How to Verify a SHA-256 Checksum on Windows, macOS, and Linux

A SHA-256 checksum helps confirm that a downloaded file matches the one supplied by its publisher. Calculate the file’s SHA-256 hash with a command already built into your operating system, then compare that result with the hash on the official download page.

Quick commands: On Windows, use Get-FileHash. macOS has shasum -a 256, while Linux generally uses sha256sum. Your calculated value has to match the publisher’s checksum exactly.

The Short Version

Operating systemSHA-256 command
Windows PowerShellGet-FileHash "C:\path\file.iso" -Algorithm SHA256
Windows Command Promptcertutil -hashfile "C:\path\file.iso" SHA256
macOSshasum -a 256 /path/file.iso
Linuxsha256sum /path/file.iso
  1. Copy the official SHA-256 checksum from the software publisher’s website.
  2. Run the command for your operating system against the downloaded file.
  3. Compare all 64 hexadecimal characters, not just a few at either end.
  4. If the values differ, don’t open the file. Delete it, then download another copy from an official source.

What a SHA-256 Checksum Actually Shows

SHA-256 creates a 256-bit digest, displayed as 64 hexadecimal characters. Change even one byte in the file and you’ll get a different digest. That makes the checksum useful for spotting downloads that are incomplete, corrupted, or modified.

A match confirms that your copy is identical to the file used to produce the published hash. It doesn’t prove who made that file, though. If an attacker can replace both the download and the checksum displayed beside it, a malicious file can still appear valid. Get the expected checksum from the publisher’s official HTTPS website or from a signed release record.

Checking SHA-256 on Windows

Using PowerShell

  1. Open File Explorer and find the file you downloaded.
  2. Right-click it and choose Copy as path. On Windows 10, you may need to hold Shift while right-clicking before that option appears.
  3. Open PowerShell or Windows Terminal.
  4. Run the command below, replacing the example with your file’s path.
Get-FileHash "C:\Users\Sam\Downloads\example.iso" -Algorithm SHA256

PowerShell shows the algorithm, the calculated hash, and the path to the file. Compare the entry under Hash with the publisher’s official SHA-256 checksum.

Using Command Prompt

Command Prompt can do the same job through the built-in Certificate Utility:

certutil -hashfile "C:\Users\Sam\Downloads\example.iso" SHA256

The checksum is the line between the status messages. Spaces and capitalization don’t matter during comparison, but every hexadecimal character still needs to match. All of them.

Checking SHA-256 on macOS

  1. Open Terminal from Applications > Utilities.
  2. Type shasum -a 256, followed by a space.
  3. Drag the downloaded file from Finder into the Terminal window. Its correctly escaped path will be inserted for you.
  4. Press Return.
shasum -a 256 ~/Downloads/example.iso

The first 64-character value in the output is the SHA-256 checksum. After that, you’ll see the file path.

macOS also lets you calculate the checksum with this command:

openssl dgst -sha256 ~/Downloads/example.iso

Checking SHA-256 on Linux

Most Linux distributions include sha256sum as part of GNU Coreutils. Open a terminal and run:

sha256sum ~/Downloads/example.iso

You can also have the utility compare the values for you. Create a text file containing the expected hash, two spaces, and the exact filename, then run the check:

cd ~/Downloads
printf '%s  %s\n' 'EXPECTED_HASH_HERE' 'example.iso' > example.iso.sha256
sha256sum --check example.iso.sha256

If the values match, the result is:

example.iso: OK

A FAILED result needs a little checking. Make sure you copied the expected checksum correctly and used the exact filename. If both are right, discard the download.

Comparing Two Checksums Without Guesswork

For a quick manual comparison, paste both values into a plain-text editor, one on each line. Don’t glance at the first few characters, skip the middle, and then check the ending. The full 64-character value needs to agree.

PowerShell can make an exact comparison without treating uppercase and lowercase letters as different:

$expected = "EXPECTED_HASH_HERE"
$actual = (Get-FileHash "C:\path\example.iso" -Algorithm SHA256).Hash
$actual -eq $expected

You should get True. If PowerShell returns False, the two values aren’t the same.

If the Checksums Don’t Match

  1. Don’t install or open the file.
  2. Check the algorithm named by the publisher. The posted value may be MD5, SHA-1, or SHA-512 rather than SHA-256.
  3. Confirm that you hashed the right file and the correct release version.
  4. Delete the downloaded file, along with any partial downloads left by the browser.
  5. Download it again from the official website, preferably over a stable connection.
  6. Calculate the checksum again. If it still differs, report the problem to the publisher.

Mistakes That Cause Bad Comparisons

  • Hashing the wrong file: Files for different versions or architectures may have similar names, but their checksums will differ.
  • Mixing algorithms: A SHA-256 result can’t match a checksum created with MD5 or SHA-1.
  • Leaving out quotation marks: Windows commands need quotes around file paths that contain spaces.
  • Using a hash from an unrelated site: Take the expected value from the official publisher or a verified release channel.
  • Treating the checksum like an antivirus scan: A match confirms file integrity. It doesn’t tell you whether the publisher’s original file is safe.

Better Habits for Verifying Downloads

  • If several checksum formats are offered, prefer SHA-256 or SHA-512.
  • Check installers, operating system images, firmware, and command-line binaries before you run them.
  • Use digital signatures, GPG signatures, or signed package repositories whenever the publisher supplies them.
  • Keep the expected hash separate from the downloaded file when you can.
  • Get software only from the vendor’s official website or a trusted package repository.

Leave a Comment

Related Posts