guides / linux

Verify a checksum on Linux

sha256sum ships in GNU coreutils, so it's already on your machine. Single files, whole SHA256SUMS lists, and the trick that avoids eyeballing hex — step by step.

Single file

sha256sum ~/Downloads/ubuntu-24.04.iso
17e2a49b8… (64 hex chars)  /home/you/Downloads/ubuntu-24.04.iso

Compare the first field with the hash on the release page. Siblings exist for every length the publisher might use: md5sum, sha1sum, sha512sum — pick by the published hash's length (64 = SHA-256; the identifier reads the others).

Never compare by eye

Feed the expected value straight to -c — note the two spaces between hash and filename:

echo "17e2a49b8…the-published-hash…  ubuntu-24.04.iso" | sha256sum -c

Prints ubuntu-24.04.iso: OK or FAILED. Exact, scriptable, no squinting.

A whole SHA256SUMS file

Distros publish one sums file for all their images. With it sitting next to your download:

cd ~/Downloads && sha256sum -c SHA256SUMS --ignore-missing

--ignore-missing checks only the files you actually have instead of complaining about every image you didn't download. Any FAILED line means delete and re-fetch from an official mirror.

When it complains

The signature layer

Serious distros also publish SHA256SUMS.gpg — a signature over the sums file itself. gpg --verify SHA256SUMS.gpg SHA256SUMS proves the checksum list is authentic, closing the loop a checksum alone can't (background: what is a checksum).

No terminal handy?

The verify tool checks one file against its published hash entirely in your browser, and the batch tool imports a whole SHA256SUMS. Same walkthroughs for Windows and macOS.

questions

How do I check one file against a hash I copied?

Fastest trick: echo "expected-hash file.iso" | sha256sum -c (note the two spaces). It prints file.iso: OK or FAILED — no eyeballing 64 characters.

What does --ignore-missing do?

Distros often publish one SHA256SUMS covering every image. Without the flag, sha256sum -c complains about each listed file you didn't download; with it, only the files actually present are checked.

"no properly formatted checksum lines found" — why?

The sums file is in BSD tag format (SHA256 (file) = …, from macOS or openssl) or has Windows line endings. Convert with dos2unix, use shasum -c which is more forgiving — or import it into the batch tool, which accepts both formats.

Where do distributions publish their checksums?

On the release/download page, usually as SHA256SUMS plus a GPG signature (SHA256SUMS.gpg). For untrusted networks, verify the signature too — the checksum proves integrity, the signature proves the checksum itself is authentic.

Can I do this without a terminal?

Yes: drop the file into the verify tool and paste the expected hash — same comparison, running locally in your browser. For many files, the batch tool imports the SUMS file whole.