SHA-256 File Checksums
Verify file integrity with SHA-256 checksums. Learn sha256sum usage, why SHA-256 is preferred over MD5 for secure verification, and how to automate checksum validation.
Detailed Explanation
A SHA-256 checksum is a 256-bit hash computed from a file's contents. It serves as a cryptographic fingerprint that verifies integrity (the file was not corrupted) and, when the checksum itself comes from a trusted source, authenticity (the file was not tampered with). SHA-256 checksums are the current standard for secure file verification across the software industry.
Computing SHA-256 checksums:
On Linux, use sha256sum filename to compute a checksum. On macOS, use shasum -a 256 filename. On Windows, use certutil -hashfile filename SHA256 or PowerShell's Get-FileHash -Algorithm SHA256. These tools read the file, process it through SHA-256, and output a 64-character hexadecimal string. For multiple files, you can generate a checksum manifest: sha256sum *.tar.gz > SHA256SUMS.
Verification workflow:
Download the file and the checksum file (often named SHA256SUMS or CHECKSUMS.sha256). Run sha256sum -c SHA256SUMS to automatically verify all listed files. The tool reports "OK" for matching files and "FAILED" for mismatches. This automated approach is less error-prone than manual comparison of 64-character strings.
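The verification workflow above, as an added Python example (not part of the original page) that behaves the same on Linux, macOS and Windows: it parses a SHA256SUMS manifest in sha256sum's line format and reports OK, FAILED or MISSING per file. The names verify_manifest, sha256_file and demo are hypothetical, the sample files are constructed, and file names that sha256sum would backslash-escape are rejected as malformed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# sha256sum line format: 64 hex digits, a space, ' ' (text) or '*' (binary), name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large images never sit in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(manifest_path):
    """Map each listed name to OK/FAILED/MISSING; a malformed line raises (fail closed)."""
    manifest = Path(manifest_path)
    results = {}
    for lineno, line in enumerate(manifest.read_text().splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"{manifest.name}:{lineno}: malformed checksum line")
        expected, name = match.group(1).lower(), match.group(2)
        target = manifest.parent / name
        if not target.is_file():
            results[name] = "MISSING"
        else:
            ok = hmac.compare_digest(sha256_file(target), expected)
            results[name] = "OK" if ok else "FAILED"
    return results


def demo():
    """Constructed sample: three listed files, one altered, one never downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        payloads = {"a.tar.gz": b"alpha", "b.tar.gz": b"bravo", "c.tar.gz": b"charlie"}
        lines = [f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in payloads.items()]
        (root / "SHA256SUMS").write_text("\n".join(lines) + "\n")
        (root / "a.tar.gz").write_bytes(payloads["a.tar.gz"])
        (root / "b.tar.gz").write_bytes(b"bravo, altered after publication")
        return verify_manifest(root / "SHA256SUMS")
```

A caller should treat both FAILED and MISSING as a failed verification, so that a file absent from disk is never mistaken for a verified one.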
Security advantages over MD5:
Unlike MD5, SHA-256 has no known collision attacks. An attacker cannot feasibly create a malicious file with the same SHA-256 checksum as a legitimate file. This makes SHA-256 checksums suitable for security-sensitive distribution. However, the checksum is only as trustworthy as its source. If both the file and the checksum are served from a compromised server, the attacker can replace both. For maximum security, checksums should be signed with GPG/PGP keys.
Adoption across the industry:
All major Linux distributions now use SHA-256 checksums for ISO images and packages. Docker content trust uses SHA-256 digests. Python's pip verifies package integrity with SHA-256. GitHub releases show SHA-256 checksums. The Web Crypto API in browsers supports SHA-256, enabling client-side checksum computation without server round trips, which is exactly how this tool works.
Use Case
SHA-256 checksums are the standard for verifying software downloads, Docker image integrity, and package authenticity across Linux distributions and package managers.