Verify File Integrity with SHA-256: Detect Tampering and Corruption
Comparing a file's SHA-256 hash against a published checksum confirms the file is authentic and unmodified. Here is how file integrity verification works.
You've downloaded a large file and you want to confirm you got exactly what you expected, not a corrupted download or a tampered version. SHA-256 file hashing is the standard way to do this, and it works in every major programming language and OS.
How file hash verification works
A hash function takes any input (in this case, a file) and produces a fixed-length output called a digest. The SHA-256 digest is always 64 hexadecimal characters. If the file changes even one bit, the hash changes completely. Two identical files always produce identical hashes.
The publisher calculates the hash of the file before distributing it and publishes that hash value. You download the file, calculate its hash, and compare. If they match, you have an exact copy.
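The publish-and-compare step above, as an added Node.js example (not code from the original page): it parses a checksum list in the format sha256sum prints, hashes the data in chunks, and reports a file with no published entry as "unlisted" rather than as a pass. The function names and the sample.bin entry are constructed for illustration.

```javascript
// Parse checksum-list text in the format sha256sum prints:
// "<64 hex>  <name>" (text mode) or "<64 hex> *<name>" (binary mode).
function parseChecksums(text) {
  const table = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]{64}) [ *](.+)$/.exec(line);
    // Lowercase so uppercase hex (as Get-FileHash prints) still compares equal.
    if (m) table.set(m[2], m[1].toLowerCase()); // malformed lines are skipped
  }
  return table;
}

// Hash any async iterable of byte chunks. A Node.js read stream is one, so a
// multi-gigabyte ISO is hashed piece by piece instead of being loaded whole.
async function sha256Chunks(chunks) {
  const { createHash } = await import("node:crypto");
  const hash = createHash("sha256");
  for await (const chunk of chunks) hash.update(chunk);
  return hash.digest("hex");
}

// Result is "match", "mismatch", or "unlisted" (no checksum published for name).
async function verifyChunks(name, chunks, checksumText) {
  const expected = parseChecksums(checksumText).get(name);
  if (expected === undefined) return "unlisted"; // never treat this as a pass
  return (await sha256Chunks(chunks)) === expected ? "match" : "mismatch";
}

// Convenience wrapper for a file on disk, looked up by its base name.
async function verifyFile(path, checksumText) {
  const { createReadStream } = await import("node:fs");
  const { basename } = await import("node:path");
  return verifyChunks(basename(path), createReadStream(path), checksumText);
}

// Constructed sample: one entry, the SHA-256 of the three bytes "abc".
const SAMPLE_SUMS =
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *sample.bin\n";
async function* sampleChunks(parts) {
  for (const p of parts) yield Buffer.from(p);
}
async function demo() {
  return [
    await verifyChunks("sample.bin", sampleChunks(["a", "bc"]), SAMPLE_SUMS),
    await verifyChunks("sample.bin", sampleChunks(["abd"]), SAMPLE_SUMS),
    await verifyChunks("other.bin", sampleChunks(["abc"]), SAMPLE_SUMS),
  ];
}
demo().then((results) => console.log(results.join(", ")));
```

For a real download, pass the publisher's checksum file contents and the local path to verifyFile.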
Verifying file hashes on the command line
# macOS / Linux
sha256sum ubuntu-24.04.iso
# or
shasum -a 256 ubuntu-24.04.iso
# Windows (PowerShell)
Get-FileHash ubuntu-24.04.iso -Algorithm SHA256
# macOS also has shasum
shasum -a 256 myfile.zip
Computing SHA-256 in Node.js
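import { createHash } from "crypto";
import { readFileSync } from "fs";
// Returns the SHA-256 digest of the file at `path` as a lowercase hex string.
// readFileSync loads the whole file into memory before hashing.
function sha256File(path) {
  const buffer = readFileSync(path);
  return createHash("sha256").update(buffer).digest("hex");
}
const hash = sha256File("./myfile.zip");
console.log(hash);
// Prints a 64-character hex digest. For example, an empty file gives:
// "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SHA-256 in the browser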
// Returns the SHA-256 digest of a File or Blob as a lowercase hex string.
async function sha256File(file) {
  const buffer = await file.arrayBuffer();
  const hashBuffer = await crypto.subtle.digest("SHA-256", buffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  // Convert each byte to two hex characters
  return hashArray.map(b => b.toString(16).padStart(2, "0")).join("");
}
// Use with an input[type=file]
const input = document.querySelector("input[type=file]");
input.addEventListener("change", async (e) => {
  const hash = await sha256File(e.target.files[0]);
  console.log(hash);
});
SHA-256 vs MD5 for file verification
MD5 is fast and still widely used for file checksums, but it has known collision vulnerabilities. For anything security-related (verifying signed software downloads, for example), use SHA-256. For simple corruption detection where security isn't a concern, MD5 works fine.
Hash any text string with our Hash Generator.