MD5 File Checksums
Learn how MD5 checksums verify file integrity after downloads and transfers. Covers md5sum usage, limitations against tampering, and when to prefer SHA-256 checksums.
Detailed Explanation
An MD5 checksum is a 128-bit hash value computed from a file's contents, used to verify that the file has not been corrupted during download, transfer, or storage. MD5 checksums have been a standard practice in software distribution for decades, but MD5 has been cryptographically broken since practical collision attacks were published in 2004, and it is increasingly being replaced by SHA-256 checksums.
How MD5 checksums work:
The entire file is read as a byte stream (in chunks, so a multi-gigabyte ISO never has to fit in memory) and processed through the MD5 algorithm, producing a 128-bit digest conventionally written as a 32-character hexadecimal string. The function is deterministic, and changing even a single bit of the input changes the digest unpredictably, so the string serves as a fingerprint for the file. After downloading a file, you compute its MD5 checksum locally and compare it to the published checksum. If they match, the bytes you have are the bytes the checksum was computed over. If they differ, you do not have that file: most often the download was truncated or corrupted in transit, but a stale or mistyped checksum on the download page, or a substituted file, produces the same mismatch, so the only safe response is to discard the file rather than guess at the cause.
Using MD5 checksums in practice:
On Linux, the md5sum command computes file checksums (md5sum file.iso), and md5sum -c CHECKSUMS verifies every entry in a checksum list and prints OK or FAILED per file. macOS ships md5 (md5 file.iso) rather than md5sum, and shasum -a 256 for SHA-256. On Windows, certutil -hashfile filename MD5 or PowerShell's Get-FileHash -Algorithm MD5 can be used (Get-FileHash defaults to SHA-256 when no algorithm is given). Many download pages display MD5 checksums alongside download links. Package managers like apt historically used MD5 checksums in their package indices, though modern versions rely on SHA-256.
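The following is an added example, not code from the original page or from any project it mentions. It reimplements the check that md5sum -c performs, and goes slightly beyond the MD5-only case above by also accepting the SHA-256 digests the page recommends later: it parses the two-column list format that md5sum and sha256sum write ("HEX  NAME" for text mode, "HEX *NAME" for binary mode), picks the algorithm from the digest length (32 hex digits for MD5, 64 for SHA-256; that only these two occur is an assumption), streams each file in chunks, and compares digests in constant time. The sample files and checksum list are constructed in a temporary directory so it runs offline.

```python
"""Checksum verification in the style of `md5sum -c` (added example, not the page's code)."""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so an ISO-sized download never needs to fit in RAM

# Digest length in hex characters -> hashlib algorithm name (assumption: only these two occur).
ALGORITHM_BY_HEX_LEN = {32: "md5", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def file_digest(path, algorithm):
    """Return the lowercase hex digest of a file, streaming it in CHUNK_SIZE pieces."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one line of a checksum list into (expected_hex, filename, algorithm).

    Returns None for blank lines and '#' comments. Raises ValueError for a
    digest that is not valid hex or whose length is neither MD5 nor SHA-256.
    """
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    expected, sep, rest = line.partition(" ")
    if not sep or rest[:1] not in (" ", "*"):  # second space = text mode, '*' = binary mode
        raise ValueError(f"malformed checksum line: {line!r}")
    expected = expected.lower()
    if not set(expected) <= HEX_DIGITS or len(expected) not in ALGORITHM_BY_HEX_LEN:
        raise ValueError(f"unsupported digest {expected!r}")
    return expected, rest[1:], ALGORITHM_BY_HEX_LEN[len(expected)]


def verify_checksum_file(checksum_path, directory):
    """Check every entry in a checksum list against the files in `directory`.

    Returns {filename: "OK" | "FAILED" | "MISSING"}. The comparison uses
    hmac.compare_digest so a mismatch is not revealed early by timing.
    """
    results = {}
    with open(checksum_path, "r", encoding="utf-8") as f:
        for line in f:
            parsed = parse_checksum_line(line)
            if parsed is None:
                continue
            expected, name, algorithm = parsed
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                results[name] = "MISSING"
                continue
            actual = file_digest(path, algorithm)
            results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """Constructed scenario: one intact download, one with a single changed byte,
    and one entry whose file was never downloaded. Returns the verification results."""
    payload = b"pretend this is a release tarball\n" * 4096
    corrupted = payload[:-1] + b"?"  # a single-byte error, as from a broken transfer
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "release.tar.gz"), "wb") as f:
            f.write(payload)
        with open(os.path.join(d, "release.iso"), "wb") as f:
            f.write(corrupted)
        lines = [
            "# constructed checksum list, as a project might publish it",
            f"{hashlib.md5(payload).hexdigest()}  release.tar.gz",   # text mode, MD5
            f"{hashlib.sha256(payload).hexdigest()} *release.iso",  # binary mode, SHA-256
            f"{hashlib.md5(payload).hexdigest()}  missing.bin",      # never downloaded
        ]
        checksum_path = os.path.join(d, "CHECKSUMS")
        with open(checksum_path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        return verify_checksum_file(checksum_path, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run directly, it reports release.tar.gz as OK, release.iso as FAILED and missing.bin as MISSING. Selecting the algorithm from the digest length is a convenience for mixed lists; when a project publishes separate MD5SUMS and SHA256SUMS files, pass only the SHA-256 list so a downgraded MD5 entry cannot be slipped in.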
Limitations for security:
MD5 checksums only protect against accidental corruption, not deliberate tampering, for two separate reasons. First, MD5 is cryptographically broken: collisions (two different inputs with the same digest) can be generated in seconds on commodity hardware, and researchers have demonstrated pairs of different executable files with identical MD5 hashes. The practical attack is a chosen-prefix collision, which requires the attacker to craft both files in advance, for example by submitting a benign-looking build whose malicious twin shares its MD5 and swapping it in later; finding a second input that matches the MD5 of an existing file the attacker did not create (a second-preimage attack) is still not practical. Second, and independent of the algorithm, if the download page and the download itself are served from the same compromised server, the attacker does not need a collision at all: they replace both the file and the displayed checksum, and any hash function will match.
Modern recommendations:
For verifying downloads against accidental corruption (bit flips, incomplete transfers), MD5 checksums remain adequate. For security-sensitive verification, use SHA-256 checksums, and obtain the checksum over a channel the attacker of the download server does not control; a SHA-256 checksum copied from the same page as the download still only protects against corruption. The usual answer is a checksum list signed with the project's GPG key, verified against a public key you obtained and checked separately beforehand, or a checksum published on a different domain than the mirror serving the file. Many projects now publish SHA-256 checksums exclusively. The tool on this page computes MD5 checksums instantly in your browser without uploading the file anywhere.
Use Case
MD5 checksums are published alongside software downloads (Linux ISOs, open-source releases) so users can verify that files were not corrupted during transfer.