A checksum is a short fingerprint calculated from the contents of a file. When a vendor publishes a SHA-256 or MD5 value next to a download, you can recalculate that same value on your own machine and compare. If the two strings match exactly, your copy is bit-for-bit identical to the original. If they differ, something is wrong, and that is what "checksum verification failed" is telling you.
A mismatch almost always means one of two things: the file was corrupted in transit (a dropped packet, a bad disk sector, or an interrupted download), or it was altered, possibly by malware or a compromised mirror. Either way you should not trust or run the file until you have a copy whose hash matches the official value.
The good news is that verifying checksums on Windows takes one short command and no extra software. This guide shows you exactly how to do it, how to read the result, and what to do when the numbers don't line up.
Helpful tools
HashTab
Adds a Hashes tab to file Properties for quick checksum comparison
Free Download Manager
Download manager that resumes and integrity-checks large files
VeraCrypt
Security tool whose downloads come with published checksums and signatures
Microsoft PowerToys
Utility suite that complements built-in Windows hashing tools
Step-by-step fix
1. Find the official checksum on the vendor's download page and note which algorithm it uses (SHA-256 is preferred over MD5 or SHA-1).
2. Open PowerShell, navigate to the file's folder, and run: Get-FileHash yourfile.ext -Algorithm SHA256.
3. Alternatively, in Command Prompt run: certutil -hashfile yourfile.ext SHA256.
4. Compare the generated hash against the vendor's published value; the match must be exact (case does not matter).
5. If they do not match, delete the file and download it again from the official source over a stable connection.
6. If the new download still fails, switch to the vendor's primary mirror and confirm you are using the correct version's checksum.
7. For security-critical files, also verify the vendor's GPG/PGP signature using a tool like Gpg4win.
8. Only run or install the file once a downloaded copy produces a hash that matches the official value.
What a Checksum Actually Proves
A cryptographic hash like SHA-256 turns any file into a fixed-length string. Change even a single byte and the resulting hash changes completely, so it is an extremely sensitive corruption detector. Matching hashes give you strong confidence that your download is complete and untampered.
It is worth knowing that MD5 and SHA-1 are now considered weak against deliberate tampering, though they are still fine for catching accidental corruption. Whenever a vendor offers SHA-256, prefer it over MD5 for security-sensitive downloads such as operating system images.
How to Calculate a Hash on Windows
Windows ships with two built-in tools, so you rarely need to install anything. In Command Prompt, run certutil -hashfile yourfile.iso SHA256. In PowerShell, run Get-FileHash yourfile.iso -Algorithm SHA256. Both print the file's hash, which you then compare against the value on the vendor's download page.
Comparison is case-insensitive but otherwise must be exact. Copy the vendor's value into a text editor next to your result, or use PowerShell's comparison to avoid eye strain when checking 64-character strings.
When the Hashes Don't Match
A mismatch is not something to override or ignore. The most likely explanation is a corrupted download, so the first move is simply to delete the file and download it again, ideally over a stable wired connection or using a download manager that verifies integrity.
If the freshly downloaded file still fails to match the official hash, treat it as suspicious. The mirror could be compromised, the published value could be outdated, or the file could be intentionally modified. Switch to the official primary source and report the discrepancy to the vendor.
Make Sure You Have the Right Reference Value
Sometimes the checksum genuinely fails because you are comparing against the wrong number. Vendors release new versions frequently, and an old hash on a forum post will not match a current build. Always copy the checksum from the same official page and version that hosts the download.
Watch for the algorithm too: comparing your SHA-256 result against the vendor's MD5 value will obviously never match. Confirm both strings use the same algorithm before concluding anything is wrong.
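The comparison from the steps above, together with the same-algorithm check just described, as an added PowerShell example (not code from the original page). The function name Test-DownloadHash and the sample file are hypothetical; the file is constructed as the three bytes "abc", whose SHA-256 is a standard test vector.

```powershell
# Added example: compare a file's hash with the vendor's published value.
# Test-DownloadHash and the sample file are hypothetical, not from the page.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected
    )
    # Strip whitespace that tends to come along when copying from a web page.
    $want = ($Expected -replace '\s', '')
    if ($want -notmatch '^[0-9a-fA-F]+$') {
        throw "Published value is not a hex string: '$Expected'"
    }
    # Infer the algorithm from the digest length so a SHA-256 result is never
    # compared against an MD5 or SHA-1 value by mistake.
    $algorithm = switch ($want.Length) {
        32  { 'MD5' }
        40  { 'SHA1' }
        64  { 'SHA256' }
        96  { 'SHA384' }
        128 { 'SHA512' }
        default { throw "Unrecognised digest length: $($want.Length) hex characters" }
    }
    if ($algorithm -in 'MD5', 'SHA1') {
        Write-Warning "$algorithm only catches accidental corruption; use SHA-256 if the vendor offers it."
    }
    $got = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash
    [pscustomobject]@{
        Algorithm = $algorithm
        Expected  = $want.ToUpperInvariant()
        Actual    = $got
        Match     = ($got -eq $want)   # -eq on strings ignores case
    }
}

# Constructed sample: a 3-byte file containing "abc" and its SHA-256 test vector,
# pasted with spaces the way a web page might show it.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63))
$published = 'ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad'

Test-DownloadHash -Path $sample -Expected $published                  # intact copy
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x64))  # simulate a one-byte change
Test-DownloadHash -Path $sample -Expected $published                  # altered copy
Remove-Item -LiteralPath $sample
```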
Verify Signatures for Extra Assurance
For the highest-security downloads, vendors also publish a GPG or PGP signature. A signature proves not only that the file is intact but that it genuinely came from the publisher, because it is cryptographically tied to their private key. Tools like Gpg4win let you verify these signatures on Windows.
Signature verification is more involved than a simple hash check, but for things like Linux ISOs, cryptocurrency wallets, or security software, it is the gold standard for confirming authenticity.