Guide
How to Check a Downloaded File's SHA-256 Hash
A step-by-step guide to verifying file integrity with SHA-256, what a matching hash proves, and what it does not.
A cryptographic hash is a fingerprint for data. Feed a file through SHA-256 and you get a 64-character hexadecimal string; change even one byte of the file and the string changes completely. If the hash you compute matches the hash the publisher lists, you can be confident you have exactly the bytes they published.
Checking a hash takes under a minute and catches two real problems: downloads corrupted in transit and files swapped or tampered with somewhere between the publisher and your disk.
Step 1: Find the published hash
Look for the checksum on the publisher's official website, usually near the download link or on a dedicated release page, in a file named something like SHA256SUMS. The hash must come from a source you trust separately from the download itself. A hash printed on the same compromised mirror as a malicious file would simply match the malicious file, which is why serious projects publish checksums on their primary site even when downloads come from mirrors.
Step 2: Compute the hash of your copy
You can compute the hash locally in several ways. SecretPNG's file hash tool streams the file through SHA-256 in your browser using WebAssembly, so large files are processed without being uploaded, and nothing about the file leaves your device. Alternatively, every major operating system has a built-in command: 'shasum -a 256 file' on macOS, 'sha256sum file' on Linux, and 'Get-FileHash file' in Windows PowerShell.
SecretPNG also supports SHA-384 and SHA-512, which some publishers use. MD5 and SHA-1 appear on older download pages; both are cryptographically broken for security purposes, and SecretPNG computes them only for legacy comparison, with a warning.
Step 3: Compare carefully
Compare the two strings in full, not just the first and last few characters. Attackers can generate files whose hashes match a target at the beginning and end, and eyeballing a truncated comparison defeats the purpose. SecretPNG's verify tool does the comparison for you: paste the expected hash, select your file, and it reports a clear match or mismatch.
If the hashes differ, do not open the file. Re-download it first, since corruption in transit is the most common cause. If a fresh download from the official source still mismatches, stop and contact the publisher.
What a matching hash proves, and what it does not
It is worth being precise about the guarantee, because hashing is often oversold.
- A match proves your file is byte-for-byte identical to the file the published hash describes.
- It does not prove the file is safe: if the publisher's site was compromised, the listed hash may describe a malicious file perfectly.
- Hashing is integrity, not encryption: a hash does not hide, protect, or lock the file in any way.
- For authenticity, some publishers additionally sign releases with a cryptographic signature, which verifies who published the file, not just what it contains.
Limitations to keep in mind
- A hash comparison is only as trustworthy as the source of the expected hash; both can be falsified together by an attacker who controls the publisher's page.
- Hashing detects modification but cannot tell you whether the original file was malicious to begin with.
- MD5 and SHA-1 should not be relied on for security decisions; treat them as legacy identifiers only.