Checksum Verifier

🛡️ Checksum Verifier – Verify File & Text Integrity

A checksum (or hash digest) is a fixed-length fingerprint computed from any input — a file, a string of text, or even raw bytes. The Checksum Verifier tool computes this fingerprint using industry-standard algorithms and optionally compares it against an expected value so you can instantly confirm whether data is intact or has been altered.

What Is Checksum Verification?

When software publishers distribute packages, they also publish a checksum alongside the download link (e.g., SHA-256: a948904f…). After you download the file, you compute its checksum locally and compare it to the published value. If they match, the file reached your device unchanged. If they differ, the file may have been corrupted during transfer or — more seriously — tampered with by a third party.

This verification workflow is essential for OS images, software installers, firmware updates, and any artifact where integrity matters.

Supported Algorithms

Key Features

• Text & File modes — Hash any typed text, paste JSON/hex strings, or drag-and-drop any file directly into the browser for client-side hashing.
• Multi-Algorithm mode — Compute all six algorithms in one click and view a side-by-side table, useful for identifying which algorithm an unknown hash was produced with.
• HMAC support — Toggle HMAC mode and provide a secret key to produce a keyed digest, ideal for verifying API webhook signatures (e.g., Stripe, GitHub, Shopify).
• Instant match/mismatch feedback — Paste any expected checksum and the tool shows a prominent green ✅ MATCH or red ❌ MISMATCH banner immediately.
• Case-insensitive comparison — Hash strings are case-normalized before comparison so A3B2 and a3b2 are treated as identical.
• Fully private — All computation uses the browser's built-in Web Crypto API and CryptoJS. No file or text data is ever sent to a server.

How HMAC Works

HMAC (Hash-based Message Authentication Code) wraps a standard hash function with a secret key. The output depends on both the message and the key, so an attacker who does not know the key cannot forge a valid HMAC even if they can see the message. This is the mechanism behind webhook signature headers like X-Hub-Signature-256 and Stripe-Signature.

HMAC-SHA256(secret_key, message) → digest

Understanding Hash Lengths

Every algorithm produces a fixed-length output regardless of input size. A single character and a multi-gigabyte file produce equally-sized hashes. If the expected checksum you receive does not match the expected length for the claimed algorithm (e.g., 64 hex characters for SHA-256), there is likely a truncation or copy-paste error.

Practical Examples

Verifying a Linux ISO download

1. Download the ISO file and locate its official SHA-256 checksum on the publisher's site.
2. Switch to File Upload mode, select SHA-256, and drag the ISO file into the drop zone.
3. Paste the published checksum into the Expected Checksum field.
4. Click Compute Checksum — a ✅ MATCH confirms an untampered download.

Verifying an API webhook signature

1. Enable HMAC Mode and enter your webhook secret in the HMAC Key field.
2. Paste the raw request body into the text input.
3. Select SHA-256 and paste the signature from the webhook header into the Expected Checksum field.
4. Click Compute Checksum to verify the signature.

Privacy & Security

The Checksum Verifier runs entirely in your browser. File bytes and text strings are never transmitted over the network. The tool uses the Web Crypto API (SHA-256, SHA-384, SHA-512, HMAC) and CryptoJS (MD5, SHA-1) for all computations. You can safely hash sensitive documents, proprietary configuration files, and private keys without any data leaving your device.