guides / linux
Verify a checksum on Linux
sha256sum ships in GNU coreutils, so it's already on your machine. Single files, whole SHA256SUMS lists, and the trick that avoids eyeballing hex — step by step.
Single file
sha256sum ~/Downloads/ubuntu-24.04.iso17e2a49b8… (64 hex chars) /home/you/Downloads/ubuntu-24.04.iso
Compare the first field with the hash on the release page. Siblings exist for every length the publisher might use: md5sum, sha1sum, sha512sum — pick by the published hash's length (64 = SHA-256; the identifier reads the others).
Never compare by eye
Feed the expected value straight to -c — note the two spaces between hash and filename:
echo "17e2a49b8…the-published-hash… ubuntu-24.04.iso" | sha256sum -cPrints ubuntu-24.04.iso: OK or FAILED. Exact, scriptable, no squinting.
A whole SHA256SUMS file
Distros publish one sums file for all their images. With it sitting next to your download:
cd ~/Downloads && sha256sum -c SHA256SUMS --ignore-missing--ignore-missing checks only the files you actually have instead of complaining about every image you didn't download. Any FAILED line means delete and re-fetch from an official mirror.
When it complains
- "no properly formatted checksum lines found" — the file is BSD-format (
SHA256 (x) = …) or has Windows line endings.dos2unix SHA256SUMSfixes the endings; for BSD lines useshasum -cinstead, or import it into the batch tool, which reads both dialects. - "WARNING: 1 computed checksum did NOT match" — a real mismatch: corrupted or altered download. Re-download before anything else.
The signature layer
Serious distros also publish SHA256SUMS.gpg — a signature over the sums file itself. gpg --verify SHA256SUMS.gpg SHA256SUMS proves the checksum list is authentic, closing the loop a checksum alone can't (background: what is a checksum).
No terminal handy?
The verify tool checks one file against its published hash entirely in your browser, and the batch tool imports a whole SHA256SUMS. Same walkthroughs for Windows and macOS.
questions
How do I check one file against a hash I copied?
Fastest trick: echo "expected-hash file.iso" | sha256sum -c (note the two spaces). It prints file.iso: OK or FAILED — no eyeballing 64 characters.
What does --ignore-missing do?
Distros often publish one SHA256SUMS covering every image. Without the flag, sha256sum -c complains about each listed file you didn't download; with it, only the files actually present are checked.
"no properly formatted checksum lines found" — why?
The sums file is in BSD tag format (SHA256 (file) = …, from macOS or openssl) or has Windows line endings. Convert with dos2unix, use shasum -c which is more forgiving — or import it into the batch tool, which accepts both formats.
Where do distributions publish their checksums?
On the release/download page, usually as SHA256SUMS plus a GPG signature (SHA256SUMS.gpg). For untrusted networks, verify the signature too — the checksum proves integrity, the signature proves the checksum itself is authentic.
Can I do this without a terminal?
Yes: drop the file into the verify tool and paste the expected hash — same comparison, running locally in your browser. For many files, the batch tool imports the SUMS file whole.