Verifying a published checksum before extracting, installing, or copying a downloaded file confirms that the local copy still matches the release bytes that were intended to be distributed. That quick integrity check catches truncated transfers, mirror problems, and local corruption before the file enters a larger workflow.
In Linux, sha256sum reads a checksum file in the standard coreutils format and compares the recorded digest and filename with the local file in one pass. That is usually the cleanest workflow because vendor-supplied .sha256 files and larger lists such as SHA256SUMS can be checked directly without recomputing and comparing digests by eye.
A matching checksum proves that the local file matches the published digest, but it does not prove that the digest source itself is trustworthy. Compare against a value from the vendor or project release page, a signed checksum list, or another trusted release channel, and use the matching tool such as sha512sum when the publisher provides a different hash algorithm.
$ cd ~/Downloads/releases
Keeping the file and its checksum reference in the same directory avoids filename mismatches during the check.
$ cat package.tar.xz.sha256
3657abb73f1ad5bb2609acf9eb3d63fae2678d97e9ebbc87c97f01efc41fd10a  package.tar.xz
The normal format is the digest followed by two spaces and the exact filename. If the publisher provides only a bare digest string, save it locally in that format before running the check.
A checksum confirms byte-for-byte integrity against the published digest. A signature check confirms that the checksum list itself came from the expected publisher.
$ sha256sum --check package.tar.xz.sha256
package.tar.xz: OK
OK means the local file content matches the expected SHA256 digest and the filename recorded in the checksum file matches the file being checked.
$ sha256sum --ignore-missing --check SHA256SUMS
package.tar.xz: OK
--ignore-missing skips entries that are not present locally, so a vendor checksum list can be checked without copying lines into a smaller file first.
$ sha256sum --check package.tar.xz.sha256
package.tar.xz: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
A mismatch means the local file bytes do not match the trusted digest. Delete the file, download it again from a trusted source, and verify it again before extracting or installing it. If the checksum value came from an untrusted page or mirror, validate the checksum source itself before trusting either result.
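As an added example (not part of the original page), the shell function below closes a gap in the --ignore-missing workflow: a downloaded file that is not listed in SHA256SUMS at all is never examined, and the exit status can still be 0 if some other listed file is present and verifies. The function name verify_release and its exit codes are assumptions chosen for this illustration.

```shell
# verify_release FILE SUMS  (hypothetical helper, not part of coreutils)
# Returns 0 if FILE matches its entry in SUMS, 1 on mismatch or read
# error, 2 if FILE is not listed exactly once in SUMS.
verify_release() {
    vr_file=$1
    vr_sums=$2
    vr_dir=$(dirname -- "$vr_file")
    vr_name=$(basename -- "$vr_file")

    # Select the single line whose filename field equals our file.
    # coreutils layout: 64 hex digits, a space, a mode character
    # (space for text, '*' for binary), then the filename.
    vr_entry=$(VR_NAME=$vr_name awk '
        length($0) > 66 &&
        substr($0, 1, 64) ~ /^[0-9a-fA-F]+$/ &&
        substr($0, 65, 1) == " " &&
        substr($0, 67) == ENVIRON["VR_NAME"] { n++; line = $0 }
        END { if (n == 1) print line }' "$vr_sums")

    if [ -z "$vr_entry" ]; then
        echo "$vr_name: not listed exactly once in $vr_sums" >&2
        return 2
    fi

    # Check only that entry, from the file's own directory so the
    # recorded name resolves. --strict rejects malformed lines.
    ( cd -- "$vr_dir" && printf '%s\n' "$vr_entry" |
        sha256sum --check --strict - ) || return 1
}

# Usage: verify_release ~/Downloads/releases/package.tar.xz SHA256SUMS
```

Names that sha256sum records in escaped form (those containing a backslash or newline) do not match the selector and are reported as not listed, so the function fails closed for them.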