File Hash Calculator
Drop a file or pick one with the file picker — get all common hashes side-by-side. Paste the publisher's expected hash to instantly verify your download. Files never leave your browser.
How to verify a download
- Find the publisher's expected hash. Open-source projects post it on the download page or in a
SHASUMS/checksums.txtfile. - Paste that expected hash into the "Compare to" field above.
- Pick your downloaded file with the file picker.
- If "✓ Match" appears, the file is intact. If not, your download is corrupt or tampered with.
What hash should you compare against?
- SHA-256 is the modern default. Most projects publish SHA-256 alongside (or instead of) MD5/SHA-1.
- MD5 is still common for ISO files and old-school release archives. MD5 still works for accidental-corruption checks, but if both are published, prefer SHA-256.
- SHA-1 is deprecated. If a publisher only offers SHA-1, accept it for accidental-corruption verification but raise an eyebrow about their tooling.
What this catches
- Truncated / corrupted downloads — partial transfers, network errors.
- Wrong file — you saved the wrong link by mistake.
- Mirror tampering — if you got the file from a mirror but the hash from the original publisher, a tampered mirror is detectable.
What this does not catch
- Sophisticated supply-chain attacks where the attacker also controls the published hash.
- Tampering before the publisher signed it — happens upstream.
- The publisher itself being compromised.
For critical downloads (OS images, security tools), pair the hash
check with a signature check (gpg --verify on the
detached signature file). The signature is what binds the hash to
the publisher's identity.
Need text instead? Hash text on the home page. Want to learn more? Which hash function should you use?
FAQ
Is the file uploaded anywhere?
No. The file is read into memory by your browser and hashed locally. Open DevTools → Network and confirm: there are zero requests during hashing. Even multi-hundred-MB files stay on your machine.
What's the maximum file size?
Limited by your browser's memory. Typically 500 MB to 1 GB on desktop, less on mobile. For multi-GB files, use the command line: sha256sum <file> on Linux, shasum -a 256 <file> on macOS, certutil -hashfile <file> SHA256 on Windows.
Why might my hash differ from the publisher's?
Most commonly: incomplete download. Re-download and try again. Other causes: text-mode FTP/HTTP transfer changed line endings (rare today); zip/tar tools sometimes hash the unpacked content rather than the archive.
Can I hash multiple files?
One at a time, currently. For batch operations, the command line is faster: sha256sum *.iso or find . -type f -exec sha256sum {} +.