What is a Checksum File?

Updated December 12, 2025

A checksum file contains a unique hash value that acts like a digital fingerprint for a file. It's used to verify that a downloaded file hasn't been corrupted or tampered with during transfer.

In Simple Terms:
Think of a checksum as a seal on a package. If the seal is broken (checksum doesn't match), you know the package was tampered with.

Common Checksum Types

  • MD5: 32-character hash (fast, but less secure)
  • SHA-1: 40-character hash (deprecated for security)
  • SHA-256: 64-character hash (recommended, very secure)
  • SHA-512: 128-character hash (maximum security)

Example MD5: d8e8fca2dc0f896fd7cb4cb0031ba249

Example SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Why Are Checksums Important?

1. Verify File Integrity

Ensure downloaded files haven't been corrupted during transfer (network errors, disk issues).

2. Detect Tampering

Verify files haven't been modified maliciously (malware injection, backdoors).

3. Confirm Authenticity

Match the checksum provided by the official source to confirm you have the genuine file.

When Should You Verify Checksums?

  • Operating System ISOs: Linux distributions, Windows ISO downloads
  • Software Downloads: Especially security-critical software
  • Large Files: Videos, game files, backup archives
  • Cryptocurrency Wallets: Critical to verify authenticity

How to Check Checksums

On Windows

Using PowerShell:

Get-FileHash filename.zip -Algorithm SHA256

Using Command Prompt:

certutil -hashfile filename.zip SHA256

On Mac

Terminal:

shasum -a 256 filename.zip

Or for MD5:

md5 filename.zip

On Linux

sha256sum filename.zip

Or for MD5:

md5sum filename.zip

Step-by-Step Verification

  1. Download the file (e.g., ubuntu-22.04.iso)
  2. Download checksum file (e.g., SHA256SUMS.txt)
  3. Open checksum file to see the expected hash
  4. Calculate hash of your downloaded file using commands above
  5. Compare hashes: They must match exactly

Important:
Even ONE character difference means the file has been modified or corrupted. Do not use it.
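
The five steps above as a cross-platform Python script. This is an added example, not part of the original article; the function names and the sample files (sample.iso and a constructed SHA256SUMS.txt) are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def expected_hash(sums_path, filename):
    """Return the hash listed for filename in a sha256sum-style file, or None."""
    with open(sums_path, encoding="utf-8") as f:
        for line in f:
            parts = line.strip().split(None, 1)
            if len(parts) != 2 or len(parts[0]) != 64:
                continue  # blank, malformed, or not a SHA-256 entry
            digest, name = parts
            # sha256sum marks binary-mode entries with a leading '*'
            if name.removeprefix("*") == filename:
                return digest.lower()  # hex case differs between tools
    return None

def verify(file_path, sums_path):
    """Return 'OK', 'MISMATCH' or 'NOT LISTED' for file_path."""
    want = expected_hash(sums_path, os.path.basename(file_path))
    if want is None:
        return "NOT LISTED"  # a missing entry must not count as a pass
    return "OK" if sha256_of(file_path) == want else "MISMATCH"

def demo():
    """Run the check on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "sample.iso")  # constructed stand-in for a download
        sums = os.path.join(d, "SHA256SUMS.txt")
        with open(iso, "wb") as f:
            f.write(b"constructed sample payload\n")
        with open(sums, "w", encoding="utf-8") as f:
            f.write(f"{sha256_of(iso).upper()} *sample.iso\n")  # uppercase, as Get-FileHash prints
        before = verify(iso, sums)
        with open(iso, "ab") as f:
            f.write(b"x")  # simulate a one-byte change after download
        return before, verify(iso, sums)

if __name__ == "__main__":
    print(demo())
```

Letter case is the one difference that does not matter when comparing: Get-FileHash prints uppercase hex while sha256sum prints lowercase, so the script normalizes case before comparing.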

MD5 vs SHA-256: Which to Use?

  • MD5: Fast, but cryptographically broken. Only use for non-security purposes (comparing files)
  • SHA-1: Deprecated. Don't use for security
  • SHA-256: Recommended standard. Secure and fast enough
  • SHA-512: Maximum security, slightly slower

Recommendation: Always use SHA-256 or SHA-512 for security verification.

Common Checksum File Extensions

  • .md5 - MD5 checksum
  • .sha256 - SHA-256 checksum
  • .sha512 - SHA-512 checksum
  • .checksum - Generic checksum file

Checksums for Entire Directories

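You can create checksums for all files in a directory. The output file is excluded from the search so that it does not end up listed inside itself and fail verification later:

Linux/Mac:

find . -type f ! -name checksums.sha256 -exec sha256sum {} \; > checksums.sha256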

Verify later:

sha256sum -c checksums.sha256

Are Checksums Encryption?

No! Checksums are one-way hashes:

  • You cannot reverse a hash to get the original file
  • Used for verification, not encryption
  • Even tiny file changes create completely different hashes
