Downloading from the official source is step one of safe installation; verifying that the file actually arrived intact and unmodified is step two — and most people skip it. Two free, built-in checks catch a tampered, corrupted, or fake installer before you run it: comparing the file's SHA-256 hash against the publisher's published value, and confirming the file's digital signature. This guide shows exactly how to do both on every platform, with the commands you need.
1 Why verify at all?
Even an official download can be corrupted in transit, and a file from an unofficial mirror can be silently modified to bundle adware or malware. Verification answers two questions: did I get the exact file the publisher released (integrity), and was it really released by that publisher (authenticity)? A SHA-256 checksum answers the first; a digital signature answers the second. Neither requires extra software on modern systems — the tools are built in.
2 Check a SHA-256 hash on Windows
Many publishers list a SHA-256 checksum next to their download. To compute it for your file, open PowerShell or Command Prompt and run: certutil -hashfile "C:\path\to\installer.exe" SHA256 — or in PowerShell, Get-FileHash installer.exe. Compare the output, character for character, with the value on the publisher's page. If they match, the file is bit-for-bit identical to what the publisher released. If even one character differs, do not run it — re-download from the official source and check again.
3 Check a SHA-256 hash on macOS and Linux
Open Terminal and run: shasum -a 256 /path/to/installer.dmg (macOS) or sha256sum /path/to/installer (Linux). Compare the result to the publisher's published hash. When a publisher provides a checksum file, run sha256sum -c checksums.txt and it reports OK or FAILED for each listed file. A FAILED result means the file does not match — treat it as untrusted.
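The comparison in sections 2 and 3 done by a script instead of by eye, so the same check works on Windows, macOS and Linux. This is an added example and not part of the original guide: it reads a checksum file in the sha256sum format (hash, two spaces or " *", filename), streams each file through SHA-256, compares the hashes case-insensitively (PowerShell's Get-FileHash prints uppercase hex while most publishers list lowercase) and reports OK, FAILED or MISSING per file, like sha256sum -c. The file contents, file names and checksum lines in the demo are constructed for illustration.

```python
"""Verify downloaded files against a publisher's SHA-256 checksum list.

Portable equivalent of `sha256sum -c checksums.txt`. Everything in demo()
is constructed for illustration; the files are not real releases.
"""
import hashlib
import hmac
import os
import re
import tempfile

# sha256sum / shasum checksum-file format: "<64 hex chars>  <filename>"
# (two spaces, or " *" for binary mode). Anything else is a malformed line.
CHECKSUM_LINE = re.compile(r"^([0-9A-Fa-f]{64})\s+\*?(.+)$")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_match(computed, published):
    """Case-insensitive, constant-time comparison of two hex digests.

    Get-FileHash prints uppercase hex and most publishers list lowercase, so
    normalise case first. compare_digest avoids a timing side channel; that is
    overkill for a local check but costs nothing.
    """
    return hmac.compare_digest(computed.lower().encode(), published.lower().encode())


def parse_checksum_file(text):
    """Return a list of (published_hash, filename); reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA-256 checksum line: {raw!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def check_downloads(checksum_text, directory):
    """Verify each listed file under `directory`; return {filename: "OK"|"FAILED"|"MISSING"}."""
    results = {}
    for published, name in parse_checksum_file(checksum_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if hashes_match(sha256_of_file(path), published) else "FAILED"
    return results


def demo():
    """Constructed scenario: one intact download, one altered after its hash was published, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer-1.0.tar.gz")
        bad = os.path.join(d, "installer-1.0.exe")
        with open(good, "wb") as f:
            f.write(b"pretend this is the release archive\n")
        with open(bad, "wb") as f:
            f.write(b"pretend this is the release installer, modified\n")
        # Publisher's list: the .exe entry deliberately hashes different bytes
        # than what is on disk, standing in for a tampered or corrupted download.
        checksum_text = (
            f"{sha256_of_file(good)}  installer-1.0.tar.gz\n"
            f"{hashlib.sha256(b'original installer bytes').hexdigest()} *installer-1.0.exe\n"
            f"{'0' * 64}  installer-1.0.dmg\n"
        )
        return check_downloads(checksum_text, d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it directly to see the three verdicts; in practice call check_downloads with the text of the publisher's checksums.txt and the folder the installer was saved to. A malformed checksum line raises instead of being skipped, so a truncated or mangled checksum file cannot silently pass.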
4 Verify the digital signature on Windows
A hash proves integrity but not who made the file. On Windows, right-click the installer → Properties → Digital Signatures tab. You should see the publisher's name (e.g. "Google LLC", "Microsoft Corporation"). Click it → Details to confirm "This digital signature is OK." If the Digital Signatures tab is missing entirely, the installer is unsigned — common for small open-source tools, but a red flag for a major commercial product that should be signed. SmartScreen warnings about an "unrecognized publisher" also point to a missing or invalid signature.
5 Verify signatures on macOS and Linux
macOS: run spctl -a -vv /Applications/App.app to check Gatekeeper acceptance and the signing identity, or codesign -dvv --verbose=4 /Applications/App.app to see the Team ID. A notarized app from the real developer will show their name and an "accepted" source. Linux: open-source projects often publish a GPG signature (.asc or .sig) alongside the file. Import the project's public key, then run gpg --verify installer.tar.gz.sig installer.tar.gz — a "Good signature" line confirms authenticity. Package managers (apt, dnf) verify repository signatures automatically.
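A "Good signature" line only means the signature matches some key in your keyring; the check that ties the file to the real project is that the signing key's fingerprint is the one the project publishes. The following is an added example, not part of the original guide or of GnuPG: it runs gpg with --status-fd so the result arrives as machine-readable "[GNUPG:] ..." lines (GOODSIG, VALIDSIG, BADSIG, EXPKEYSIG, REVKEYSIG, NO_PUBKEY are real status keywords from gpg's doc/DETAILS) and rejects anything not signed by the pinned fingerprint. EXPECTED_FINGERPRINT, the key id, user id and dates in SAMPLE_GOOD are placeholders constructed for the demo.

```python
"""Verify a detached GPG signature and pin the signing key's fingerprint.

The fingerprint below is a placeholder; replace it with the one the project
publishes (ideally obtained from a second channel, not the download page).
"""
import subprocess

EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"  # placeholder


def judge_status(status_lines, expected_fingerprint):
    """Reduce gpg --status-fd output to a verdict string.

    Status keywords used (see gpg's doc/DETAILS):
      GOODSIG  <long keyid> <userid>   signature verifies against a keyring key
      VALIDSIG <fingerprint> ...       same, carrying the full fingerprint
      BADSIG   <long keyid> <userid>   signature does not match the data
      EXPKEYSIG / REVKEYSIG            good signature, but key expired / revoked
      NO_PUBKEY <long keyid>           key not imported, nothing was verified
    """
    fingerprint = None
    good = False
    for raw in status_lines:
        if not raw.startswith("[GNUPG:] "):
            continue
        parts = raw.split()
        keyword = parts[1]
        if keyword == "BADSIG":
            return "BAD: signature does not match the file"
        if keyword == "EXPKEYSIG":
            return "REJECT: signing key is expired"
        if keyword == "REVKEYSIG":
            return "REJECT: signing key is revoked"
        if keyword == "NO_PUBKEY":
            return f"UNVERIFIED: public key {parts[2]} not in keyring; import it first"
        if keyword == "GOODSIG":
            good = True
        if keyword == "VALIDSIG":
            fingerprint = parts[2].upper()
    if not good or fingerprint is None:
        return "UNVERIFIED: gpg reported no good signature"
    if fingerprint != expected_fingerprint.replace(" ", "").upper():
        return f"REJECT: good signature, but from unexpected key {fingerprint}"
    return f"OK: signed by pinned key {fingerprint}"


def verify_detached_signature(file_path, sig_path, expected_fingerprint=EXPECTED_FINGERPRINT):
    """Run gpg on a real file and .sig/.asc; needs gpg installed and the key imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    # Status lines go to stdout because of --status-fd 1; gpg's human-readable
    # "Good signature" text goes to stderr and is ignored here on purpose.
    return judge_status(proc.stdout.splitlines(), expected_fingerprint)


# Constructed sample of what gpg emits on --status-fd for an intact file
# signed by the pinned key (key id, user id, dates and algorithms are made up).
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Project <release@example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-01-01 1704067200 0 4 0 22 8 00 "
    "0000000000000000000000000000000000000000",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    print(judge_status(SAMPLE_GOOD, EXPECTED_FINGERPRINT))
```

The verdict deliberately ignores gpg's TRUST_* lines: pinning the fingerprint you obtained from the project replaces the web-of-trust judgement, which is undefined for a freshly imported key anyway. A good signature from any other key, even one with a plausible user id, is rejected.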
6 What to do when a check fails
If a hash does not match or a signature is missing or invalid, stop. Do not run the file. The benign explanation is a corrupted download — so re-download from the publisher's official page and verify again. If it still fails, you may have been served a tampered file (often from a mirror or a search-ad link rather than the real site). Delete it, go directly to the publisher's domain, and verify the fresh copy. The thirty seconds that verification takes is the cheapest security control you will ever run.
Frequently Asked Questions
What is a SHA-256 checksum?
It is a unique fingerprint of a file. If you compute the SHA-256 hash of your download and it matches the value the publisher published, the file is bit-for-bit identical to what they released — proving it was not corrupted or modified.
How do I check a file hash on Windows?
Run certutil -hashfile yourfile.exe SHA256 in Command Prompt, or Get-FileHash yourfile.exe in PowerShell, then compare the result to the publisher's published SHA-256 value.
What does a digital signature tell me that a hash does not?
A hash proves the file is unchanged; a digital signature proves who released it. Together they confirm the installer is both genuine (from the real publisher) and untampered.
Is it bad if an installer is unsigned?
For small open-source tools it is common and not necessarily alarming. For a major commercial product that should be code-signed, a missing or invalid signature is a red flag — verify you downloaded from the official source.
Conclusion
Verification turns "I hope this download is safe" into "I confirmed it." Compute the SHA-256 hash and match it to the publisher's value to prove integrity, then check the digital signature to prove authenticity — both use built-in tools on every platform. Make it a habit, especially for anything that installs with administrator rights, and a corrupted or tampered installer never makes it past your download folder.