File Hash Checker
Calculate MD5, SHA-1, and SHA-256 hashes in your browser and verify file integrity by checksum comparison. Ideal for detecting tampering in downloaded files.
Last updated:
How to Use
Expand how to useCollapse how to use
- 1
Select files
Drag and drop files or click the "Select Files" button to add files.
- 2
Check hash values
MD5, SHA-1, and SHA-256 hash values are automatically calculated for each file.
- 3
Verify checksum
Optionally enter an expected hash value to verify file integrity.
Drag and drop files or click to select
About File Hash Checker
File Hash Checker computes MD5, SHA-1, and SHA-256 hashes for any file directly in your browser using the Web Crypto API. Drag and drop a downloaded package, ISO image, firmware binary, or software installer to verify its checksum against the official value published by the distributor. This is essential for detecting tampered downloads, corrupted transfers, and supply chain attacks. You can calculate hashes for multiple files simultaneously and compare results with expected checksums using the built-in verification feature. An uppercase/lowercase toggle matches the format of the reference hash.
Key Features
- Support for 3 hash algorithms (MD5, SHA-1, SHA-256)
- Drag and drop file upload
- Simultaneous hash calculation for multiple files
- Checksum verification (compare with expected values)
- Uppercase/lowercase toggle
- Client-side processing via Web Crypto API (SubtleCrypto.digest)
Common Use Cases
- Verify SHA-256 checksums of downloaded npm packages or GitHub releases
- Validate ISO images (Ubuntu, Debian) against official checksums
- Check Docker image tarballs or Helm chart archives for integrity
- Verify file integrity after S3 or SCP transfers
Frequently Asked Questions
Are files sent to a server?
No. The Web Crypto API reads and hashes file bytes locally using the browser's SubtleCrypto.digest() method. Files are processed in memory and never uploaded anywhere, which makes this tool suitable for confidential documents, proprietary software, or firmware binaries.
Can I hash multiple files at once?
Yes. You can drag and drop multiple files onto the dropzone or select them together with the file picker. Each file is hashed independently, and all three algorithms (MD5, SHA-1, SHA-256) are computed for each file simultaneously. This is useful when verifying a batch of downloaded files against a SHA256SUMS manifest.
Is there a file size limit?
There is no fixed limit enforced by the tool, but practical limits depend on your browser's available memory. Files up to several hundred megabytes are typically processed without issues. Very large files — ISO images exceeding 4 GB, for example — may take longer or cause the browser tab to run low on memory depending on your system.
How do I use checksum verification?
Paste the expected hash value (e.g., from the project's release page or SHA256SUMS file) into the "Checksum Verification" field. The tool automatically compares it against the calculated hashes for each file. A green "Match" indicator means the file is intact; a red "Mismatch" means the file differs from what the publisher distributed, which could indicate corruption or tampering.
What types of files can I hash?
Any file type is supported — executables, archives (.zip, .tar.gz), disk images (.iso), documents, firmware binaries, or plain text files. The hash function operates on raw bytes, so the format does not matter. There is no restriction on file extension or MIME type.
Which algorithm should I use?
SHA-256 is the recommended choice and is most widely published by open source projects and software vendors. MD5 or SHA-1 may be needed for compatibility with older release pages, but both are vulnerable to collision attacks and should not be relied upon for security assurance. When an official SHA-256 checksum is available, always prefer it over MD5 or SHA-1.
What does a checksum mismatch mean?
A mismatch means the file's contents differ from what was used to generate the reference hash. Possible causes include a corrupted download (network error, incomplete transfer), a modified file (tampering or supply chain attack), or a simple mistake such as comparing hashes from different file versions. In any case, do not use the file until you can obtain a clean copy and verify it matches the official checksum.