How to use md5sum and sha256sum in Linux to verify file integrity

In the Linux world, ensuring that a file has not been altered is fundamental for both system administrators and everyday users. The commands md5sum and sha256sum allow calculating and comparing cryptographic checksums (hashes) of files, providing a quick and reliable way to verify their integrity.

What is a hash and why is it important?

A hash is a fixed-length string of characters that acts as a fingerprint of a file's content. Even the slightest change in the file produces a completely different hash. This property makes it an essential tool for detecting corruption, tampering, or incomplete downloads.

Basic usage of md5sum

The MD5 algorithm generates a 128-bit (32 hexadecimal characters) digest. Although today it is considered cryptographically weak for security purposes, it remains useful for quick integrity checks in non-adversarial environments.

  • Open a terminal.
  • Navigate to the directory where the file is located.
  • Run: md5sum filename.iso
  • The command will return something like: d41d8cd98f00b204e9800998ecf8427e  filename.iso
  • Save that value to a reference file if needed: md5sum filename.iso > filename.md5

Basic usage of sha256sum

SHA‑256 produces a 256-bit (64 hexadecimal characters) hash and is considered secure for most current applications. The procedure is identical to that of md5sum, but the algorithm offers greater resistance to collisions.

  • In the same terminal, run: sha256sum filename.iso
  • You will get an output similar to: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  filename.iso
  • To create a reference file: sha256sum filename.iso > filename.sha256

Comparing hashes and validating integrity

Once you have the reference hash (provided by the developer, on a web page, or in a .md5/.sha256 file), you just need to recompute the hash of the downloaded file and compare the two values.

  • If the hashes match exactly, the file is intact.
  • If they differ, the file has been corrupted or modified, or the download was incomplete.
  • To automate the comparison, you can use: md5sum -c filename.md5 or sha256sum -c filename.sha256

Practical examples

Suppose you downloaded a Linux distribution ISO image and the website provides its SHA‑256 hash:

# Download the ISO
wget https://example.com/distro-latest.iso
# Get the official hash (you can copy it manually)
echo '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  distro-latest.iso' > distro.sha256
# Verify
sha256sum -c distro.sha256

If the output indicates distro-latest.iso: OK, the verification is successful.

Security tips and best practices

  • Always prefer SHA‑256 (or a newer algorithm such as SHA‑3) over MD5 when security matters.
  • Verify hashes via a channel different from the download (e.g., check the project’s official page, or verify the PGP signature on the hash file).
  • Keep your tools updated; recent versions of coreutils include performance improvements.
  • Automate verification in installation or deployment scripts to avoid human error.
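
As an added example (not part of the original post), the following shell function shows one way to automate the check in a deployment script so that it fails closed: an empty or malformed reference hash, a missing file, or a mismatch all return non-zero. The name verify_sha256 and the sample file are assumptions made for illustration; the digest is the one used in the practical example above.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check for an install or deployment script.
# verify_sha256 is a hypothetical helper name; the sample file is constructed.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
# Returns 2 for a bad reference value, 3 for a missing file, 1 for a mismatch.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex

    # Reject an empty or malformed reference instead of comparing against it:
    # a reference that failed to load must never count as a match.
    case $expected in
        ''|*[!0-9a-f]*) echo "bad reference hash" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad reference hash length" >&2; return 2; }

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 3; }

    # Reading from stdin makes sha256sum print "<hash>  -", so the file name
    # never appears in the output and cannot affect parsing.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $file" >&2
    return 1
}

demo() {
    tmp=$(mktemp -d) || return 1
    printf 'test' > "$tmp/pkg.bin"             # constructed sample "download"
    good=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
    verify_sha256 "$tmp/pkg.bin" "$good" && echo "pkg.bin: OK"
    printf 'x' >> "$tmp/pkg.bin"               # simulate a modified file
    verify_sha256 "$tmp/pkg.bin" "$good" || echo "pkg.bin: FAILED"
    rm -rf "$tmp"
}

demo
```

In a real script the reference digest should come from the separate channel mentioned above, not from the same location as the download.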

With these steps, you can trust that the files you handle on your Linux system are exactly what the author intended, protecting you against corrupt downloads or malicious tampering.


This work is licensed under a Creative Commons Attribution 4.0 International License for Francesc Roig francesc@vivaldi.net.