What is a file checksum and why does it matter?

A checksum is a fixed-length fingerprint derived from a file's exact bytes. If even one bit changes, the checksum changes completely. Publishers post checksums so you can confirm a download arrived intact and was not corrupted or tampered with in transit.

Which hash should I use to verify a download?

Use the same algorithm the publisher published. Most projects list SHA-256 today; some still show MD5 or SHA-1. This tool computes all four at once, so whichever value the publisher gives you, you can match it without re-running anything.

Are MD5 and SHA-1 still safe?

For integrity checks against accidental corruption they are fine and fast. For security against a deliberate attacker they are broken — both have practical collision attacks — so prefer SHA-256 or SHA-512 when an adversary could have altered the file.

Does my file get uploaded anywhere?

No. The file is read with the browser's FileReader and hashed locally — SHA via the built-in Web Crypto API and MD5 via a small in-browser routine. No network request is made, so the tool works offline and is safe for confidential files.

Why is MD5 not done with Web Crypto like the others?

The browser's crypto.subtle.digest supports SHA-1, SHA-256 and SHA-512 but deliberately omits MD5 because it is obsolete for cryptography. To still offer MD5 for legacy verification, this tool computes it with a compact pure-JavaScript implementation in the same private, offline way.

How big a file can I hash?

The tool reads the whole file into memory, so the practical limit is your device's available RAM and the browser tab. Files up to a few hundred megabytes hash comfortably on most machines; multi-gigabyte files may be slow or hit memory limits.

File Hash & Checksum Tool

A fast, private file hash and checksum tool that computes MD5, SHA-1, SHA-256 and SHA-512 for any file you drop in — and verifies that file against an expected checksum in one step. It is built for anyone downloading software, sharing large files, or confirming a backup is intact: the people who need to answer the question “did this file arrive exactly as the author intended?”

A checksum is a short, fixed-length fingerprint calculated from every byte of a file. Change a single bit anywhere and the fingerprint changes completely, which is what makes it useful: a publisher posts the checksum of a release, you compute the checksum of your copy, and if the two match you know the download is byte-for-byte identical to the original. If they differ, the file was corrupted in transit, truncated, or tampered with — and you should not trust it.

How it works

Drop a file onto the zone or click to choose one. The browser reads it locally with FileReader, then computes each selected hash. SHA-1, SHA-256 and SHA-512 use the built-in Web Crypto API (crypto.subtle.digest), the same audited primitives your browser uses for HTTPS. MD5 is computed with a small in-browser routine because Web Crypto deliberately omits MD5 as obsolete — so you still get it for legacy checks without anything leaving your machine. Every hash is rendered as lowercase hexadecimal, the conventional format checksum tools print.

To verify, paste the value a download page published into the verify box. The tool normalises common formats — it strips a leading sha256: prefix, ignores a trailing filename, and lowercases everything — then compares it against every computed hash. A green tick marks the algorithm that matched; a red cross means none did. You can also export all the checksums to a .txt file, copy any single value, and the last several files you hashed are remembered in this browser for quick re-reference.

Example

Suppose a project’s release page lists this SHA-256 for its installer:

9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

Drop your downloaded installer in, enable SHA-256, and paste that string into the verify box. If your copy is intact you see a green match and can install with confidence. If you instead see a red mismatch, re-download from the official source — the file you have is not the file the author shipped. Because the work is local, you can do this offline and with sensitive files that must never be uploaded to a third-party service.

Every calculation runs in your browser. No file, hash, or checksum is ever sent to a server.