PureDevTools

File Checksum Calculator

Compute MD5, SHA-1, SHA-256, SHA-512 file hashes and verify downloads

All processing happens in your browser. No data is sent to any server.


You just downloaded a 4 GB ISO from a mirror site and the official page shows SHA-256: 3a7bd.... You need to verify the file wasn’t corrupted or swapped with a malicious version — but you don’t have shasum on this Windows machine, and you don’t want to install anything just for a one-time check. Or you’re building a CI pipeline that publishes artifacts with their checksums, and you want to spot-check the hashes manually before shipping the release.

Why This Tool (Not shasum or Online Hash Checkers)

Command-line tools like shasum, md5sum, and certutil are platform-specific and require a terminal. Online file hash checkers upload your file to their server — which defeats the purpose of integrity verification if the server is compromised, and is impractical for large files on slow connections.

This tool hashes files entirely in your browser using the Web Crypto API and FileReader. No bytes leave your machine. You can hash multi-gigabyte files (limited only by your browser’s memory) without any upload.

How File Checksums Work

A file checksum is the output of a hash function applied to the raw bytes of a file. The hash function reads the file as a stream of bytes and produces a fixed-length digest. If even a single bit of the file is different, the hash changes completely (the avalanche effect).

The verification workflow:

  1. The publisher computes the hash of the original file and posts it alongside the download
  2. You download the file and compute the hash independently
  3. You compare the two hashes — they must match character for character (letter case aside: hex digits A–F and a–f are equivalent)
  4. A mismatch means the file was corrupted in transit or tampered with

# Linux / macOS
sha256sum ubuntu-24.04-desktop-amd64.iso
# 3a7bd3c1... ubuntu-24.04-desktop-amd64.iso

# Automated verification
sha256sum -c SHA256SUMS
# ubuntu-24.04-desktop-amd64.iso: OK

# Windows PowerShell
Get-FileHash -Algorithm SHA256 .\ubuntu-24.04-desktop-amd64.iso
# Algorithm       Hash
# ---------       ----
# SHA256          3A7BD3C1...

Supported Algorithms

MD5 (128-bit)

Fast but cryptographically broken since 2004. Practical collision attacks exist — two different files can be crafted to produce the same MD5 hash. Still widely used for non-security checksums because of its speed and ubiquity. Many legacy systems and package managers still publish MD5 hashes.

Use for: Quick corruption detection when security is not a concern, deduplication, legacy compatibility. Do not use for: Verifying software authenticity, security-critical integrity checks.

SHA-1 (160-bit)

Deprecated since Google’s SHAttered attack in 2017 demonstrated a practical collision. Still encountered in older systems — Git used SHA-1 for commit hashes until transitioning to SHA-256. Most certificate authorities and browsers have stopped accepting SHA-1 certificates.

Use for: Legacy system compatibility only. Do not use for: Any new system or security-sensitive purpose.

SHA-256 (256-bit)

The current industry standard for file integrity verification. Used by Linux distributions (Ubuntu, Fedora, Debian), software publishers (Python, Node.js, Docker), cryptocurrency systems, and TLS certificates. No known practical attacks.

Use for: Software download verification, code signing, any security-sensitive purpose.

SHA-512 (512-bit)

Provides the highest security margin. On 64-bit processors, SHA-512 is often faster than SHA-256 because it operates on 64-bit words. Produces longer hashes (128 hex characters vs 64), which may be unwieldy for display.

Use for: Maximum security requirements, large file hashing on 64-bit systems.

Real-World Verification Examples

Verifying a Linux ISO

Ubuntu publishes SHA-256 hashes at releases.ubuntu.com:

3a7bd3c165e9eb0e2c2d2c80dc4e47f3  ubuntu-24.04-desktop-amd64.iso

Drop the downloaded ISO into this tool, select SHA-256, and compare the output with the published hash. A character-for-character match means the file is authentic, provided the published hash itself was obtained from the official source over a trusted channel.

Verifying a Python Package

PyPI shows SHA-256 hashes on every package’s download page. After downloading a .whl file:

  1. Hash it with this tool using SHA-256
  2. Compare with the hash shown on the PyPI page
  3. Mismatch → the file was corrupted or tampered with; re-download from PyPI directly

Docker Image Digests

Docker images are identified by sha256: digests. When you pull an image, Docker verifies the content hash matches the manifest digest. You can verify a saved image (.tar) by hashing it and comparing with docker inspect --format='{{.RepoDigests}}'.

Browser Implementation Details

This tool uses the Web Crypto API (crypto.subtle.digest) for SHA-1, SHA-256, and SHA-512. MD5 is computed using a JavaScript implementation because the Web Crypto API deliberately excludes MD5 from its supported algorithms.

Files are read using the FileReader API as ArrayBuffer objects. For very large files, the browser reads the file in chunks to avoid exhausting memory. Progress is shown during hashing.

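// How the tool computes a file hash
// `algorithm` is a Web Crypto name: 'SHA-1', 'SHA-256' or 'SHA-512' (MD5 is not supported there)
async function hashFile(file, algorithm) {
  // Read the file's bytes into an ArrayBuffer
  const buffer = await file.arrayBuffer();
  // digest() takes the complete buffer in one call
  const hashBuffer = await crypto.subtle.digest(algorithm, buffer);
  // Convert the digest bytes to a lowercase hex string
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}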

Hash Comparison Feature

Paste a known hash into the comparison field to automatically check whether it matches the computed hash. The tool performs a constant-time comparison and clearly indicates match or mismatch. This eliminates the error-prone process of visually comparing 64+ hex characters.
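One way such a comparison field can be implemented, as an added example that is not the tool's own source: it normalizes what users typically paste (a `sha256sum` line, uppercase `Get-FileHash` output, a `sha256:` digest), rejects values whose length does not fit the selected algorithm, and compares without an early exit. The names `HEX_LENGTH`, `normalizeExpected`, `constantTimeEqual` and `verifyDigest` are hypothetical.

```javascript
// Added example (not the tool's source); all names here are hypothetical.
// Hex digest length for each algorithm the page lists.
const HEX_LENGTH = { 'MD5': 32, 'SHA-1': 40, 'SHA-256': 64, 'SHA-512': 128 };

// Accepts a bare digest, a "sha256:<hex>" digest, a sha256sum line
// ("<hex>  name" or "<hex> *name"), or uppercase Get-FileHash output.
function normalizeExpected(pasted) {
  let text = pasted.trim();
  const prefixed = /^sha\d+:(.*)$/i.exec(text);
  if (prefixed) text = prefixed[1];
  return text.split(/\s+/)[0].toLowerCase();
}

// XOR-accumulate over every position so the loop never exits early.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { ok, reason } so the UI can explain why a check failed.
function verifyDigest(computedHex, pasted, algorithm) {
  const want = HEX_LENGTH[algorithm];
  if (want === undefined) return { ok: false, reason: 'unknown-algorithm' };
  const expected = normalizeExpected(pasted);
  if (!/^[0-9a-f]+$/.test(expected)) return { ok: false, reason: 'not-hex' };
  // A 32-character value pasted for SHA-256 is a different algorithm or a truncation.
  if (expected.length !== want) return { ok: false, reason: 'wrong-length' };
  const ok = constantTimeEqual(computedHex.toLowerCase(), expected);
  return { ok, reason: ok ? 'match' : 'mismatch' };
}

// Constructed sample: SHA-256 of the three bytes "abc".
const COMPUTED = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad';
```

In the browser, `computedHex` would be the string returned by `hashFile` above.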

Frequently Asked Questions

Does this upload my file?

No. The file is read entirely in your browser using the FileReader API. No data is transmitted to any server. You can verify this by opening your browser’s DevTools Network tab — zero requests are made during hashing.

How large a file can I hash?

This depends on your browser and available RAM. Most modern browsers can handle files up to several gigabytes. For extremely large files (10+ GB), command-line tools may be more practical.

Which algorithm should I use?

Use SHA-256 unless you have a specific reason not to. It’s the industry standard for file verification, is supported everywhere, and has no known vulnerabilities. Use MD5 only for legacy compatibility or quick non-security checks.

Why do my MD5 hashes differ from md5sum?

Make sure you’re comparing the hash of the same exact file — even a single byte difference (including trailing newlines or BOM characters) produces a completely different hash. Also check that md5sum is reading the file in binary mode (md5sum -b).
