OPTools OP
Back to Blog
Security

Verify File Integrity With SHA-256 Checksum โ€” Detect Modified Files

2026-06-04 4 min read

SHA-256 checksums confirm a downloaded file is exactly what was published. Here is how to compute and compare checksums in your browser.

You download a large file: a Linux ISO, a software installer, a dataset. How do you know it arrived intact and hasn't been tampered with? SHA-256 checksums are how. Here's what they are and how to use them.

What a checksum is

A checksum is a fixed-length string produced by running a file through a hash function. SHA-256 produces a 64-character hexadecimal string regardless of whether the input is 1 KB or 10 GB. If even one bit of the file changes, the hash output changes completely and unpredictably.

Software publishers compute the hash of the file before distributing it and publish the hash on their website. After you download the file, you compute the hash yourself and compare the two values. If they match, the file is exactly what they published. If they don't match, either the download was corrupted or the file was modified.

How to verify a file with our tool

Our Hash Generator computes SHA-256 (and other hash types) for any file you drop in, entirely in the browser. The file never leaves your machine. To verify a download:

  1. Find the SHA-256 hash published by the software developer (usually next to the download link)
  2. Drop your downloaded file into the Hash Generator and select SHA-256
  3. Compare the output to the published hash character by character, or use your browser's Ctrl+F to search for the hash string
  4. If they match exactly, the file is authentic. If even one character differs, discard the file.

When verification matters most

  • Operating system ISOs: a tampered OS image could install malware with root access
  • Software installers from less mainstream sources: official sites are generally safe, third-party mirrors less so
  • Sensitive datasets: if you receive a dataset that you'll use for analysis, verifying it confirms the data you received matches what was sent
  • Software updates in corporate environments: verifying installers before deployment is good IT practice

SHA-256 vs. MD5 for verification

MD5 is still published by some sites because it's been around longer. MD5 is cryptographically broken (you can create two different files with the same MD5 hash), but for simple corruption detection (not active attack), it still works. SHA-256 is better and should be preferred. SHA-512 is stronger still but slower to compute.

sha256 checksum file integrity verify

More Articles

Security

Password Security in 2026: What Makes a Password Truly Strong?

Security

Two-Factor Authentication (2FA): The Complete Beginner's Guide