What is a checksum?
A checksum is a small fingerprint computed from data, used to prove the data hasn't changed. Here's how that works, which algorithms matter, and how to actually verify a file.
The core idea
Run a file through a hash function and you get a fixed-size value — for SHA-256, 64 hexadecimal characters — that depends on every bit of the input. Recompute it later, or on the other side of a download, and compare: same checksum, same data. Change anything — one flipped bit in a 10 GB image — and the checksum changes completely (the avalanche effect). Two properties do the heavy lifting: the function is one-way (you can't reconstruct data from its hash) and, for cryptographic hashes, collision-resistant (nobody can craft two inputs sharing one output).
Checksum, hash, MAC, signature — the ladder
| term | what it proves | needs |
|---|---|---|
| checksum / hash | data is intact | nothing — anyone can compute it |
| MAC (HMAC) | intact and made by a key-holder | a shared secret key |
| digital signature | intact and from a specific publisher | the publisher's key pair (GPG, minisign) |
Strictly, "hash" is any hash function's output while "checksum" is a hash used for integrity — and some checksums, like CRC-32, come from error-detecting codes that were never meant to resist an adversary. The ladder matters because a checksum from a compromised download page proves nothing; that's the gap signatures close.
The algorithms you'll actually meet
| algorithm | hex length | status in 2026 | typical sighting |
|---|---|---|---|
| SHA-256 | 64 | standard | next to nearly every download |
| SHA-512 / SHA-384 | 128 / 96 | solid | certificates, TLS, big-margin profiles |
| SHA-3 | 56–128 | solid, different DNA | newer protocols and standards |
| BLAKE3 | 64 | solid, fastest | B3SUMS files, content-addressed tools |
| SHA-1 | 40 | broken for security (2017) | git internals, old archives |
| MD5 | 32 | broken for security (2004) | legacy MD5SUMS, corruption checks |
| CRC-32 | 8 | error detection only | zip, PNG, gzip internals |
Length is how you read an unlabelled hash — that's the whole trick behind the hash identifier, ambiguities included (64 characters could be three different algorithms). The head-to-heads have the details: MD5 vs SHA-256, SHA-1 vs SHA-256, SHA-256 vs SHA-512.
Verifying a download, start to finish
- Copy the published checksum from the project's official page (not the mirror).
- Hash your downloaded file: drop it into the verify tool right in your browser, or use the native command — certutil on Windows, shasum on macOS, sha256sum on Linux.
- Compare exactly — tooling, not eyeballs. Case doesn't matter; every character does.
- Mismatch? Re-download first (most mismatches are truncated transfers), check the algorithm, and if it persists, don't run the file.
Whole folders and SHA256SUMS files go through the batch tool, which reads and writes the same format as the command-line tools.
Why checksums earn their thirty seconds
Downloads fail quietly: proxies truncate, disks corrupt, mirrors drift out of date, and occasionally someone malicious swaps a file. A checksum catches all of the accidental cases and — paired with a hash from a trustworthy page — most of the hostile ones. For the strongest guarantee, projects sign their checksum files; when you see SHA256SUMS.gpg, that's the ladder's top rung in action.
questions
Are "checksum" and "hash" the same thing?
Nearly. A hash is a hash function's output; a checksum is a hash used to confirm integrity. All checksums are hashes, not vice versa — and some (like CRC32) come from error-detecting codes rather than cryptographic hashes.
What's the most common checksum today?
SHA-256, by a wide margin. It's what Linux distributions, browsers vendors and most software projects publish next to downloads, and it has no known practical attacks.
Can a checksum tell me what changed in a file?
No — only that something changed. A single flipped bit produces a completely different hash (the avalanche effect), and the hash carries no information about where or how big the change was.
Do I really need to verify downloads?
Proportionally to the stakes. Operating system images, firmware, anything you'll run with admin rights, and anything fetched over a shaky connection: yes, the thirty seconds pay for themselves. A wallpaper: probably not.
What's the difference between a checksum and a digital signature?
A checksum proves the file matches the published hash; a signature proves who published it. If an attacker controls the download page, they can update the checksum to match their tampered file — but they can't forge a GPG or minisign signature without the private key. Serious projects publish both.