How do I verify a SHA-256 checksum without installing anything?

Open PDFFlare's verify checksum online tool, paste the SHA-256 hash from the publisher's download page (a 64-character hex string), then drag the file you downloaded into the upload area. The tool auto-detects that the hash is SHA-256, computes the file's SHA-256 in your browser, and shows a green ✓ Match or red ✗ Mismatch. Identical experience on Mac, Windows, and Linux because everything runs in the browser — no shasum, Get-FileHash, or sha256sum needed.

Does PowerShell's Get-FileHash work the same way as shasum on Mac?

The underlying SHA-256 is identical, but the output format differs. PowerShell prints UPPERCASE hex; shasum and sha256sum on Mac/Linux print lowercase. Almost every publisher publishes lowercase. If you ran Get-FileHash and want to verify against a lowercase published hash, either lowercase the result yourself or paste both into PDFFlare — the tool normalizes case automatically and compares constant-time.

What if I copy a SHA256SUMS line that includes the filename?

PDFFlare's verify checksum tool understands SHA256SUMS-style lines — paste `abc123... ubuntu-24.04-desktop-amd64.iso` and it keeps just the hash portion. You can also drop the SHA256SUMS or .sha256 file itself into the companion drop zone (expand the disclosure below the verdict) and the tool extracts the contents automatically. This is the fastest workflow for verifying Linux distro ISOs because the SHA256SUMS file is what they ship.

Why does an MD5 checksum still appear on some download pages?

Backwards compatibility. MD5 has been cryptographically broken since 2004, but it's still useful as a non-security integrity check against a publisher you already trust — corruption from a flaky network or bad disk will change the MD5 just as much as it changes a SHA-256. PDFFlare's verify md5 hash flow handles MD5 (32-character hex), SHA-1 (40), SHA-256 (64), SHA-384 (96), and SHA-512 (128) the same way. Auto-detect picks whichever the publisher used.

If the verdict is mismatch, is the file dangerous?

Mismatch means the file you have is NOT byte-identical to what the publisher signed. Three causes: (1) corrupted download — incomplete bytes, common with large files over a flaky connection; (2) wrong file — you may have grabbed an older release or a different architecture; (3) tampering — a compromised mirror or MITM swapped the file. The safe response is the same in all three cases: re-download from the original source over HTTPS and verify again. If multiple downloads from different mirrors all mismatch, contact the publisher.

May 6, 20269 min read

How to Verify a Checksum on Mac, Windows, Linux (Free, Online)

You opened a download page, copied a long string of hex characters labeled “SHA-256,” and now you have to figure out whether the file you just downloaded matches it. The official docs point you at shasum -a 256 on Mac, Get-FileHash in PowerShell on Windows, and sha256sumon Linux — three different commands, three different output formats, and you still have to eyeball two 64-character strings to decide if they match. There's a faster way that works the same on every OS.

In this guide you'll learn how to verify a checksum online using PDFFlare's Verify Checksum tool — paste the publisher's hash, drop the file, get a big green ✓ Match or red ✗ Mismatch in seconds. Use it as a sha256 hash verifier when downloading Linux ISOs, to verify md5 hash digests on legacy archives, as a checksum verifier online for Windows installers, or as a verify file integrity online tool for backups. Auto-detects the algorithm by hex length so a single field handles SHA-256, MD5, SHA-1, SHA-384, and SHA-512.

What Is a Checksum and Why Verify It?

A checksum is a deterministic fingerprint of a file. Run any modern hash function (SHA-256 is the de-facto standard in 2026) over the raw bytes and you get a fixed-size digest — 64 hex characters for SHA-256, 32 for MD5, 128 for SHA-512. Change a single byte anywhere in the file and the digest changes completely. So when you compute the hash on YOUR copy of the file and compare it to the hash the publisher posted, a match means byte-for-byte identical. A mismatch means something happened: a corrupted download, a wrong file, or tampering somewhere in the chain.

SHA-256 — modern default. 64 hex chars. Used by Linux distros (Ubuntu, Fedora, Debian), GitHub releases, most package managers, container registries.
MD5 — legacy. 32 hex chars. Cryptographically broken since 2004 but still useful for non-security integrity checks against trusted sources, especially older Linux mirrors and archive formats.
SHA-1 — legacy. 40 hex chars. Broken for collision resistance since 2017 but still seen on older release pages.
SHA-512 — bigger SHA-2 sibling. 128 hex chars. Common on Apache projects and some Linux distros that publish both SHA-256 and SHA-512.

How to Verify a Checksum Online (Step by Step)

Find the publisher's hash.On the download page, look for “SHA-256”, “Checksum”, or a link to a SHA256SUMS file. Copy the hex string. PDFFlare also accepts the entire SHA256SUMS-style line (`abc… filename.iso`) — the tool keeps just the hash portion.
Open the verify checksum online tool. Visit /tools/dev/verify-checksum and paste the hash into the Expected hash field. The tool auto-detects the algorithm by counting hex characters — no need to choose SHA-256 vs MD5 manually.
Drop the file you downloaded. Drag the .iso / .zip / .exe / .dmg into the upload area, or click to browse. The file is hashed locally in your browser using crypto.subtle.digest(); nothing uploads.
Read the verdict. Green ✓ Match means the file is byte-perfect — install with confidence. Red ✗ Mismatch shows both the expected and actual hashes side by side so you can see exactly where they diverge.

