You finally find the installer you need, download it, and a website helpfully lists a long string of letters and numbers labeled "SHA-256" right next to the link. Most people ignore it. That string is a checksum, and taking thirty seconds to check it can be the difference between installing the real software and installing a tampered or corrupted copy.
A checksum is essentially a digital fingerprint of a file. Run the file through a hashing algorithm and you get a fixed-length string that, for a sound algorithm, is effectively unique to that exact set of bytes. Change a single byte, whether from a download error or a malicious edit, and the checksum changes completely. By comparing the checksum you calculate against the one the publisher posted, you confirm your copy is identical to theirs.
This guide explains how checksums work, the difference between common algorithms like MD5, SHA-1 and SHA-256, and exactly how to verify a download on Windows, macOS and Linux. It is one of the simplest and most overlooked habits in safe downloading.
Top picks & alternatives
- PowerShell Get-FileHash: built-in Windows command to compute SHA-256 and other hashes
- HashTab / HashCheck: adds a hash tab to file properties for quick verification
How a checksum actually works
A hashing algorithm takes any input, a file of any size, and produces a fixed-length output called a hash or digest. The same input always produces the same output. For strong algorithms, it is computationally infeasible to reverse the process or to craft a different file that produces the same hash. That property is what makes a checksum useful for verifying integrity.
When a publisher releases software, they run their official file through the algorithm and publish the result. You download the file, run the same algorithm yourself, and compare. If the two strings match exactly, your file is bit-for-bit identical to theirs.
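The compare step described above, as an added Python example that is not part of this guide or of any of the tools it lists. It hashes a file in chunks (so an ISO does not have to fit in memory), normalises the published string before comparing, and then flips a single bit in a constructed sample file to show how completely the digest changes. The file contents and the "publisher's" value are constructed for the demonstration; the `run_demo` helper exists only to exercise the two functions. The same check from a shell is `sha256sum file` on Linux, `shasum -a 256 file` on macOS and `Get-FileHash file` in PowerShell.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash large installers and ISOs 1 MiB at a time instead of loading them whole


def file_digest(path, algorithm="sha256"):
    """Return the lowercase hex digest of the file at `path` for the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest, algorithm="sha256"):
    """True only if the file's digest equals the value the publisher posted.

    Posted values are often upper-case or copied with stray whitespace, so the
    published string is normalised first. A value of the wrong length is a
    truncated or mis-copied reference and can never match. hmac.compare_digest
    compares in constant time; not strictly needed for a local file, but the
    right habit whenever digests are compared.
    """
    expected = published_digest.strip().lower()
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        return False
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def run_demo():
    """Constructed demonstration: hash a sample file, flip one bit, hash again."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "installer.bin")           # constructed sample, not a real installer
    tampered = os.path.join(workdir, "installer-tampered.bin")
    with open(original, "wb") as f:
        f.write(b"hello world")
    data = bytearray(b"hello world")
    data[0] ^= 0x01                                           # change a single bit of the first byte
    with open(tampered, "wb") as f:
        f.write(bytes(data))

    published = file_digest(original)  # stands in for the value shown on the publisher's page
    return {
        # same bytes through three algorithms: 32, 40 and 64 hex characters respectively
        "algorithms": {a: file_digest(original, a) for a in ("md5", "sha1", "sha256")},
        "original": published,
        "tampered": file_digest(tampered),
        # published value pasted with whitespace and in upper case still verifies
        "original_verifies": verify_download(original, " " + published.upper() + "\n"),
        "tampered_verifies": verify_download(tampered, published),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The SHA-256 of the sample bytes `hello world` is a well-known test value, so the digest the demo prints for the original file can be checked against any other tool.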
MD5, SHA-1 and SHA-256: which to trust
Not all algorithms are equal. MD5 and SHA-1 are old and have known weaknesses; researchers can deliberately create two different files with the same MD5 or SHA-1 hash, a so-called collision. They are still fine for catching accidental corruption, but they should not be relied on for security against a determined attacker.
- MD5: fast, widely seen, but cryptographically broken. Use only as a basic corruption check.
- SHA-1: also deprecated for security purposes.
- SHA-256: part of the SHA-2 family, currently the standard recommendation for verifying downloads.
When a publisher offers SHA-256, use it.
Why checksums matter for safety
Two threats make checksums worthwhile. The first is corruption: a download can be interrupted or scrambled in transit, leaving you with a broken installer that fails or behaves oddly. A checksum catches that instantly. The second, and more serious, is tampering: if an attacker compromises a mirror or performs a man-in-the-middle attack, they could swap the real file for a trojanized one. A matching checksum from a trusted source proves the file was not altered.
Checksums are most valuable for high-risk downloads like operating system ISOs, large installers and tools downloaded from mirrors rather than the primary site.
Checksums vs digital signatures
A checksum tells you a file matches a reference value, but it does not prove who published that reference value. If an attacker controls the download page, they can post a matching checksum for their malicious file. That is where digital signatures come in: a signature uses cryptographic keys to prove both integrity and authenticity, tying the file to a verified publisher.
In practice, use both when available. Verify the checksum, and where the project provides signed releases (common with GPG signatures on Linux distros), verify the signature against the publisher's known public key.
Where to get the trusted checksum
The whole exercise only works if the reference checksum is genuine. Always get it from the official source, ideally over HTTPS, and ideally from a different page or channel than the download itself. Many projects publish checksums on their official site, in release notes, or in a signed file. Be suspicious if a random third-party mirror offers both the file and the only copy of its checksum.
If the published checksum and your calculated one do not match, do not run the file. Delete it and download again from the official source, then re-verify.
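Many projects publish the reference values for a whole release as a `SHA256SUMS`-style file, one `<digest>  <filename>` line per file in the format written by `sha256sum` and `shasum` (a `*` before the name marks binary mode and is not part of the name). The verifier below is an added example, not code from this guide, that parses such a manifest, checks every listed file against it and reports `OK`, `FAILED` or `MISSING` per file, the way `sha256sum -c` does. Two defensive details worth keeping: a digest of the wrong length is rejected as a bad reference rather than silently failing to match, and a manifest entry that points outside the download directory is refused. The manifest text and files in `run_demo` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import string
import tempfile

CHUNK_SIZE = 1024 * 1024


def file_digest(path, algorithm="sha256"):
    """Lowercase hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text, algorithm="sha256"):
    """Parse '<digest>  <filename>' lines into {filename: digest}.

    Blank lines and '#' comments are skipped. A digest that is not exactly the
    right number of hex characters for the algorithm is a mis-copied reference
    and is rejected outright.
    """
    want_len = hashlib.new(algorithm).digest_size * 2
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts[0].lower(), parts[1]
        if len(digest) != want_len or any(c not in string.hexdigits for c in digest):
            raise ValueError(f"line {lineno}: malformed {algorithm} digest")
        if name.startswith("*"):          # binary-mode marker, not part of the file name
            name = name[1:]
        entries[name] = digest
    return entries


def verify_manifest(manifest_text, directory, algorithm="sha256"):
    """Check each file named in the manifest; returns {filename: 'OK'|'FAILED'|'MISSING'}."""
    results = {}
    for name, expected in parse_checksum_manifest(manifest_text, algorithm).items():
        # refuse entries that would escape the download directory
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            raise ValueError(f"refusing manifest entry outside directory: {name!r}")
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algorithm)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def run_demo():
    """Constructed demonstration: one intact file, one tampered file, one absent file."""
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "tool-1.0.tar.gz"), "wb") as f:   # constructed, not a real release
        f.write(b"hello world")
    with open(os.path.join(workdir, "tool-1.0.exe"), "wb") as f:
        f.write(b"hello worle")                                       # last byte altered
    good = hashlib.sha256(b"hello world").hexdigest()
    manifest = (
        "# constructed SHA256SUMS for the demo\n"
        f"{good}  tool-1.0.tar.gz\n"
        f"{good.upper()} *tool-1.0.exe\n"      # upper-case digest, binary-mode marker
        f"{good}  tool-1.0.dmg\n"              # listed but never downloaded
    )
    return verify_manifest(manifest, workdir)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

Anything other than `OK` for the file you are about to run means the same thing as a mismatch in the text above: do not execute it, delete it and fetch it again from the official source.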