorithm 5) generates a 128-bit hash and renders it as a 32-character hexadecimal string. It is fast but now considered insecure for cryptography.
  • SHA1: SHA1 (Secure Hash Algorithm 1) creates a 160-bit hash rendered as a 40-character hexadecimal string. It is more secure than MD5 but can have collisions.
  • SHA256: SHA256 is widely used and trusted. It generates a 256-bit hash (64-character string) and is part of the SHA2 family along with SHA384 and SHA512.
  • SHA512: SHA512 generates a highly secure 512-bit hash (128 characters). It is slower than SHA256 but offers collision resistance.
  • CRC32: CRC32 (Cyclic Redundancy Check) is a non-cryptographic hash used for data integrity and error detection—32 bits and rendered in 8 hex characters.

Other less common algorithms include RIPEMD, Tiger, Whirlpool, and more.

Which Checksum Algorithm Should You Use?

  • SHA256 is recommended for most general file checksum uses. It provides strong security and faster performance than SHA512 and is widely supported.
  • SHA1 is still used in some applications but has collisions. Use SHA256 for more security.
  • MD5 should be avoided for cryptographic uses since it’s compromised. It still has value for data integrity.
  • SHA512 provides maximum security but is slower. Useful for highly sensitive data.
  • CRC32 is best for error checking but not for cryptographic security.

The level of security needed depends on your specific requirements. For most needs today, SHA256 hits the sweet spot between security and speed. Next, we’ll cover how to generate checksums.

A Step-by-Step Guide to Generate Checksums on Windows

On Windows, you can easily create checksums for files using the built-in CertUtil command line program.

Here are the steps:

  • Open Command Prompt. You can launch it by typing “cmd” in the Windows search box.
  • Navigate to the folder location of your file.
  • For example:
cd C:\Users\MyUser\Downloads
  • Run the CertUtil command to generate the checksum. Specify the algorithm and the file name:
certutil -hashfile filename.zip SHA256

This will print out the selected checksum for that file.

For example, to generate the SHA256 sum for install.exe, you would run:

certutil -hashfile install.exe SHA256
SHA256 hash of file install.exe:
3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1

CertUtil: -hashfile command completed successfully.

The checksum is displayed below the “SHA256 hash of file” line.

You can also generate MD5 and other checksums by changing the algorithm name.

A Step-by-Step Guide to Generate Checksums on Mac

On Mac OS, you can use the built-in shasum command to generate checksums via the Terminal.

To generate a SHA256 checksum on a Mac:

  • Open Terminal
  • Navigate to the folder with your file. For example:
cd Downloads
  • Run shasum with the -a flag to specify SHA256, and provide the file name:
shasum -a 256 downloaded-file.zip

This will print out the SHA256 checksum for that file.

To get the MD5 checksum, use the -a flag with a value of 1:

shasum -a 1 downloaded-file.zip

You can also use graphical checksum utilities on Mac, like HashTab or QuickHash, to generate checksums easily by dragging and dropping files.

A Step-by-Step Guide to Generate Checksums on Linux

On Linux distributions, you can generate checksums from the command line using utilities like sha256sum, md5sum, sha1sum, etc.

For example, to generate the SHA256 checksum on a file:

sha256sum downloaded-file.iso

To get the MD5 sum:

md5sum downloaded-file.iso

This will print the checksum along with the file name.

Many Linux GUIs also provide checksum tools. For example, right-clicking a file in Nautilus and going to Properties -> Hashes will generate the checksum.

Free Online Checksum Tools

Many free online tools can generate checksums from files. They allow you to upload a file or paste content and will calculate the checksum using algorithms like MD5, SHA256, CRC32, etc.

Some popular online checksum generators include:

These tools are handy when you want to generate a checksum but don’t have direct access to the file, like when downloading a file on another computer.

To use an online checksum tool:

  • Go to the website and select the checksum algorithm you want.
  • Upload your file or paste the content.
  • The website will calculate the checksum and display it onscreen.
  • You can then copy this checksum to verify against the original file.

Online checksum tools make it easy to generate checksums from anywhere with a browser.

How to Verify Checksums on Files

Once you have a checksum from the source, you can verify it against your downloaded file or data:

  • Recalculate the checksum: Generate the checksum on your copy using the same algorithm originally used.
  • Compare the checksum values: Check if the newly generated checksum matches the original checksum provided.
  • If they match, the file integrity is verified, and the file has not been changed.
  • If they don’t match, the file will not match the original. It may be corrupted or modified. Re-download to get a proper copy.

