File Hash Checker
Verify file integrity with SHA-1, SHA-256, SHA-384 & SHA-512
📂
Drop any file here, or click to browse
Any file type — all processing happens in your browser
🔒 No upload — your file never leaves your device. All hashing runs entirely in your browser.
Related Tools
Hash Generator
Generate SHA-1, SHA-256 and SHA-512 hashes from any text string.
Password Strength Checker
Check password entropy, estimated crack time and strength score.
Text Encrypt & Decrypt
Encrypt and decrypt text with AES-256-GCM. Runs in your browser.
Password Generator
Generate strong, secure passwords with custom character options.
What Is a File Hash?
A file hash is a short, fixed-length fingerprint of a file — typically a string of 64 or 128 hexadecimal characters — produced by feeding the file through a cryptographic hash function. The function is deterministic: the same file always produces the same hash. What makes it powerful is the avalanche effect: change even one bit anywhere in the file and the resulting hash is completely unrecognizable from the original. A 100 GB backup and a 1 KB text file both produce a 64-character SHA-256 hash of exactly the same format.
This one-way property is what makes hashes useful for integrity verification. You cannot reconstruct the original file from its hash — you can only check whether a file you have produces the same hash as a reference value. If it does, the file is provably identical. If it doesn't, something changed: a download error, a storage failure, or deliberate tampering.
Software publishers routinely post SHA-256 checksums alongside their download links for exactly this reason. Operating system images, installer packages, Docker base images, firmware updates, and compiled binaries are all commonly published with accompanying hashes. Checking the hash before executing a file is one of the most effective and simple security hygiene habits you can adopt.
How to Use the File Hash Checker
- 1.Drag any file onto the drop zone, or click to open a file browser. The tool accepts any file type and has no enforced size limit beyond what your browser's memory can hold.
- 2.SHA-1, SHA-256, SHA-384, and SHA-512 hashes are computed simultaneously using your browser's native WebCrypto API. Most files finish in under a second.
- 3.Click the Copy button next to any hash row to copy it to your clipboard.
- 4.To verify a file, paste the expected hash (from the publisher's website or a checksums file) into the Verify Hash field. The tool automatically detects which algorithm it corresponds to and shows a green match or red mismatch.
- 5.To check a different file, click anywhere on the drop zone to open the file browser again. The hashes update instantly.
SHA-1, SHA-256, SHA-384, and SHA-512 Compared
All four algorithms belong to the SHA (Secure Hash Algorithm) family, standardized by the US National Institute of Standards and Technology. They differ primarily in output size and security strength.
| Algorithm | Output (bits) | Hex chars | Status | When to use |
|---|---|---|---|---|
| SHA-1 | 160 | 40 | Deprecated | Legacy software only |
| SHA-256 | 256 | 64 | Standard | Most verification tasks |
| SHA-384 | 384 | 96 | Strong | High-security contexts |
| SHA-512 | 512 | 128 | Strong | Long-term archival |
SHA-1 was the industry standard until Google's 2017 SHAttered attack demonstrated a practical SHA-1 collision — two different PDF files with the same SHA-1 hash. Major browsers stopped accepting SHA-1 TLS certificates in 2017. It is still safe for non-security purposes like detecting accidental data corruption, but not for verifying authenticity. SHA-256 became the replacement and is now universally supported. SHA-384 and SHA-512 are part of the SHA-2 family and are cryptographically healthy by all current analysis; they are simply overkill for typical download verification but the right choice if you are building long-lived archival systems or working in regulated industries with specific compliance requirements.
Verifying Downloaded Software with SHA-256
The most practical use case for a file hash checker is verifying a software download before installing it. Here is a real example using a Linux distribution ISO.
When you visit the Ubuntu download page, alongside each ISO file you will find a link to a SHA256SUMS file and a SHA256SUMS.gpg signature. The SHA256SUMS file contains one line per release variant, like this:
a435f6f393dda581172490eda9ef42c65a13d76968e63e18d4e2a1e1e8e28cca ubuntu-24.04-desktop-amd64.iso
Download the ISO, drag it into the File Hash Checker, and compare the SHA-256 output to the first 64 characters on that line. If they match exactly, you have an authentic Ubuntu image — unmodified since Canonical built it. If they don't match, re-download; a large ISO can silently truncate on an unstable connection.
