How to Verify File Integrity with Hash
Why Verify File Integrity?
Files transmitted over the internet may be corrupted due to network errors, storage media issues, or intermediate server failures. More seriously, if a software download site is compromised by attackers, distributed installation packages may have malicious code injected. By comparing the file's hash value (provided by the official publisher) with the hash of your locally downloaded file, you can detect both situations.
Verifying File Hash on Linux
# Calculate MD5 hash of a file
md5sum ubuntu-24.04-desktop-amd64.iso
# Output: a39513a0badf2ea1a9c24b0a3a9b4c45 ubuntu-24.04-desktop-amd64.iso
# Calculate SHA256 hash
sha256sum ubuntu-24.04-desktop-amd64.iso
# Output: [64-char hash] ubuntu-24.04-desktop-amd64.iso
# Verify against a checksum file (if provided); add --ignore-missing to skip listed files you did not download
sha256sum -c SHA256SUMS
# ubuntu-24.04-desktop-amd64.iso: OK
# Batch verify multiple files
sha256sum -c checksums.txt
Verifying File Hash on macOS
# MD5 (built-in md5 command)
md5 ubuntu-24.04-desktop-amd64.iso
# MD5 (ubuntu-24.04-desktop-amd64.iso) = a39513a0badf2ea1a9c24b0a3a9b4c45
# SHA256 (using shasum)
shasum -a 256 ubuntu-24.04-desktop-amd64.iso
# [64-char hash] ubuntu-24.04-desktop-amd64.iso
# Also works with openssl
openssl md5 myfile.iso
openssl sha256 myfile.iso
Verifying File Hash on Windows
# PowerShell: Get-FileHash (built-in)
Get-FileHash ubuntu-24.04.iso -Algorithm MD5
Get-FileHash ubuntu-24.04.iso -Algorithm SHA256
# Output format:
# Algorithm Hash Path
# --------- ---- ----
# SHA256 [64-char hash] C:\...\ubuntu-24.04.iso
# Compare hashes directly in PowerShell
$expected = "abc123..."
$actual = (Get-FileHash ubuntu.iso -Algorithm SHA256).Hash
if ($expected -eq $actual) { "MATCH - file OK" } else { "MISMATCH - file corrupted!" }
Practical Verification Steps
- Download the file from the official software website, and find the official hash value (usually on the download page or in a separate .sha256 file)
- Use the above commands to calculate the hash value of your downloaded file
- Compare the calculated result with the official value character by character (note that case doesn't affect MD5/SHA256 equivalence, but it's recommended to normalize to the same case before comparing)
- If they match exactly, the file is intact; if they don't match, the file is corrupted or tampered with and should be re-downloaded
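The steps above as a reusable shell check (an added example, not code from the original page): it looks up a file's entry in a checksum file, normalizes case, rejects an expected value that is not a 64-hex-digit SHA-256, and compares. The function names and the pkg.iso demo file are constructed for illustration.

```bash
# Print the lowercase SHA-256 of FILE with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1"
  else
    shasum -a 256 < "$1"            # macOS
  fi | awk '{ print tolower($1) }'
}

# Print the hash listed for NAME in a checksum file whose lines look like
# "<hash>  <name>" or "<hash> *<name>"; return 1 if NAME has no entry.
expected_from_sums() {
  awk -v name="$2" '
    { f = $0; sub(/^[0-9A-Fa-f]+ [ *]/, "", f) }
    f == name { print tolower($1); found = 1; exit }
    END { exit(found ? 0 : 1) }' "$1"
}

# 0 = match, 1 = mismatch, 2 = unusable input (unreadable file, or an expected
# value that is not 64 hex digits, e.g. a 32-digit MD5 pasted by mistake).
verify_sha256() {
  local file="$1" expected
  expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  case $expected in *[!0-9a-f]*) return 2 ;; esac
  [ "${#expected}" -eq 64 ] || return 2
  [ -r "$file" ] || return 2
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Constructed demo: a stand-in download plus a checksum file that lists it
# in upper case, the way Get-FileHash prints hashes.
demo() {
  local dir want rc
  dir=$(mktemp -d) || return 1
  printf 'hello\n' > "$dir/pkg.iso"
  printf '%s  pkg.iso\n' "$(sha256_of "$dir/pkg.iso" | tr 'a-f' 'A-F')" > "$dir/SHA256SUMS"
  want=$(expected_from_sums "$dir/SHA256SUMS" pkg.iso) &&
    verify_sha256 "$dir/pkg.iso" "$want" && echo "pkg.iso: OK"
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

demo
```

Exit status 2 is kept separate from a mismatch so that a bad paste or the wrong algorithm is not reported as a corrupted download.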
Limitations of Hash Verification
Hash verification alone has an important limitation: if the official publisher's website itself is hacked, the attacker may simultaneously replace both the download file and the hash value. Your calculated hash would then match what's shown on the site, but both are malicious versions. This is why many important software packages (like Linux distributions, security tools) also provide GPG digital signatures: you can independently verify the signature to confirm the file truly came from a trusted publisher, not just that the file is intact.
Should You Use MD5 or SHA256 for Verification?
If the official source provides both MD5 and SHA256, prefer SHA256. Although MD5's collision issues make it unsuitable for security signatures, for the scenario of "file accidentally corrupted in transit," MD5 remains effective (random corruption will not, in practice, produce a file with the same hash). However, for the scenario of "preventing intentional tampering," you must use SHA256 or stronger, because an attacker may carefully craft a collision.