nutilz
#

File Hash Checker

Verify file integrity with SHA-1, SHA-256, SHA-384 & SHA-512

📂

Drop any file here, or click to browse

Any file type — all processing happens in your browser

🔒 No upload — your file never leaves your device. All hashing runs entirely in your browser.

What Is a File Hash?

A file hash is a short, fixed-length fingerprint of a file — typically a string of 64 or 128 hexadecimal characters — produced by feeding the file through a cryptographic hash function. The function is deterministic: the same file always produces the same hash. What makes it powerful is the avalanche effect: change even one bit anywhere in the file and the resulting hash is completely unrecognizable from the original. A 100 GB backup and a 1 KB text file both produce a 64-character SHA-256 hash of exactly the same format.

This one-way property is what makes hashes useful for integrity verification. You cannot reconstruct the original file from its hash — you can only check whether a file you have produces the same hash as a reference value. If it does, the file is provably identical. If it doesn't, something changed: a download error, a storage failure, or deliberate tampering.

Software publishers routinely post SHA-256 checksums alongside their download links for exactly this reason. Operating system images, installer packages, Docker base images, firmware updates, and compiled binaries are all commonly published with accompanying hashes. Checking the hash before executing a file is one of the most effective and simple security hygiene habits you can adopt.

How to Use the File Hash Checker

  1. 1.Drag any file onto the drop zone, or click to open a file browser. The tool accepts any file type and has no enforced size limit beyond what your browser's memory can hold.
  2. 2.SHA-1, SHA-256, SHA-384, and SHA-512 hashes are computed simultaneously using your browser's native WebCrypto API. Most files finish in under a second.
  3. 3.Click the Copy button next to any hash row to copy it to your clipboard.
  4. 4.To verify a file, paste the expected hash (from the publisher's website or a checksums file) into the Verify Hash field. The tool automatically detects which algorithm it corresponds to and shows a green match or red mismatch.
  5. 5.To check a different file, click anywhere on the drop zone to open the file browser again. The hashes update instantly.

SHA-1, SHA-256, SHA-384, and SHA-512 Compared

All four algorithms belong to the SHA (Secure Hash Algorithm) family, standardized by the US National Institute of Standards and Technology. They differ primarily in output size and security strength.

AlgorithmOutput (bits)Hex charsStatusWhen to use
SHA-116040DeprecatedLegacy software only
SHA-25625664StandardMost verification tasks
SHA-38438496StrongHigh-security contexts
SHA-512512128StrongLong-term archival

SHA-1 was the industry standard until Google's 2017 SHAttered attack demonstrated a practical SHA-1 collision — two different PDF files with the same SHA-1 hash. Major browsers stopped accepting SHA-1 TLS certificates in 2017. It is still safe for non-security purposes like detecting accidental data corruption, but not for verifying authenticity. SHA-256 became the replacement and is now universally supported. SHA-384 and SHA-512 are part of the SHA-2 family and are cryptographically healthy by all current analysis; they are simply overkill for typical download verification but the right choice if you are building long-lived archival systems or working in regulated industries with specific compliance requirements.

Verifying Downloaded Software with SHA-256

The most practical use case for a file hash checker is verifying a software download before installing it. Here is a real example using a Linux distribution ISO.

When you visit the Ubuntu download page, alongside each ISO file you will find a link to a SHA256SUMS file and a SHA256SUMS.gpg signature. The SHA256SUMS file contains one line per release variant, like this:

a435f6f393dda581172490eda9ef42c65a13d76968e63e18d4e2a1e1e8e28cca  ubuntu-24.04-desktop-amd64.iso

Download the ISO, drag it into the File Hash Checker, and compare the SHA-256 output to the first 64 characters on that line. If they match exactly, you have an authentic Ubuntu image — unmodified since Canonical built it. If they don't match, re-download; a large ISO can silently truncate on an unstable connection.

The same pattern applies to Python installers from python.org, Node.js binaries from nodejs.org, and virtually every serious open-source project. Look for checksums, SHA256SUMS, or hashes on the download page, typically in fine print or a collapsible section.

For Windows software that does not publish its own checksums, VirusTotal uses file hashes to let you look up whether a file has been previously scanned. Searching the SHA-256 of a suspicious installer in VirusTotal can reveal whether any antivirus engines have flagged it — a two-minute check that has caught real malware.

Other Use Cases for File Hashing

Backup integrity verification. After creating a backup archive, record its SHA-256 hash. When you need to restore, recompute the hash and compare. If storage media has degraded — a phenomenon called bit rot — the hash will differ and you will know before spending hours on a failed restore.

Docker image digests. Docker pull commands support a @sha256: digest suffix for pinning to an exact image layer. You can verify a saved Docker image tar archive using this tool before loading it on an air-gapped machine.

Build artifact consistency in CI/CD. Recording the SHA-256 of compiled binaries before and after a deploy lets you confirm that nothing was modified between the build step and production. Some supply chain attacks inject changes between the build and the deploy; a hash check catches this.

File deduplication. Two files with identical SHA-256 hashes are provably identical, making hashes useful for finding duplicate files across large directories without reading every byte of every file pair.

Digital forensics. When analyzing evidence in legal or security investigations, the SHA-256 hash of a drive image or file establishes its integrity over time — if the hash matches when re-checked months later, the evidence has not changed since collection.

Common Mistakes When Checking File Hashes

Invisible whitespace in the expected hash. When copying a hash from a webpage or PDF, it is easy to accidentally include a trailing space or newline character. The Verify Hash field in this tool trims whitespace automatically, but command-line tools like sha256sum -c will fail if the reference file contains any formatting inconsistency.

