What is a checksum?

When you download software, especially from third-party websites or mirrors, it’s important to verify that the file hasn’t been corrupted or tampered with. A checksum allows you to do exactly that.

This guide explains what checksums are, why they’re important, and how to verify downloaded files on both Windows and macOS using built-in tools.

Quick answer: What is a checksum?

A checksum (also called a hash value) is a unique string generated from a file’s contents. Software vendors often publish checksum values alongside their downloads.

After downloading a file, you can generate your own checksum and compare it to the one provided by the vendor:

  • If the values match, the file is identical to the original version published by the developer.
  • If they don’t match, the file may be corrupted, incomplete, or modified by a third party.

Verifying checksums is particularly useful when downloading operating systems, security tools, open-source software, or any application obtained outside of an official app store.

Why should you verify downloads?

Most software downloads complete without issues, but checksum verification provides an additional layer of assurance.

It helps detect:

  • Corrupted downloads.
  • Incomplete file transfers.
  • Accidental file modifications.
  • Maliciously altered software.
  • Man-in-the-middle attacks during download.

Security-conscious users, system administrators, and IT professionals routinely verify checksums before installing software on critical systems.

How to verify a checksum on Windows

Windows includes a built-in utility called `certutil` that can generate file hashes without installing additional software.

Step 1: Download the file and checksum

Download the software as normal. If the vendor provides a compressed ZIP file, verify the checksum before extracting the contents. Many software vendors publish checksums directly on their download pages. Others provide them in a separate text file.

For example, the download page for VLC Media Player includes published SHA256 hash values that users can compare against their own results.

Step 2: Open Command Prompt

Press Windows Key + R, then type:

cmd

and press Enter.

Step 3: Navigate to the download location

Navigate to your Downloads folder in Command Prompt by entering:

cd downloads

Step 4: Generate the checksum

Run the following command, replacing [FILENAME] with your downloaded file name, and [HASH] with the algorithm specified by the software vendor.

certutil -hashfile [FILENAME] [HASH]

For example:

certutil -hashfile vlc-3.0.23-win64.exe SHA256

Step 5: Compare the results

Windows will output a long string of letters and numbers.

Compare this value with the checksum published by the software vendor.

  • Matching hashes: The file is unchanged and safe to install.
  • Different hashes: Do not install the software until you’ve identified the cause. Download the file again from the official source and verify it once more.

Supported Windows hash algorithms

`certutil` supports:

  • MD2
  • MD4
  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512

For security purposes, SHA256 or stronger algorithms are generally preferred.

How to verify a checksum on macOS

macOS includes built-in checksum tools that can be accessed through Terminal.

Step 1: Download the file

Download the software and locate the checksum published by the vendor. As with Windows, some vendors display hashes directly on their download pages: look for a link labelled “SHA256,” “checksums,” or “verify”. Others provide them separately. If you can’t locate it, check the vendor’s release notes, GitHub releases page, or security documentation. Some open-source projects also expose hashes through Homebrew formulas.

Step 2: Open Terminal

Press Command + Space and search for:

Terminal

Open the Terminal application.

Step 3: Navigate to your download folder

If the file is stored in Downloads, enter:

cd Downloads

Step 4: Generate the checksum

For a SHA256 hash, use the following (where [FILENAME] is replaced with the real filename):

shasum -a 256 [FILENAME]

For example:

shasum -a 256 vlc-3.0.23.dmg

Step 5: Compare the checksum

The generated hash will appear in Terminal. Compare it against the vendor’s published checksum. If the values match, the file is identical to the original release. If they differ, delete the file and download it again from the official source.

Other hash algorithms on macOS

Use one of these commands if the hash algorithm isn’t SHA256:

MD5

md5 [FILENAME]

SHA1

shasum -a 1 [FILENAME]

SHA256

shasum -a 256 [FILENAME]

SHA384

shasum -a 384 [FILENAME]

SHA512

shasum -a 512 [FILENAME]

SHA256, SHA384, and SHA512 are generally recommended. MD5 and SHA1 are considered cryptographically weak and should only be used when no stronger hash is available.
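The check that the Windows and macOS steps above perform by hand with `certutil` and `shasum`, written in Python as an added example (not part of the original guide) so the same script runs on either platform: it hashes the file in chunks, normalises the published hash, compares in constant time, rejects a hash of the wrong length (wrong algorithm or truncated paste), and parses a SHA256SUMS-style line. The installer file, its contents and the hash line are constructed inline; `vlc-example.exe` is a placeholder name.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in 1 MiB chunks (fine for multi-GB images) and return lowercase hex.
    `algorithm` takes the names certutil/shasum use: SHA256, sha512, sha1, md5."""
    h = hashlib.new(algorithm.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def normalize(published: str) -> str:
    """Drop the case differences, spaces and line breaks a copied hash often carries."""
    return "".join(published.split()).lower()

def verify_file(path: str, published: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the published one for that algorithm."""
    actual = file_digest(path, algorithm)
    expected = normalize(published)
    if len(expected) != len(actual):
        return False  # wrong algorithm, or a truncated copy/paste of the hash
    return hmac.compare_digest(actual, expected)

def parse_sums_line(line: str) -> tuple[str, str]:
    """Parse one SHA256SUMS-style line: '<hex>  <filename>' (shasum/sha256sum format;
    a '*' before the name marks binary mode)."""
    digest, _, name = line.strip().partition(" ")
    return digest.lower(), name.strip().lstrip("*")

def demo() -> dict:
    # Constructed sample: a fake installer in a temp dir plus a vendor-style SHA256SUMS line.
    path = os.path.join(tempfile.mkdtemp(), "vlc-example.exe")
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 4096 + b"not a real installer")
    sums_line = f"{file_digest(path).upper()}  vlc-example.exe\n"
    digest, name = parse_sums_line(sums_line)
    results = {"name": name, "match": verify_file(path, digest)}
    with open(path, "r+b") as f:  # simulate a corrupted or tampered download
        f.seek(2)
        f.write(b"\x01")
    results["after_tamper"] = verify_file(path, digest)
    results["wrong_algorithm"] = verify_file(path, file_digest(path, "SHA512"))
    return results

if __name__ == "__main__":
    print(demo())
```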

What happens if the checksum doesn’t match?

A checksum mismatch doesn’t automatically mean malware is involved, but it does indicate that the file you downloaded is different from the file published by the developer.

Common causes include:

| Cause | Description |
| --- | --- |
| Corrupted download | The file was damaged during transfer |
| Incomplete download | The download did not finish properly |
| Wrong file version | The checksum corresponds to a different release |
| Mirror synchronization issue | Download mirrors may not be fully updated |
| Tampering or compromise | A malicious party modified the file |

When hashes don’t match:

1. Delete the downloaded file.
2. Download it again from the vendor’s official website.
3. Verify the checksum a second time.
4. Avoid installing software until the checksum matches.

How checksums work

Checksums are generated using mathematical functions called hash algorithms. A hash algorithm takes data of any size and produces a fixed-length output called a hash value.

For example, SHA256 always generates a 64-character hexadecimal string regardless of whether the input is a small text file or an entire operating system image.

One important property of cryptographic hashes is that even a tiny change to the original file produces a completely different hash value. This makes hashes useful for verifying file integrity.
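The two properties just described, fixed-length output and a completely different digest after a tiny change, shown in Python as an added example (not part of the original guide): it hashes inputs from zero bytes to a 4 MiB stand-in for a disk image, then flips a single bit in a file name string and counts how many of the 256 digest bits change. All inputs are constructed inline.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_lengths(inputs: dict[str, bytes]) -> dict[str, int]:
    """Hex length of the SHA256 digest for each input, whatever the input's size."""
    return {label: len(sha256_hex(data)) for label, data in inputs.items()}

def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with a single bit inverted (a one-bit 'typo')."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def digest_bit_distance(hex_a: str, hex_b: str) -> int:
    """How many of the 256 digest bits differ (Hamming distance)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def avalanche(data: bytes, bit_index: int = 0) -> dict:
    """Hash `data` and a one-bit-different copy; report how far apart the digests are."""
    original = sha256_hex(data)
    modified = sha256_hex(flip_one_bit(data, bit_index))
    return {"original": original, "modified": modified,
            "bits_changed": digest_bit_distance(original, modified)}

# Constructed inputs: an empty file, a short note, and a 4 MiB stand-in for a disk image.
SAMPLES = {
    "empty": b"",
    "note": b"hello",
    "image": bytes(range(256)) * (4 * 1024 * 1024 // 256),
}

if __name__ == "__main__":
    print(digest_lengths(SAMPLES))  # every value is 64
    r = avalanche(b"vlc-3.0.23-win64.exe release build", 5)
    print(r["original"])
    print(r["modified"])
    print(f"{r['bits_changed']} of 256 digest bits changed")
```

A one-bit change flips about half of the digest bits on average, which is why a mismatch is always obvious rather than a one-character difference you could overlook.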

Checksums are also used in many other security technologies, including:

  • Password storage.
  • Digital signatures.
  • Software distribution systems.
  • Package managers.
  • Data integrity verification.

Common checksum algorithms

Several checksum and hashing algorithms exist, each offering different levels of security and error detection.

MD5

MD5 generates a 128-bit hash and was once widely used for file verification. Today, it is considered insecure because attackers can deliberately create different files that produce the same hash value.

SHA1

SHA1 improved upon MD5 but is also no longer considered secure against collision attacks.

SHA256

SHA256 is part of the SHA-2 family and remains one of the most commonly used algorithms for software verification. Most reputable software vendors now publish SHA256 hashes.

SHA384 and SHA512

These algorithms offer stronger security and longer hash lengths than SHA256, though they are less commonly used for everyday download verification.

Simple checksums and parity checks

Some networking and storage systems use simpler checksum methods designed to detect accidental errors rather than malicious modifications.

One example is a parity bit, which adds a single extra bit to help detect transmission errors. While useful for identifying basic corruption, parity checks are far less reliable than modern cryptographic hash functions and are not suitable for software verification.
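The gap between a parity bit and a cryptographic hash, shown in Python as an added example (not part of the original guide): a single flipped bit is caught by both, but a second flip restores the parity and the error goes unnoticed, while SHA256 still reports the change. The message is a constructed stand-in for one block of a transmitted file.

```python
import hashlib

def parity_bit(data: bytes) -> int:
    """Even-parity check bit: 1 if the message holds an odd number of 1 bits.
    This is the single extra bit a parity scheme appends to a transmission."""
    ones = sum(bin(b).count("1") for b in data)
    return ones & 1

def flip_bits(data: bytes, *bit_indexes: int) -> bytes:
    """Return a copy of `data` with the given bits inverted (simulated line noise)."""
    buf = bytearray(data)
    for i in bit_indexes:
        buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)

def parity_detects(original: bytes, received: bytes) -> bool:
    """Parity only notices a change if the total count of 1 bits changed parity."""
    return parity_bit(original) != parity_bit(received)

def sha256_detects(original: bytes, received: bytes) -> bool:
    """A cryptographic hash changes for any modification, not just odd-sized ones."""
    return hashlib.sha256(original).digest() != hashlib.sha256(received).digest()

def compare_detectors(message: bytes) -> dict:
    """Run both checks against a one-bit error and a two-bit error in the same message."""
    one_flip = flip_bits(message, 3)
    two_flips = flip_bits(message, 3, 17)
    return {
        "one_bit": {"parity": parity_detects(message, one_flip),
                    "sha256": sha256_detects(message, one_flip)},
        "two_bits": {"parity": parity_detects(message, two_flips),
                     "sha256": sha256_detects(message, two_flips)},
    }

if __name__ == "__main__":
    # Constructed sample message standing in for one block of a downloaded file.
    print(compare_detectors(b"installer block 0001"))
```

Any even number of flipped bits slips past parity, and someone altering a file deliberately can keep the parity unchanged by construction, which is why parity is fit for spotting line noise but not for software verification.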

Summary

Verifying checksums takes only a few seconds and can help ensure downloaded software hasn’t been corrupted or altered before installation. For most users, SHA256 verification using built-in Windows or macOS tools is the simplest and most reliable approach. If a checksum doesn’t match, delete the file, re-download it from the official source, and verify again before installing.

However, checksums have an important limitation: they only confirm that your file matches what the vendor published. If the vendor’s distribution system is compromised, both the file and the published hash could be affected.

For higher-security scenarios, such as verifying operating systems or security tools, consider using digital signatures (such as PGP), which rely on a separate trust model and provide stronger guarantees of authenticity.