For example, you download a software installer ISO that has a SHA256 checksum of:

3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1

You run the SHA256 algorithm on the downloaded ISO file, and it generates the checksum:

3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1

Since the checksums match, this verifies the integrity of the downloaded file. It matches the original.

If the checksums do NOT match, then the downloaded file is different from the source and could be corrupted. You should re-download it to get a proper copy.

This simple checksum verification process provides an important way to validate the authenticity and integrity of downloaded files and data.

Why Validate Checksums on Downloads?

There are a few key reasons why you should validate checksums when downloading files:

  • Detect corruption: Verify downloads have not been corrupted during transit. Matching the checksums ensures you have an exact copy.
  • Prevent tampering: Checksums detect if files have been maliciously altered or hacked, protecting against viruses and trojans.
  • Avoid errors: Even minor download errors that affect 1 byte will be caught by a checksum mismatch.
  • Validate source: Matching checksums mean the download came from the intended source and has not been faked or spoofed.
  • Compliance: In regulated industries, checksums provide audit trails to demonstrate data integrity.

For these reasons, checksums are used for download integrity verification on Linux ISO images, software installers, database backups, media files, documents, and any files where authenticity matters. Get in the habit of checking!

Real-World Examples of Checksum Uses

To understand the practical application of checksums, here are some examples from different industries:

  • Software downloads: Software projects like Linux distributions provide checksums for ISO images to validate the download. This catches errors and verifies the source image.
  • File storage: Cloud backup services like Dropbox use checksums to detect file changes and sync the right versions across devices.
  • Forensic evidence: Law enforcement validates the chain of custody of evidence files using checksums, which demonstrate that the evidence is unchanged.
  • Financial data: Checksums are calculated on transactions, statements, and databases to validate financial data integrity and meet compliance.
  • Scientific data: Research data sets are preserved using checksums to detect changes and errors as data is processed and stored long-term.
  • Healthcare systems: Medical records, imaging files, and genomic data rely on checksums to verify authenticity and satisfy health regulations.

These examples demonstrate the widespread use of checksums as vital integrity checks for data security, validity, and trustworthiness across industries and applications.

Final Thoughts

Checksum verification provides a fast and convenient way to validate file integrity. By generating checksums with cryptographic algorithms like SHA256 and comparing them against known values, you can easily check for errors and authenticate downloads.

Whether you are installing software, transferring sensitive data, or want to be sure a download is completed properly, adding checksum confirmation to your process helps catch issues. This protects against corruption, tampering, and mistakes.

While checksums do not guarantee 100% security or authenticity, checking them should be standard practice when you need to validate the accuracy of file transfers and storage. Choose secure algorithms like SHA256, use checksum tools built into your operating system or available online, and get in the habit of verifying hashes whenever you download important files.

Frequently Asked Questions

What is the difference between checksums, hashes, and digital fingerprints?

Checksums, hashes, and digital fingerprints refer to the same thing: the cryptographic hash value generated from a file. They are different names for the checksum algorithm output.

Can checksums be reversed to reveal file contents?

No, cryptographic checksum algorithms are one-way functions. It is not possible to reverse a checksum to retrieve the original file contents. The only way is to guess possible inputs and check if they produce the same checksum output.

What is a checksum collision?

A checksum collision occurs when two different files produce the same checksum output. Some older algorithms, like MD5 and SHA1, have known collisions and are no longer suitable for cryptography. The SHA2 algorithms, like SHA256, prevent collisions.

How are checksums generated?

Checksums are produced by running the file contents through a cryptographic hashing algorithm. This processes the data in blocks, producing a fixed-length string output based on the file contents as input, but it is not reversible.

Can a corrupted file still have the same checksum?

It’s highly unlikely that a corrupted file will randomly have the same checksum as the original. Checksum algorithms are designed to diffuse tiny changes in input data across the output thoroughly. Even a tiny 1-bit change results in a completely different checksum value.

What is a CRC32 checksum?

CRC32 (Cyclic Redundancy Check) is a lightweight error detection checksum algorithm. It is non-cryptographic and more likely to have collisions. CRC32 is suitable for detecting accidental data corruption but not for verifying file authenticity or integrity.

What is a “salted” checksum?

A salted checksum appends random data (the salt) to the file contents before generating the hash. This protects against pre-calculated checksum attacks. Salting is used in password hashing, but it is optional for simple file checksums.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.