Comparing hashes from different algorithms. A SHA-1 hash is 40 hex characters. A SHA-256 hash is 64. A SHA-512 hash is 128. Copying a SHA-512 hash into a tool that expects SHA-256 will always fail — not because the file is corrupt, but because the hash lengths don't match. This tool handles all four algorithms simultaneously, so any valid hash of the correct length will match against the corresponding algorithm.

Checking the wrong file variant. Many projects publish multiple downloads — a 64-bit installer, a 32-bit installer, a portable zip, and an ARM build — each with a distinct hash. Confirming the hash of the 64-bit installer against the published hash for the 32-bit installer will fail even if both files are completely authentic.

Not verifying the hash source itself. A hash is only trustworthy if it came from a source you trust. An attacker who compromises a download server can replace both the file and the published hash. Serious projects publish hashes alongside GPG signatures; verifying the GPG signature on the checksums file gives you cryptographic assurance that the hash came from the developer's private key, not just an untrusted web page.

File Hashing in Modern Development Workflows

File hashing has become deeply embedded in modern software engineering beyond the obvious download-verification use case. Understanding where hashes appear helps you work more confidently with the tools and platforms you use every day.

Git object model. Git is built entirely on SHA-1 (transitioning to SHA-256 in newer versions). Every commit, tree, blob, and tag in a git repository is identified by its cryptographic hash. When you run git log --oneline, the 7-character IDs you see are the first 7 characters of that commit's full 40-character SHA-1 hash. The entire integrity of your repository history depends on these hashes — any modification to a committed file would change its hash and break the chain back through history.

npm and package registries. When you install an npm package, the npm client checks the downloaded tarball's SHA-512 hash against the value stored in package-lock.json. If they differ — because the registry served a different version or the network corrupted the download — the install fails with an integrity check error. This protects your projects from subtly modified packages, a real attack vector known as a supply chain attack. Running npm ci instead of npm install enforces these hash checks strictly.

Subresource Integrity (SRI) in browsers. When loading JavaScript or CSS from a CDN, you can add an integrity attribute to the <script> or <link> tag containing the expected SHA-256 or SHA-384 hash of the file. The browser refuses to execute the resource if the delivered content doesn't match — protecting your users even if the CDN is compromised.

Container image digests. Docker image tags like node:20-alpine are mutable — the image they point to can change. For reproducible production deployments, pin images by their immutable SHA-256 digest: node@sha256:a435f6f…. This guarantees the exact same container image is used every time, eliminating a class of environment drift bugs and supply chain risks.

Frequently Asked Questions

What is a file hash and why should I check it?+
A file hash is a fixed-length string of hexadecimal characters generated by running a file through a cryptographic hash function such as SHA-256. No matter how large the file, the output is always the same length — 64 characters for SHA-256. Even a single-bit change anywhere in the file produces a completely different hash. This property makes hashes ideal for verifying file integrity: if the hash you compute matches the one published by the software developer, the file arrived intact and was not tampered with in transit or modified by malware.
What is the difference between SHA-1, SHA-256, SHA-384, and SHA-512?+
SHA-1 produces a 40-character (160-bit) hash and is now considered cryptographically weak against collision attacks — meaning two different files can theoretically be engineered to produce the same hash. It should not be used for new security-critical applications, though it still appears in older software distributions. SHA-256 is the current standard for most software verification tasks, producing a 64-character (256-bit) hash. SHA-384 and SHA-512 produce 96- and 128-character hashes respectively and offer higher security margins for long-term archival or high-security contexts, though SHA-256 is sufficient for nearly all practical verification needs.
How do I verify a downloaded file using SHA-256?+
First, locate the SHA-256 checksum published on the software's official download page — it usually appears next to the download link or in a separate .sha256 or checksums.txt file. Download the file. Open this File Hash Checker and drag the downloaded file onto the drop zone. The SHA-256 hash is computed instantly in your browser. Copy it, then paste it into the Verify Hash field along with the expected hash. A green checkmark means the file is identical to what the publisher signed — safe to install. A red mismatch means the file differs from the published hash, which could indicate a corrupted download or a file modified by an attacker.
Does this tool upload my file to a server?+
No. This tool runs entirely inside your browser using the WebCrypto API, which is a standard built into every modern browser. Your file is read directly from your device's memory into the browser's JavaScript engine — it is never transmitted over the network, never stored on a server, and never visible to anyone other than you. You can verify this yourself by opening your browser's DevTools Network tab while using the tool: you will see zero network requests triggered by the file processing.
What does it mean if the hash check fails?+
If the computed hash does not match the published hash, there are three possible explanations. First, the file may have been corrupted during download — try re-downloading and checking again. Second, you may be comparing hashes from the wrong algorithm — SHA-256 hashes are 64 characters long while SHA-512 hashes are 128 characters long, so pasting the wrong expected hash will always fail. Third, in rare cases the file may have been tampered with — either by an attacker intercepting the download or by a compromised distribution server. Do not use or execute a file whose hash does not match until you can obtain a fresh verified download.
Which file hash algorithm should I use?+
For verifying software downloads, use SHA-256 — it is the most widely published algorithm and offers strong security. For general integrity checking of backups or archived files, SHA-256 is also the practical choice. SHA-512 provides a higher security margin and is worth using when storing hashes long-term for archival purposes or when working in regulated environments. Avoid SHA-1 for new work — while it is still commonly seen in legacy systems, it has known weaknesses and should not be trusted for security-critical verification. MD5 is even weaker than SHA-1 and should only be used for detecting accidental file corruption, not for security purposes.