Skip to main content
SecurityFebruary 15, 20268 min read

How to Verify File Integrity with SHA-256: A Complete Guide

Learn how to verify file integrity using SHA-256 checksums without uploading files to any server. Step-by-step guide for developers and security-conscious users.

Verify file integrity with our SHA-256 Hash Generator. Compare checksums without uploading files to any server.

The Corrupted Download

You just downloaded a 2GB Linux ISO. You burn it to a USB drive, boot your computer, and... it fails. The installer crashes with cryptic errors.

After two hours of troubleshooting, you realize the file was corrupted during download. A single bit flipped. The entire file is useless.

This is why we use checksums. A SHA-256 hash acts as a fingerprint. If even one bit changes, the hash changes completely. You can verify your download is perfect before using it.

What is SHA-256?

SHA-256 is a cryptographic hash function. It takes any input—text, files, data—and produces a 64-character hexadecimal string.

Think of it like a fingerprint. Just as your fingerprint uniquely identifies you, a hash uniquely identifies data. Change even one bit, and the entire hash changes.

This is called the avalanche effect. It makes SHA-256 perfect for verifying file integrity.

Where SHA-256 is Used

SHA-256 appears everywhere in modern computing:

  • Software distribution - Linux distributions publish SHA-256 hashes for all downloads
  • Password storage - Websites store password hashes, not passwords
  • Blockchain - Bitcoin uses SHA-256 to link blocks together
  • Git version control - Every commit is identified by a SHA-256 hash
  • SSL certificates - Certificates are identified by their SHA-256 fingerprint
  • Package managers - npm, pip, and others use SHA-256 to verify packages

How to Verify File Integrity

Verifying a file is straightforward. Follow these steps:

  • Get the expected hash from the official website - Use HTTPS. Do not trust hashes from forums.
  • Generate the hash of your downloaded file - Use the commands below
  • Compare character by character - They must match exactly
  • If they do not match, delete the file and download again

SHA-256 Commands by Platform

Here is how to generate SHA-256 hashes on different platforms:

Windows (PowerShell)

Get-FileHash filename.iso -Algorithm SHA256
 
600 dark:text-purple-400">class=600 dark:text-purple-400">class="text-green-600 dark:text-green-400">"text-gray-500 dark:text-gray-400"># Or using certutil:
certutil -hashfile filename.iso SHA256

Mac and Linux

sha256sum filename.iso
 
600 dark:text-purple-400">class=600 dark:text-purple-400">class="text-green-600 dark:text-green-400">"text-gray-500 dark:text-gray-400"># Or on Mac without sha256sum:
shasum -a 256 filename.iso

JavaScript (Web Crypto API)

600 dark:text-purple-400">async 600 dark:text-purple-400">function 600 dark:text-blue-400">hashFile(file) {
  600 dark:text-purple-400">const buffer = 600 dark:text-purple-400">await file.600 dark:text-blue-400">arrayBuffer();
  600 dark:text-purple-400">const hashBuffer = 600 dark:text-purple-400">await crypto.subtle.600 dark:text-blue-400">digest(600 dark:text-purple-400">class="text-green-600 dark:text-green-400">'SHA-256', buffer);
  600 dark:text-purple-400">const hashArray = Array.600 dark:text-purple-400">from(new 600 dark:text-blue-400">Uint8Array(hashBuffer));
  600 dark:text-purple-400">return hashArray.600 dark:text-blue-400">map(b => b.600 dark:text-blue-400">toString(16).600 dark:text-blue-400">padStart(2, 600 dark:text-purple-400">class="text-green-600 dark:text-green-400">'0')).600 dark:text-blue-400">join(600 dark:text-purple-400">class="text-green-600 dark:text-green-400">'');
}

SHA-256 vs Other Algorithms

Use SHA-256 for all new applications. It is secure, widely supported, and future-proof.

SHA-1 was once popular but is now broken. Researchers have created collisions—different files with the same hash. Do not use SHA-1 for security.

MD5 is completely broken for security. It is faster than SHA-256, which makes it okay for non-security checksums. But never use MD5 for passwords or signatures.

What Hashes Cannot Do

A hash proves a file has not changed. It does not prove who created the file. Anyone can hash a file and claim they made it.

To prove authorship, use digital signatures. They combine hashing with public-key cryptography. They prove both integrity and origin.

Also, hashes do not encrypt. If you hash a password, the hash is not hidden. Attackers can crack hashes using rainbow tables. Always use proper password hashing like bcrypt or Argon2.

Frequently Asked Questions

Can two files have the same SHA-256 hash?

In theory, yes—this is called a collision. In practice, SHA-256 is so large that finding a collision is computationally infeasible. No SHA-256 collision has ever been found. The hash space is 2^256, which is larger than the number of atoms in the observable universe.

Why is SHA-256 fast and is that good?

SHA-256 is designed for speed using bitwise operations optimized for modern CPUs. This is excellent for file verification and data integrity. However, for password hashing, speed is actually a disadvantage because attackers can try billions of guesses per second. Use bcrypt, Argon2, or PBKDF2 for password storage.

How do I verify a file hash on Windows?

Open PowerShell and run: Get-FileHash filename.iso -Algorithm SHA256. The output shows the hash value. Compare it character-by-character with the expected hash from the official source. Alternatively, use certutil: certutil -hashfile filename.iso SHA256. For a GUI tool, use our online SHA-256 generator which works entirely in your browser.

What if my hash does not match?

If the hashes do not match exactly, the file is corrupted or was modified. Even a single bit change produces a completely different hash. Delete the file and download it again. Check your internet connection and ensure the download completed fully. If the problem persists, try a different mirror or contact the software distributor.

Is SHA-256 still secure in 2026?

Yes, SHA-256 remains secure and is widely recommended by security experts. It has no known practical vulnerabilities. However, SHA-3 is available as a newer alternative with a different design. For most applications, SHA-256 is perfectly adequate and will remain secure for decades.

Can I use SHA-256 for password storage?

No, never use SHA-256 alone for passwords. SHA-256 is too fast, allowing attackers to test billions of passwords per second. Use dedicated password hashing algorithms like bcrypt, Argon2, or PBKDF2. These are intentionally slow and include salt to prevent rainbow table attacks.

Can I hash text strings, not just files?

Absolutely. SHA-256 works on any data—text, files, binary data. For text, the hash will be different depending on encoding (UTF-8 vs ASCII) and whether you include a newline character. Always specify the exact text format when sharing hash values.

Can SHA-256 be reversed or decrypted?

No, SHA-256 is a one-way function. You cannot recover the original data from a hash. This is by design and is what makes it secure. The only way to 'reverse' a hash is to guess the input and check if the hash matches—a brute force attack that is impractical for complex inputs.

SHA-256file integritychecksumhash verificationlinux iso verifydownload verification