The same pattern applies to Python installers from python.org, Node.js binaries from nodejs.org, and virtually every serious open-source project. Look for checksums, SHA256SUMS, or hashes on the download page, typically in fine print or a collapsible section.
For Windows software that does not publish its own checksums, VirusTotal uses file hashes to let you look up whether a file has been previously scanned. Searching the SHA-256 of a suspicious installer in VirusTotal can reveal whether any antivirus engines have flagged it — a two-minute check that has caught real malware.
Other Use Cases for File Hashing
Backup integrity verification. After creating a backup archive, record its SHA-256 hash. When you need to restore, recompute the hash and compare. If storage media has degraded — a phenomenon called bit rot — the hash will differ and you will know before spending hours on a failed restore.
Docker image digests. Docker pull commands support a @sha256: digest suffix for pinning to an exact image layer. You can verify a saved Docker image tar archive using this tool before loading it on an air-gapped machine.
Build artifact consistency in CI/CD. Recording the SHA-256 of compiled binaries before and after a deploy lets you confirm that nothing was modified between the build step and production. Some supply chain attacks inject changes between the build and the deploy; a hash check catches this.
File deduplication. Two files with identical SHA-256 hashes are provably identical, making hashes useful for finding duplicate files across large directories without reading every byte of every file pair.
Digital forensics. When analyzing evidence in legal or security investigations, the SHA-256 hash of a drive image or file establishes its integrity over time — if the hash matches when re-checked months later, the evidence has not changed since collection.
Common Mistakes When Checking File Hashes
Invisible whitespace in the expected hash. When copying a hash from a webpage or PDF, it is easy to accidentally include a trailing space or newline character. The Verify Hash field in this tool trims whitespace automatically, but command-line tools like sha256sum -c will fail if the reference file contains any formatting inconsistency.
Comparing hashes from different algorithms. A SHA-1 hash is 40 hex characters. A SHA-256 hash is 64. A SHA-512 hash is 128. Copying a SHA-512 hash into a tool that expects SHA-256 will always fail — not because the file is corrupt, but because the hash lengths don't match. This tool handles all four algorithms simultaneously, so any valid hash of the correct length will match against the corresponding algorithm.
Checking the wrong file variant. Many projects publish multiple downloads — a 64-bit installer, a 32-bit installer, a portable zip, and an ARM build — each with a distinct hash. Confirming the hash of the 64-bit installer against the published hash for the 32-bit installer will fail even if both files are completely authentic.
Not verifying the hash source itself. A hash is only trustworthy if it came from a source you trust. An attacker who compromises a download server can replace both the file and the published hash. Serious projects publish hashes alongside GPG signatures; verifying the GPG signature on the checksums file gives you cryptographic assurance that the hash came from the developer's private key, not just an untrusted web page.
File Hashing in Modern Development Workflows
File hashing has become deeply embedded in modern software engineering beyond the obvious download-verification use case. Understanding where hashes appear helps you work more confidently with the tools and platforms you use every day.
Git object model. Git is built entirely on SHA-1 (transitioning to SHA-256 in newer versions). Every commit, tree, blob, and tag in a git repository is identified by its cryptographic hash. When you run git log --oneline, the 7-character IDs you see are the first 7 characters of that commit's full 40-character SHA-1 hash. The entire integrity of your repository history depends on these hashes — any modification to a committed file would change its hash and break the chain back through history.
npm and package registries. When you install an npm package, the npm client checks the downloaded tarball's SHA-512 hash against the value stored in package-lock.json. If they differ — because the registry served a different version or the network corrupted the download — the install fails with an integrity check error. This protects your projects from subtly modified packages, a real attack vector known as a supply chain attack. Running npm ci instead of npm install enforces these hash checks strictly.
Subresource Integrity (SRI) in browsers. When loading JavaScript or CSS from a CDN, you can add an integrity attribute to the <script> or <link> tag containing the expected SHA-256 or SHA-384 hash of the file. The browser refuses to execute the resource if the delivered content doesn't match — protecting your users even if the CDN is compromised.
Container image digests. Docker image tags like node:20-alpine are mutable — the image they point to can change. For reproducible production deployments, pin images by their immutable SHA-256 digest: node@sha256:a435f6f…. This guarantees the exact same container image is used every time, eliminating a class of environment drift bugs and supply chain risks.