How to Check a File Checksum: A Step-by-Step Guide
Home » How to Check a File Checksum: A Step-by-Step Guide
(3 votes, average: 5.00 out of 5)
Say no to risky downloads! Learn how to verify the checksum of a downloaded file in 5 easy steps to ensure that the file is malware free and legitimate. Discover how comparing checksums can give you peace of mind and protect your devices from malware, data breaches and installation errors
With more than 5 billion internet users worldwide and millions of people now working remotely, downloading content has become the norm. This practice doesn’t seem like an issue until you consider the risks they pose to your business. For example, an average of 1,211 pieces of new malware variants were identified by SonicWall in 2021 alone. With this in mind, it means that the chances of downloading compromised executables and other files are now higher than ever.
To help you mitigate the chances of malware infection, we’ve previously shown you how to check if a file has a virus before downloading it and how to recognize safe download websites. But there’s more to learn. In this article, which is the second of a series of three articles on checksums, you’ll learn how to check a checksum (i.e., how to verify the checksum of a downloaded file) step by step and further secure your downloads.
What Is a Cryptographic Checksum?
A checksum is like a digital fingerprint of a file or code. It’s a calculated value made of numbers and letters used to verify the integrity of a file. One of the most common uses of checksums is confirming whether a downloaded file is corrupted or has been tampered with since it was originally created. How? This is what you’re going to learn next.
How to Verify the Checksum of a Downloaded File in 5 Easy Steps
Some publishers provide you with their files’ checksums upfront. This means that when you go to a software vendor’s download page of a file or code, especially in the case of software packages, you’ll find a string of alphanumeric characters near the download button that looks like a load of gibberish; that’s the file’s checksum.
Let’s see how you can use it to validate files on Windows and Linux. Before we do that, it’s important to highlight that there are two ways to manually verify checksums:
Using the built-in checksum tool available on all major operating systems.
Using a third-party checksum calculator like Microsoft’s FCIV (File Checksum Integrity Verifier) or GtkHash.
In this guide, we’re going to use the first and more straightforward option in the Windows operating system.
1. Windows — Download the File
To show you how to verify checksum of a downloaded file, we’ll download the latest UBUNTU Mate ISO. This free, open-source operating system includes a checksum for file integrity checking purposes.
As you can see, in this case, the ISO comes with a SHA256 checksum. This means that once you’ve downloaded the image, in order to verify its integrity, you’ll have to generate the SHA-256 checksum for it.
Open the command prompt by clicking the Start button.
Type cmd in the run bar and select Run as Administrator to launch the Command Prompt window in Admin mode.
3. Go to The Directory Where the File Is Saved
Use the cd (change directory) command to navigate to the directory where you saved the downloaded ISO:
4. Type certUtil –hashfile [Filename] SHA256 to Generate the Checksum
Type certUtil -hashfile [filename, in this case ubuntu-mate-20.04.3-desktop-amd64.iso] SHA256
Press Enter.
This will generate the checksum. Note: An ISO is usually pretty big, so it may take some time to generate the file checksum.
5. Compare the Two Checksums
Compare the checksum displayed on the vendor’s page with the one you’ve just generated. If it matches, you’re good to go because it means that the ISO is clean and free of errors. If it doesn’t, it means the file might be corrupted or compromised. Easy right?
versus
Yeah! They match.
Let’s see how it works in Linux.
1. Linux—Download the File
To simplify things and allow you to compare the two processes, we’ll use the same UBUNTU Mate ISO example.
2. Open a Terminal Window
Press Ctrl+Alt+T. A terminal window will immediately pop up on your screen.
3. Go to the Directory Where the File Is Saved
Much like in the previous Windows CMD Prompt example, use the cd command to navigate to the directory where you stored the downloaded ISO. This process will look like this in Linux:
4. Type sha256sum [Filename] to Generate the Checksum
Type sha256sum [filename] — we’re using a specific version of Ubuntu. So, in this case, you could type sha256 sum ubuntu-mate-20.04.3-desktop-amd64.iso.
Press Enter.
This will generate the checksum:
5. Compare the Two Checksums to See If They Match
It’s comparison time! You’ll now want to check the comparison on the vendor’s website against the one you generated. Does I match? If yes, you’re set because it means the ISO is unaltered and free of errors. If it doesn’t match, the file might be compromised in some way.
Let’s quickly compare your generated checksum value with the one provided on the UBUNTU Mate Download page:
versus
They match!
Now you’re ready to verify every file you download from those websites displaying checksums!
How Accurate Is a File Checksum?
One of the key characteristics of a checksum is that any change made to the original file, even a small one, will result in a totally different checksum algorithm. As a result, the checksum you generate for the file you download won’t match the one displayed on the publisher’s download page. This guarantees a high level of accuracy and file integrity assurance.
Final Thoughts on How to Check a File Checksum
As you can see, understanding how to check a file checksum isn’t rocket science; it’s something even users with relatively basic computer skills can manage if they know what to do. It just takes a few minutes, and it can save you from the disastrous consequences of malware infections or corrupted files installations such as data breaches.
Add the power of checksums to your download routine when possible and remember: every little thing counts in protecting the security of your device!
If you want to learn even more about how to check checksum, don’t miss our next and last article of the series. This article will serve as the ultimate step-by-step guide on how to generate an MD5 checksum to check the validity of a signed executable’s digital signature.
Code Signing Best Practices
Download thisCode Signing Best Practices guideto improve your software and supply chain security.
Help keep your end users safe from supply chain attacks.
Prove your software's authenticity using digital identity.
Protect your software's integrity by preventing alterations.
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Email Us
+1 (727) 291-0611
Chat Now
