How to Compare and Verify Hashes: A Practical Guide

16 Jun 2026

Comparing and verifying hashes is how you confirm that a file has not been corrupted or tampered with. When you download software, receive a file, or store critical data, comparing its hash against a known good value gives you strong evidence of integrity.

Hash verification works because even a single-bit change in a file produces a completely different hash. If the computed hash matches the expected hash, the file is identical to the original for all practical purposes, provided the algorithm is collision-resistant and the expected hash itself came from a trusted source.

When to Verify Hashes

Software downloads — Linux distributions, Docker images, and many open-source projects publish checksums alongside their downloads. Verifying the hash confirms you received the authentic file.

Data backups — after backing up files, generate and store their hashes. When restoring, recompute hashes to detect corruption.

File transfers — for critical file transfers over unreliable networks, compare hashes before and after transfer.

Forensic evidence — hash verification proves that digital evidence has not been altered during investigation.

How Hash Verification Works

A publisher computes the hash of a file and publishes both the file and the hash. You download the file, compute the hash yourself, and compare it to the published hash.

Published hash:  9e107d9d372bb6826bd81d3542a419d6
Your computed:   9e107d9d372bb6826bd81d3542a419d6
Match: ✓ File is authentic

Published hash:  9e107d9d372bb6826bd81d3542a419d6
Your computed:   a4b8c9e1f3d2c5b7a8e9f0d1c2b3a4b5
Mismatch: ✗ File is corrupted or tampered

Verifying Hashes on the Command Line

Linux / macOS

# SHA256
sha256sum filename.iso

# SHA1
sha1sum filename.iso

# MD5
md5sum filename.iso

# macOS-specific (use shasum)
shasum -a 256 filename.iso
shasum -a 1 filename.iso

Windows (PowerShell)

# SHA256
Get-FileHash filename.iso -Algorithm SHA256

# SHA1
Get-FileHash filename.iso -Algorithm SHA1

# MD5
Get-FileHash filename.iso -Algorithm MD5

Verifying Hashes in Code

PHP

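<?php
// Example value: a SHA-256 digest is 64 hex characters. Use the value the publisher lists.
$expected = 'd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592';
// hash_file() returns lowercase hex, or false if the file cannot be read.
$computed = hash_file('sha256', '/path/to/file.iso');

if ($computed === false) {
    echo 'Could not read file';
} elseif (hash_equals(strtolower(trim($expected)), $computed)) {
    echo 'File is authentic';
} else {
    echo 'File has been modified!';
}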

The hash_equals() function performs a constant-time comparison, preventing timing attacks.

Python

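import hashlib
import hmac

def verify_hash(filepath, expected_hash, algorithm='sha256'):
    """Return True if the file's digest equals expected_hash (a hex string)."""
    h = hashlib.new(algorithm)
    # Read in chunks so large files are not loaded into memory at once.
    with open(filepath, 'rb') as f:
        for chunk in iter(lambda: f.read(8192), b''):
            h.update(chunk)
    computed = h.hexdigest()
    # Normalise case and whitespace, then compare in constant time.
    return hmac.compare_digest(computed, expected_hash.strip().lower())

# Example value: a SHA-256 digest is 64 hex characters. Use the value the publisher lists.
expected = 'd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592'
if verify_hash('file.iso', expected):
    print('File is authentic')
else:
    print('File has been modified!')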

JavaScript (Node.js)

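const crypto = require('crypto');
const fs = require('fs');

function verifyHash(filepath, expectedHash, algorithm = 'sha256') {
    return new Promise((resolve, reject) => {
        const hash = crypto.createHash(algorithm);
        const stream = fs.createReadStream(filepath);
        // Reject on read errors (missing file, permissions) instead of crashing.
        stream.on('error', reject);
        stream.on('data', chunk => hash.update(chunk));
        stream.on('end', () => {
            const computed = hash.digest();
            const expected = Buffer.from(expectedHash.trim(), 'hex');
            // timingSafeEqual throws on unequal lengths, so check the length first.
            resolve(computed.length === expected.length &&
                crypto.timingSafeEqual(computed, expected));
        });
    });
}

// Example value: a SHA-256 digest is 64 hex characters. Use the value the publisher lists.
verifyHash('file.iso', 'd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592')
    .then(match => console.log(match ? 'Authentic' : 'Modified'))
    .catch(err => console.error('Could not verify:', err.message));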

Common Hash Verification Mistakes

Comparing with == instead of a constant-time function. In PHP, hash_equals() prevents timing attacks. In Python, use hmac.compare_digest(), which compares without short-circuiting, for security-critical applications.

Using MD5 or SHA1 for security-critical verification. Both are cryptographically broken. Attackers can create different files with the same MD5 or SHA1 hash. Use SHA256 or SHA512 for security verification.

Verifying the wrong file. Always verify that you are comparing the hash of the exact file you downloaded. A hash of a different version or a partial download will not match.

Ignoring hash mismatch warnings. If a hash does not match, do not use the file. Re-download it from the official source.

The Hash Checker Tool

The Hash Checker tool on Help2Code compares your computed hash against an expected hash. Paste both values and the tool tells you whether they match. You can also use the Multiple Hash Generator to compute hashes in multiple algorithms simultaneously.

Complete Verification Workflow

  1. Download the file from the official source
  2. Locate the published checksum (often in a .sha256 or .sha256sum file)
  3. Compute the hash of your downloaded file
  4. Compare the computed hash against the published hash
  5. If they match, the file is safe to use
  6. If they do not match, delete the file and download again
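
The workflow above as an added Python example (not code from the original article): it parses a checksum file in the sha256sum output format, looks up the entry for the downloaded file by name, and compares digests in constant time. The file name tool-1.0.tar.gz and its contents are constructed sample data, and the function names are illustrative.

```python
import hashlib
import hmac
import os
import re
import tempfile

# sha256sum line format: "<64 hex chars> <space or *><filename>"
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_checksum_file(text):
    """Map filename -> lowercase SHA-256 hex digest; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:  # wrong length (e.g. an MD5 digest) or garbage
            raise ValueError(f"line {lineno}: not a SHA-256 checksum entry")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no entry for this file: never treat as a pass
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed sample: a fake download plus the checksum file shipped with it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        # Upper-case digest with the binary-mode '*' marker, as some tools emit.
        published = f"{sha256_file(path).upper()} *tool-1.0.tar.gz\n"
        results = [verify_download(path, published)]
        with open(path, "ab") as f:  # simulate a corrupted or altered download
            f.write(b"\x00")
        results.append(verify_download(path, published))
        return results + [verify_download(path, "# empty checksum file\n")]
```

Calling demo() exercises the three outcomes in order: a matching file, a modified file, and a file with no entry in the checksum list.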

Conclusion

Hash verification is a simple but powerful technique for ensuring file integrity. Always verify downloaded software against published checksums, especially for security-critical tools. Use SHA256 for verification and a Hash Checker for quick comparisons.

