How to Verify a SHA-256 Checksum on Windows, Mac, and Linux
You downloaded a 4GB Linux ISO, a software update, or a backup archive. The publisher's website lists a SHA-256 checksum next to the download link. How do you actually use that string to confirm the file is authentic?
Below are the canonical commands for every major platform, plus a browser-only option that requires zero installation.
The one-liner for your platform
- Windows (PowerShell): Get-FileHash -Algorithm SHA256 file.iso
- Windows (cmd): certutil -hashfile file.iso SHA256
- macOS: shasum -a 256 file.iso
- Linux: sha256sum file.iso
- Browser: drop the file into our File Hash tool
Windows: PowerShell (recommended)
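PowerShell has been built into every Windows installation since Windows 7 / Server 2008, and its Get-FileHash cmdlet is the cleanest way to compute SHA-256 on Windows. Get-FileHash was added in PowerShell 4.0, so on a system still running an older PowerShell, use certutil (covered in the next section) instead.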
PS C:\> Get-FileHash -Algorithm SHA256 .\Downloads\ubuntu-24.04.iso
Algorithm       Hash                                            Path
---------       ----                                            ----
SHA256          8762F7E74E4D64D72FCEB5F70682E6B069DA9E5A6...    C:\Users\you\Downloads\ubuntu-24.04.iso
Compare the Hash field of the output against the published value. Every hex digit must match; letter case does not matter. If they match, the file is authentic. If even one character differs, the file is corrupted or has been tampered with, so do not run it.
To check multiple files at once
Get-ChildItem *.iso | Get-FileHash -Algorithm SHA256 | Format-List
You can also pipe to Where-Object to filter for a specific expected hash:
$expected = "8762F7E74E4D64D72FCEB5F70682E6B069DA9E5A6..."
Get-FileHash file.iso -Algorithm SHA256 | Where-Object Hash -eq $expected
If the file matches, this command returns the file's hash record. If not, it returns nothing.
Windows: cmd.exe / CertUtil
For older scripts or environments without PowerShell, certutil ships with every Windows version since XP SP3:
C:\> certutil -hashfile ubuntu-24.04.iso SHA256
SHA256 hash of ubuntu-24.04.iso:
8762f7e74e4d64d72fceb5f70682e6b069da9e5a6...
CertUtil: -hashfile command completed successfully.
The output is lowercase by convention here, but case doesn't matter for comparison — hex digits A-F and a-f are equivalent.
macOS
On macOS there are two near-identical tools: shasum (a Perl script), which is built in, and sha256sum, which is available via Homebrew. The built-in shasum works on every Mac:
$ shasum -a 256 ~/Downloads/ubuntu-24.04.iso
8762f7e74e4d64d72fceb5f70682e6b069da9e5a6... /Users/you/Downloads/ubuntu-24.04.iso
The -a 256 flag selects the SHA-256 variant; shasum can also produce SHA-1, SHA-224, SHA-384, and SHA-512 with -a 1, -a 224, -a 384, -a 512.
Checking against a SHA256SUMS file
Many projects publish a SHA256SUMS file with multiple file hashes. To verify all of them at once:
$ shasum -a 256 -c SHA256SUMS
ubuntu-24.04.iso: OK
ubuntu-24.04.iso.zsync: OK
If any file's hash doesn't match, the line ends with FAILED and shasum exits with a non-zero status code.
Linux
Every Linux distribution ships with sha256sum as part of GNU coreutils:
$ sha256sum ubuntu-24.04.iso
8762f7e74e4d64d72fceb5f70682e6b069da9e5a6... ubuntu-24.04.iso
The output format is the same as shasum on macOS, intentionally — they're compatible. To check multiple files against a published SHA256SUMS file:
$ sha256sum -c SHA256SUMS
ubuntu-24.04.iso: OK
Use --ignore-missing if some files in the manifest aren't present locally.
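The exit-status behaviour described above, as an added example that is not part of the original article. It assumes GNU coreutils sha256sum; check_manifest and make_release are hypothetical helpers, and the file names and contents are constructed.

```shell
#!/bin/sh
# Added example, GNU coreutils sha256sum assumed. check_manifest and
# make_release are hypothetical helpers; file names and contents are constructed.

# check_manifest DIR [extra sha256sum options]
# Runs from inside DIR because manifest paths are relative to it.
# --quiet hides the "OK" lines; the exit status is what a script acts on.
check_manifest() {
    dir=$1; shift
    ( cd "$dir" && sha256sum -c --quiet "$@" SHA256SUMS )
}

# Build a constructed release: two files plus the manifest that lists them.
make_release() {
    rel=$(mktemp -d)
    printf 'image bytes\n' > "$rel/disk.iso"
    printf 'delta bytes\n' > "$rel/disk.iso.zsync"
    ( cd "$rel" && sha256sum disk.iso disk.iso.zsync > SHA256SUMS )
    printf '%s\n' "$rel"
}

rel=$(make_release)
check_manifest "$rel" && echo "1. intact release: exit status 0"

# One appended byte changes the digest, so that entry is reported FAILED.
printf 'x' >> "$rel/disk.iso"
check_manifest "$rel" 2>/dev/null || echo "2. modified file: exit status $?"

# Restore the file, then remove the other one. A missing entry fails the
# check unless --ignore-missing is given.
printf 'image bytes\n' > "$rel/disk.iso"
rm "$rel/disk.iso.zsync"
check_manifest "$rel" 2>/dev/null || echo "3. missing file: exit status $?"
check_manifest "$rel" --ignore-missing && echo "4. --ignore-missing: exit status 0"

rm -rf "$rel"
```

With --ignore-missing, a file that has been deleted from the download directory goes unreported, so use it only when you deliberately fetched a subset of the release.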
The browser-only option
If you don't want to open a terminal — or you're on a locked-down corporate machine where you can't install or run command-line tools — you can compute the hash entirely in your browser. Modern browsers expose the Web Crypto API, which runs SHA-256 in native code at full speed without uploading the file anywhere.
Drop the file into our File Hash tool. The hash is computed locally; the file never leaves your device. You can verify this by opening browser DevTools, switching to the Network tab, and confirming zero outbound requests during the hashing process.
Or use our Hash Verifier, which takes both the file and the expected hash and tells you directly whether they match (or what algorithm the hash belongs to, if you're not sure).
Comparing hashes correctly
Two pitfalls to avoid:
- Whitespace and line endings. When pasting a hash from a webpage, you might accidentally grab a leading or trailing space. The comparison is byte-exact for the hash, but invisible whitespace is a common cause of "they look the same but the check fails." Strip whitespace before comparing.
- Case sensitivity. The hash itself is case-insensitive (hex A-F = a-f). But the surrounding tools may differ — Get-FileHash outputs uppercase by default, sha256sum outputs lowercase. Normalize both to lowercase before string comparison if you're scripting this.
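Both pitfalls handled in one place, as an added shell example that is not part of the original article. verify_sha256 is a hypothetical helper name, and the sample file is constructed; the helper also rejects a pasted value that is not 64 hex digits, which goes one step beyond the two pitfalls listed.

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 with a hash pasted from a web page.
# verify_sha256 is a hypothetical helper name, not a standard command.
# Returns 0 = match, 1 = mismatch, 2 = expected value is not a SHA-256 hash,
#         3 = file unreadable.
verify_sha256() {
    file=$1
    # Pitfall 1: drop spaces, tabs, CR and LF picked up when copying.
    # Pitfall 2: fold to lowercase so Get-FileHash-style output compares equal.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A SHA-256 digest is exactly 64 hex digits; anything else (an MD5 or
    # SHA-1 value, a truncated paste) is rejected rather than reported as a mismatch.
    [ "${#want}" -eq 64 ] || return 2
    case $want in *[!0-9a-f]*) return 2 ;; esac

    [ -r "$file" ] || return 3
    # Read via stdin so the tool prints only "<hash>  -".
    if command -v sha256sum >/dev/null 2>&1; then
        got=$(sha256sum < "$file")          # Linux (GNU coreutils)
    else
        got=$(shasum -a 256 < "$file")      # macOS built-in
    fi
    got=${got%% *}

    [ "$got" = "$want" ]
}

# Constructed sample: a file holding the three bytes "abc", whose SHA-256 is
# the well-known test vector below (given in uppercase with stray spaces).
sample=$(mktemp)
printf 'abc' > "$sample"
if verify_sha256 "$sample" "  BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD "; then
    echo "OK: hash matches"
else
    echo "FAILED (status $?)"
fi
rm -f "$sample"
```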
What if the hash doesn't match?
In order of likelihood:
- Download was interrupted. Some browsers fail silently on partial downloads. Re-download and try again.
- You have a different version. Publishers sometimes update files without updating the hash on cached or mirrored pages. Check the publisher's primary site for the current hash.
- You're hashing the wrong file. If the publisher hashes the ISO and you hashed the ZIP that contained the ISO, they won't match. Check what the published hash is for.
- The file has been tampered with. Rare but real — especially if you downloaded from an unofficial mirror, a torrent without a trusted seeder, or a network where someone could have intercepted the download. Don't use the file.
A mismatch is always a signal to slow down and figure out which of the above applies before proceeding.
For an even faster check, use our Hash Verifier: paste the published hash, drop your file, get an instant ✓ or ✗. Auto-detects algorithm from hash length so you don't have to know whether it's MD5, SHA-1, or SHA-256.