File Verification and Checksums
1. Goal
This guide explains how to verify downloaded files using hashes and signatures. Verification helps confirm that a file was not corrupted, swapped, or modified after release.
Checksums do not prove a file is safe by themselves. They prove that your copy matches a known value.
2. Common Verification Types
You will usually see:
- SHA256: the most common checksum for releases.
- SHA512: a longer checksum, also common.
- GPG/PGP signature: proves a file was signed by someone with a specific private key.
- Code signing: built into some operating systems for apps and installers.
If a project provides both a checksum and a signature, use both.
3. Recommended Tools
Use built-in commands first. Add a GUI only if it makes verification easier.
- PowerShell Get-FileHash: built into modern Windows and good for SHA256/SHA512 checks.
- sha256sum: standard on most Linux systems.
- shasum: available on macOS and many Unix-like systems.
- GnuPG: command-line OpenPGP tool for signature verification.
- Gpg4win / Kleopatra: practical Windows GUI for GnuPG signatures and certificates.
Official links:
- GnuPG: https://gnupg.org
- Gpg4win: https://gpg4win.org
4. Verify SHA256 on Windows
Open PowerShell in the folder containing the file:
Get-FileHash .\filename.ext -Algorithm SHA256
Compare the output to the checksum published by the source.
The values must match exactly. Close is not good enough.
5. Verify SHA256 on Linux
Open a terminal in the folder containing the file:
sha256sum filename.ext
Compare the first long value to the published SHA256 checksum.
6. Verify SHA256 on macOS
Open Terminal in the folder containing the file:
shasum -a 256 filename.ext
Compare the output to the published checksum.
7. Verify a GPG Signature
Some projects publish a file plus a signature file:
example.iso
example.iso.sig
Basic flow:
- Download the file.
- Download the signature.
- Import the developer or project signing key from the official source.
- Verify the signature.
- Confirm the key fingerprint matches what the project publishes.
Example command:
gpg --verify example.iso.sig example.iso
A valid signature means the file matches the signer. It does not automatically mean the signer is trustworthy. Always check the signing key fingerprint from an official source.
8. What a Mismatch Means
If the checksum does not match:
- Do not run the file.
- Delete the file.
- Download it again from the official source.
- Recheck the hash.
- If it still does not match, treat the release or mirror as untrusted.
Possible causes:
- incomplete download;
- wrong version;
- corrupted file;
- mirror replaced the file;
- malicious modification.
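The Linux/macOS checks from sections 5 and 6 and the mismatch rule from section 8, as one added script (example code, not part of the guide): it reads the expected digest from a SHA256SUMS-style list, normalises case, and refuses anything but an exact match. The file names, list contents and the "published" digests are constructed for the demo.

```shell
#!/bin/sh
# Added example: portable SHA256 check against a "<hash>  <filename>" list.
# Uses sha256sum (Linux) when present, otherwise shasum -a 256 (macOS).

# Print the lowercase SHA256 hex digest of file $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        out=$(sha256sum "$1")
    else
        out=$(shasum -a 256 "$1")
    fi
    printf '%s\n' "$out" | awk '{print tolower($1)}'
}
# Look up the expected digest for file name $2 in list $1, whose lines are
# "<hash>  <filename>" (a leading "*" marks binary mode; accept both).
expected_from_sums() {
    awk -v f="$2" '$2 == f || $2 == ("*" f) {print tolower($1); exit}' "$1"
}
# Exact comparison only. Case is normalised because Get-FileHash prints
# uppercase while sha256sum/shasum print lowercase; nothing else is forgiven.
# Returns 0 on match, 1 on mismatch, 2 when no expected value was supplied.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no published checksum for $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (do not run it; re-download and recheck)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
# Constructed demo data, not a real release. The first digest is the genuine
# SHA256 of the bytes "hello\n"; the second is deliberately wrong.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/example.iso"
printf 'hello\n' > "$demo/other.iso"
cat > "$demo/SHA256SUMS" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  example.iso
0000000000000000000000000000000000000000000000000000000000000000  other.iso
EOF
verify_sha256 "$demo/example.iso" "$(expected_from_sums "$demo/SHA256SUMS" example.iso)"
verify_sha256 "$demo/other.iso" "$(expected_from_sums "$demo/SHA256SUMS" other.iso)" || true
```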
9. Keep Verification Notes
For important files, keep a small note next to the download:
File: example.iso
Source: https://example.org/releases
Version: 1.2.3
SHA256: ...
Checked: 2026-05-14
This is useful for operating system images, firmware, backups, archives, and tools you may reinstall later.