QuickWand
← All guides

How to Verify a File or Text SHA-256 Checksum

You download an installer, an ISO, or a release archive, and the download page lists a long hex string labeled SHA-256 next to it. That is a checksum— a fingerprint of the exact bytes the publisher released. Verifying it confirms your copy arrived intact and was not corrupted or swapped out.

Here is how to check it for yourself.

How to verify a SHA-256 checksum

QuickWand's free Hash Generator hashes your file locally with the Web Crypto API, so even a large download never leaves your machine.

  1. Open the Hash Generator and select SHA-256 as the algorithm.
  2. Drop in your downloaded file (or paste the text you want to verify). The tool reads the bytes and computes the hash in your browser.
  3. Compare the result against the checksum the publisher listed. The easiest way is to copy the published value into the tool and let it confirm the match, or eyeball both strings end-to-end.
  4. Match → the file is intact, use it. Mismatch→ re-download and check again.

What a matching checksum proves — and what it doesn't

SHA-256 is a cryptographic hash: change a single bit anywhere in the file and the output changes completely and unpredictably. So a match is strong evidence your file is byte-for-byte identical to the one the publisher hashed. That reliably catches a truncated download, a flipped bit from a flaky connection, or a corrupted archive.

But be clear about the limits:

  • A checksum is only as trustworthy as where you got it. If an attacker can replace both the file and the published hash on the same page, matching them proves nothing. Get the expected hash over a channel you trust (HTTPS, ideally a separate source).
  • A checksum is not a signature. It confirms integrity (the bytes match) but not authenticity (who produced them). For that you need a cryptographic signature like GPG, which ties the file to a key.

Why publishers still use MD5 and SHA-1 sometimes

You will occasionally see MD5 or SHA-1 checksums on older download pages. They are fine for catching accidental corruption, but both are cryptographically broken— attackers can deliberately craft two different files with the same MD5 or SHA-1 hash (a collision). For any security-relevant verification, prefer SHA-256. The guide on generating MD5 vs SHA-256 hashes digs into when each one is appropriate.

A note on one-way hashing

Unlike Base64, a hash is a one-wayfunction: you cannot turn a SHA-256 digest back into the original file. That is what makes it useful for verification and for storing password fingerprints — and it is the opposite of reversible encoding like Base64. Verify with a hash; never assume a hash can be decoded.

Frequently asked questions

How do I verify a file's SHA-256 checksum?
Compute the SHA-256 hash of your downloaded file and compare it character-for-character against the checksum the publisher listed. If they match exactly, the file is intact. QuickWand's Hash Generator computes the hash in your browser, so the file is never uploaded.
What does it mean if the checksum doesn't match?
A mismatch means the file you have is not byte-for-byte identical to the one the publisher hashed. Usually that's a corrupted or incomplete download, so re-download and check again. If it still differs, treat the file as untrusted — it may have been altered.
Is verifying a checksum the same as verifying a signature?
No. A checksum confirms the file matches a known hash, which catches corruption and casual tampering. A cryptographic signature (like GPG) also proves who produced the file. A checksum alone is only as trustworthy as the channel you got the expected hash from.
Can I verify a large file without uploading it?
Yes. QuickWand's Hash Generator reads and hashes the file locally in your browser using the Web Crypto API, so even a multi-gigabyte file never leaves your device — there's no upload and no waiting on a server.

Free tool

Hash Generator

Generate cryptographic hashes of text or files using SHA-1, SHA-256, SHA-512 and more, computed in your browser.

Try Hash Generator— free →