You downloaded an installer, but how do you know it's the exact file the developer published and not a corrupted or tampered copy? That's what file verification answers. By comparing a cryptographic fingerprint of your download against the one the publisher provides, you can confirm in seconds whether the file is genuine.
This guide explains how to verify downloaded files using checksums and digital signatures on Windows, macOS, and Linux. It sounds technical, but each platform has a built-in command that does the work, and once you've done it a couple of times it becomes second nature for anything important.
Verification is especially worthwhile for operating system images, security tools, and any software you'll run with elevated privileges. tooldownload.net points you to official sources, and these checks let you confirm for yourself that what landed on disk is what the vendor intended.
Top picks & alternatives
Microsoft PowerShell
Built-in Get-FileHash command for SHA-256 verification.
Kleopatra (Gpg4win)
Graphical tool for managing keys and verifying signatures on Windows.
What a Checksum Actually Tells You
A checksum, or hash, is a fixed-length string calculated from a file's contents. Change even a single byte and the hash changes completely. Developers publish the expected SHA-256 hash alongside their downloads so you can recompute it locally and compare. If the two strings match exactly, your file is identical to the original. If they differ, the file is either corrupted or has been altered.
SHA-256 is the standard today. You may still see MD5 or SHA-1 on older sites, but both are considered weak against deliberate tampering, so treat them as integrity checks only, not security guarantees.
Verifying on Windows
Windows includes a built-in command. Open PowerShell, navigate to your downloads folder, and run the Get-FileHash command against the file. It prints the SHA-256 hash, which you then compare to the publisher's value. You can also paste both strings into a text editor to spot any difference quickly.
- Open PowerShell in the download folder
- Run: Get-FileHash .\installer.exe -Algorithm SHA256
- Compare the output to the official checksum
Verifying on macOS and Linux
On macOS, the Terminal command shasum -a 256 yourfile prints the SHA-256 hash. On most Linux distributions, sha256sum yourfile does the same. As with Windows, you compare the result against the published value. Many Linux projects also offer signed checksum files you can verify with GPG for an extra layer of authenticity.
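The compute-and-compare step for macOS and Linux as a small script. This is an added example, not part of the original guide; the names verify_sha256, sha256_of and verify.sh and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: function names and exit codes are this example's own choices.
# verify_sha256 FILE EXPECTED -> 0 match, 1 mismatch, 2 check not possible.

sha256_of() {
    # Linux ships sha256sum, macOS ships shasum. Reading from stdin keeps
    # odd file names out of the tool's output; the hash is the first field.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

verify_sha256() {
    file=$1
    # Publishers and tools differ in letter case (Get-FileHash prints upper
    # case), and pasted values pick up whitespace: normalise before comparing.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # SHA-256 is exactly 64 hex characters. Refuse anything else, such as a
    # 32-character MD5 value or a truncated paste, instead of comparing it.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hexadecimal" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value is not 64 hex characters" >&2; return 2
    fi
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read file: $file" >&2; return 2
    fi

    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Script mode (verify.sh is a hypothetical name): sh verify.sh FILE EXPECTED
if [ "$#" -eq 2 ]; then verify_sha256 "$1" "$2"; fi
```

Copy the expected value from the publisher's official page, not from the same mirror that served the file.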
Verifying Digital Signatures
Checksums confirm integrity, but a signature confirms identity. Open-source projects often publish a GPG signature alongside their files. After importing the developer's public key, you can verify the signature to prove the file came from that specific key holder. On Windows, signed installers can also be checked through the file's Properties and Digital Signatures tab.
What to Do If the Hash Doesn't Match
A mismatch is a clear stop sign. First, re-download the file in case the transfer was interrupted, then check the hash again. If it still doesn't match the official value, do not run the file. Delete it, and obtain a fresh copy directly from the developer's site. A persistent mismatch can indicate a compromised mirror or a man-in-the-middle attack.