What does a SHA-256 checksum verify?

That a file hasn't been corrupted or tampered with. Any single-bit change produces a completely different hash. Matching the published hash means the file is byte-for-byte identical.

SHA-256 Checksum Generator

Generate a SHA-256 checksum for any text or file in your browser. Verify software downloads, check file integrity, and compare checksums — no upload to any server.

Generate and Verify SHA-256 Checksums

Paste text or drop a file to instantly compute its SHA-256 hash. Compare against the published checksum to verify a download hasn't been tampered with or corrupted.

Text checksum: Hash any string or pasted content
File checksum: Drop a file to hash it locally — file never leaves your device
Compare mode: Paste the expected checksum to get an instant pass/fail
Uppercase/lowercase: Output in either format to match published checksums

Generate SHA-256 Checksum →

When to Verify a Checksum

Linux ISO downloads: Ubuntu, Debian, Fedora, and Arch all publish SHA-256 checksums on their download pages — always verify before installing
Software releases: Security-conscious projects (OpenSSL, Python, Node.js) publish checksums alongside releases — verify before running installers from untrusted mirrors
File transfer verification: After copying a large file across a network or storage device, compare checksums to confirm no corruption occurred
Dependency auditing: Verify that a downloaded library or package matches the expected hash before including it in a build

Verify a Checksum from the Command Line

Linux/macOS: sha256sum filename or shasum -a 256 filename
macOS only: shasum -a 256 filename — standard on all macOS versions
Windows PowerShell: Get-FileHash filename -Algorithm SHA256
Verify match: echo "expectedhash filename" | sha256sum --check — outputs filename: OK if it matches

Frequently Asked Questions

What does a SHA-256 checksum actually verify?

A SHA-256 checksum verifies two things: that the file hasn't been corrupted (accidental bit flips during download or storage), and that it hasn't been tampered with (replaced by a malicious version). SHA-256 produces a 256-bit hash — any single-bit change to the file produces a completely different hash. If the hash you compute matches the one published by the software author, the file is byte-for-byte identical to what they published.

What's the difference between MD5, SHA-1, and SHA-256 checksums?

All three produce a hash for integrity checking, but differ in security. MD5 (128-bit) and SHA-1 (160-bit) have known collision vulnerabilities — two different files can produce the same hash, making them unsuitable for security-critical verification. SHA-256 (256-bit) has no known practical collisions. For verifying downloads and file integrity, always use SHA-256 or SHA-512 if available. MD5 checksums you encounter on older software sites are still useful for detecting accidental corruption, but not for detecting tampering.

Can I verify a file checksum without uploading it?

Yes — this tool hashes files entirely within your browser using the Web Crypto API (SubtleCrypto.digest()). The file is read by JavaScript on your device and never transmitted. For sensitive files (private keys, confidential documents), browser-based hashing is preferable to any online tool that requires uploading. Alternatively, use the command line: sha256sum filename on Linux/macOS or Get-FileHash in PowerShell.