Verify SHA-256 Checksums Across Operating Systems

How to verify a SHA-256 checksum on Mac (shasum vs the web)

macOS ships with shasum -a 256 ~/Downloads/ubuntu-24.04-desktop-amd64.iso— runs SHA-256 on the file and prints the digest. To verify, you copy the publisher's expected hash and compare two long hex strings by eye. PDFFlare's verify sha256 checksum flow does the same comparison constant-time and shows a single green / red verdict instead. No Terminal needed; the comparison is unambiguous.

How to verify a SHA-256 checksum on Windows (Get-FileHash)

PowerShell's Get-FileHash -Algorithm SHA256 .\ubuntu.iso outputs the hash in UPPERCASE hex — annoying because almost every publisher publishes lowercase. PDFFlare normalizes case automatically, so pasting an uppercase hash and verifying against a lowercase published value (or vice versa) just works. Acts as a checksum verifier online whether you're on Windows 10, 11, or Server.

How to verify a SHA-256 checksum on Linux (sha256sum)

Linux gives you the cleanest CLI experience: sha256sum -c SHA256SUMS reads every line of a SHA256SUMS file and verifies every listed file in one shot — ideal for big batches. For a single file though, the verify checksum online tool is faster: drop the SHA256SUMS file itself into the companion drop zone, drop the actual file at the top, and PDFFlare picks the matching hash from the SHA256SUMS contents and verifies it.

Common Checksum Verification Scenarios

Verifying an Ubuntu / Fedora / Debian ISO before flashing

Before dd or Rufus writes the image to a USB stick, run the verify iso checksum step. Linux distros are a common target for compromised mirrors because everyone downloads them. The 30 seconds the verification takes is cheap insurance against installing a tampered image. Do this BEFORE writing to disk, not after.

Verifying a GitHub release artifact

Many open-source projects publish a checksums file alongside their release tarballs. Drop the released artifact into PDFFlare's sha256 hash verifier, paste the matching line from checksums.txt or SHA256SUMS, and confirm in one click. If a release page only publishes a GPG signature instead of a SHA-256, you'll need a GPG client — but most projects publish both, and SHA-256 alone is enough to catch corruption and most tampering.

Verifying a Windows installer or macOS .dmg

Software vendors sometimes publish a SHA-256 fingerprint alongside .exe / .msi / .dmg downloads. PowerShell can compute the local hash, but pasting two long hex strings into a small terminal window and trying to compare them by eye is error-prone. The verify checksum online tool gives you a clear green / red answer — no eyeballing required.

Comparing file hashes after a backup or transfer

When you copy a 50 GB backup to a new drive, hash the source using PDFFlare's File Checksum tool, record the SHA-256, then later use this Verify tool to compare file hash values against the destination. Match means byte-perfect. Mismatch means silent disk corruption or partial copy — re-do the transfer before you trust the backup.

Common Mistakes

The two most common “why doesn't my hash match?” situations have nothing to do with the file being bad:

Pasting the GPG signature instead of the hash. Some download pages have a .asc signature file and a SHA256SUMS file. The signature signs the SHA256SUMS file, not your download. You need the hash from INSIDE the SHA256SUMS file, not the signature itself.
Hashing the wrong file.Common when a project publishes multiple architectures (x86_64, arm64) or multiple flavors (full, minimal). Make sure the hash you pasted corresponds to the exact filename you downloaded. PDFFlare's SHA256SUMS-line parsing helps because the full line includes the filename you can spot-check.
Stale download from a CDN cache.Some mirrors lag behind the canonical hash. If you mismatch against the official hash but match against an older one, re-download from the project's primary mirror.

Privacy: Files Stay in Your Browser

Verifying download integrity should never require uploading the download. PDFFlare's verify checksum tool reads the file via the browser's File API and hashes it in crypto.subtle.digest()(a small client-side MD5 module fills the gap for that one algorithm). Nothing crosses the network during the hash computation. You can confirm by opening DevTools → Network and watching the tab stay empty while the hash runs. This is what makes the tool safe for sensitive backups, internal builds, encrypted archives, and proprietary downloads — anything you can't send to a third-party hash service.

Related Tools

File Checksum — compute MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 of any file in one pass. The companion to Verify Checksum: this one shows you the hashes; Verify takes a hash and tells you yes-or-no whether the file matches.
Hash Generator — same algorithms, but for strings. Useful for cache keys, JWT payload digests, and anywhere you need to hash text rather than bytes.
HMAC Generator — for keyed hashes (webhook signatures, JWT HS256). Not for download verification, but adjacent enough that people who verify checksums also sign payloads.
Base64 Encode / Decode — convert between base64 and hex when a publisher provides one but you need the other to compare.

Wrapping Up

A 30-second verify checksum step prevents installing a corrupted or tampered file on your machine. Whether the publisher gave you a SHA-256, MD5, or SHA-512 hash, whether you're on Mac, Windows, or Linux, and whether the hash is hex or base64, PDFFlare's Verify Checksum tool handles the math and gives you a clear green / red answer without any install.