If you download a Linux distribution or an executable file, you may see a recommendation to verify the checksum before running or installing your file. I have to be honest, the first few times I saw this recommendation it was something I didn’t understand, so I completely blew it off. (Shhh…)
In my defense, I was probably downloading Linux or VirtualBox and just wanted to get through the install to whatever task I was trying to learn at the time. I know, not much of a defense…
When I had seen it enough times to recognize that it was legit something I should do, I finally decided to learn what it was and how to do it. I was pleasantly surprised by how easy it is! And now I can feel more secure in knowing the files I’m downloading are complete and actually what I expected to download.
So what is a checksum, anyway? It’s a string (a sequence of letters and numbers) that is generated by running a cryptographic hashing algorithm on a file. Checksums are used to check data for errors. If you know the checksum of the original file, you can compute the checksum of your downloaded file and compare it to the original to confirm that the two files are identical.
(You can read more about checksums here and here.)
How to Verify a Checksum:
The method I’m going to describe to verify a checksum uses the Terminal on a Mac or in Linux, or Command Prompt in Windows. There are a few other ways, but I like this one because it’s quick and dirty. If you’re not familiar with using the terminal or command prompt, here’s a quick video with Terminal basics, and here’s one on how to use the Command Prompt. (Because macOS is based on Unix, Mac and Linux are very similar… so anything I describe on a Mac will be virtually identical in Linux.)
First, locate the checksum of the original file and determine its type. The main options here are SHA-512, SHA-256, SHA-1 and MD5. Each of these uses a different hashing algorithm to generate the checksum. If the site where you are downloading the file lists checksum values, it will also list the type.
Next, note the full path to your downloaded file. For example, if it’s in your Downloads folder on a Mac, your full path might be /Users/Username/Downloads/filename.extension, or if it’s in your Downloads folder in Windows, your full path might be C:\Users\Username\Downloads\filename.extension. (On a Mac, ~ signifies /Users/Username, so the path might be ~/Downloads/filename.extension.)
Now you can open up your Terminal or Command Prompt. I’m going to walk you through step by step for the SHA-256 checksum on a file in Terminal, but the method is the same for all checksum types on a Mac or a Windows computer. All applicable commands are listed below this example. (For my example, I’m using a file downloaded from https://www.osboxes.org/ubuntu/ where they have the checksum listed on the site right next to the download link.)
Type the following command at the prompt in your Terminal Window:
shasum -a 256 /full/path/file.extension
Example:
shasum -a 256 /Users/stevie/Downloads/64bit.7z
It might take some time (when I was working out this example it took about 30 seconds), but the checksum will appear in your terminal, followed by the filename.
I like to use the Diffchecker utility to check the difference between the hash listed on the download site and the hash generated on my machine. You paste the original file’s checksum into the first box and your downloaded file’s checksum in the second box, and the utility will tell you whether or not they are identical.
Here is a full list of the specific commands for each type of hash on Windows and Mac/Linux.