{"id":6,"date":"2026-06-20T09:00:00","date_gmt":"2026-06-20T09:00:00","guid":{"rendered":"http:\/\/backendside.com\/blog\/2026\/06\/20\/complete-guide-to-file-integrity-checks\/"},"modified":"2026-06-24T04:24:59","modified_gmt":"2026-06-24T04:24:59","slug":"complete-guide-to-file-integrity-checks","status":"publish","type":"post","link":"https:\/\/backendside.com\/blog\/2026\/06\/20\/complete-guide-to-file-integrity-checks\/","title":{"rendered":"The Complete Guide to File Integrity Checks"},"content":{"rendered":"<p class=\"lead\">A file integrity check is the simplest, cheapest insurance in computing: a quick way to prove that a file is <em>exactly<\/em> what it should be &mdash; bit for bit &mdash; whether it just finished downloading, sat in a backup for three years, or was copied across a flaky network. This guide explains what integrity checks are, how to run them on any platform, which algorithm to pick, and the practices that separate a real guarantee from a false sense of security.<\/p>\n<h2>What is a file integrity check?<\/h2>\n<p>A file integrity check works by computing a <strong>cryptographic hash<\/strong> &mdash; a short, fixed-size fingerprint &mdash; of a file&#8217;s contents, then comparing it against a known-good value. If the two match, the file is intact. If even a single byte differs, the fingerprints will look nothing alike, and you know the file changed.<\/p>\n<p>That fingerprint is called a <em>checksum<\/em>, <em>hash<\/em> or <em>digest<\/em>. The same input always produces the same digest, so two people on opposite sides of the world can independently confirm they hold an identical file.<\/p>\n<h2>Why file integrity matters<\/h2>\n<ul>\n<li><strong>Downloads<\/strong> can be silently corrupted in transit, or deliberately replaced on a compromised mirror. A checksum catches both.<\/li>\n<li><strong>Backups and archives<\/strong> suffer <em>bit rot<\/em> &mdash; slow, silent corruption on disks and tapes over time. 
Re-hashing detects it before you need the data.<\/li>\n<li><strong>Deployments<\/strong> must ship the exact artifact that was built and tested, not a truncated or swapped copy.<\/li>\n<li><strong>Forensics and compliance<\/strong> depend on being able to prove that evidence or records were never altered.<\/li>\n<\/ul>\n<h2>How it works, step by step<\/h2>\n<ol>\n<li>The publisher computes the hash of the original file.<\/li>\n<li>They publish that hash next to the download (often in a <code>SHA256SUMS<\/code> file covering many files at once).<\/li>\n<li>You download the file.<\/li>\n<li>You compute the hash of <em>your<\/em> copy.<\/li>\n<li>You compare the two values. Match = intact; mismatch = corrupted or tampered.<\/li>\n<\/ol>\n<h2>Choosing a hash algorithm<\/h2>\n<p>Not every algorithm is appropriate for every job. The key question is whether you only need to catch <em>accidental<\/em> corruption, or also defend against a <em>deliberate<\/em> attacker.<\/p>\n<table style=\"width:100%;border-collapse:collapse;margin:1rem 0;font-size:.9rem;\">\n<thead>\n<tr style=\"background:#f2f1ef;\">\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Algorithm<\/th>\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Good for<\/th>\n<th style=\"text-align:left;padding:.6rem .8rem;border:1px solid #e4e2de;\">Notes<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">CRC-32<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Accidental corruption only<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Fast, tiny, but not cryptographic &mdash; never for tamper detection<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">MD5 \/ SHA-1<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Legacy \/ non-adversarial checks<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\"><strong 
style=\"color:#b91c1c;\">Broken<\/strong> against deliberate collisions &mdash; avoid for security<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">SHA-256<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">The default choice<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\"><strong style=\"color:#1a7f5a;\">Secure<\/strong> baseline for tamper-evident integrity<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">SHA-512 \/ BLAKE3<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Large files, high throughput<\/td>\n<td style=\"padding:.6rem .8rem;border:1px solid #e4e2de;\">Secure and often faster on modern 64-bit hardware<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>For anything that must resist tampering, use <strong>SHA-256 or stronger<\/strong>. If you want the full story on why the older functions fell, see our companion article, <a href=\"https:\/\/backendside.com\/blog\/2026\/06\/12\/understanding-sha256-why-it-matters\/\">Understanding SHA-256: Why It Matters<\/a>.<\/p>\n<h2>Computing checksums on every platform<\/h2>\n<p>Every major operating system can do this out of the box:<\/p>\n<pre><code># Linux &mdash; hash a file, then verify against a checksum file\nsha256sum file.zip\nsha256sum -c SHA256SUMS\n\n# macOS\nshasum -a 256 file.zip\n\n# Windows (PowerShell)\nGet-FileHash file.zip -Algorithm SHA256\n\n# Windows (Command Prompt)\ncertutil -hashfile file.zip SHA256<\/code><\/pre>\n<p>The <code>SHA256SUMS<\/code> approach scales nicely: one text file lists the expected hash for every file in a release, and <code>sha256sum -c<\/code> verifies them all in a single command.<\/p>\n<div style=\"border:1px solid #c5d3f8;background:linear-gradient(135deg,#eef2fd 0%,#ffffff 72%);border-radius:14px;padding:1.5rem 1.65rem;margin:2rem 0;\">\n<div 
style=\"font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;color:#2d5be3;margin-bottom:.55rem;\">&#128295; BackendSide Tool<\/div>\n<h4 style=\"margin:0 0 .45rem;font-size:1.15rem;color:#1a1916;font-weight:700;\">HashGen &mdash; File &amp; Folder Integrity for Windows<\/h4>\n<p style=\"margin:0 0 1.05rem;color:#3d3c38;font-size:.92rem;line-height:1.65;\">Verifying one file is easy; verifying thousands is where <strong>HashGen<\/strong> shines. It generates and checks SHA-256 &mdash; plus SHA-3, BLAKE3, SHA-512 and more &mdash; for text, files and entire folders. Write and validate <code>SHA256SUMS<\/code> manifests, run keyed HMAC hashing, and hash large directory trees in parallel, all completely offline with nothing leaving your machine.<\/p>\n<p>  <a href=\"https:\/\/backendside.com\/hashgen.php\" style=\"display:inline-flex;align-items:center;gap:.4rem;background:#2d5be3;color:#ffffff;font-weight:600;font-size:.85rem;padding:.6rem 1.2rem;border-radius:6px;text-decoration:none;\">Explore HashGen &rarr;<\/a>\n<\/div>\n<h2>Verifying a download the right way<\/h2>\n<p>Computing a hash is only half the job &mdash; <em>where you get the expected value<\/em> is what makes the check trustworthy.<\/p>\n<ul>\n<li><strong>Get the expected hash from an independent, trusted channel.<\/strong> If you download the file and the checksum from the same compromised mirror, an attacker simply swaps both. Fetch the checksum over HTTPS from the official site.<\/li>\n<li><strong>Prefer signed checksums.<\/strong> Many projects publish a <code>SHA256SUMS<\/code> file with a GPG signature. 
Verifying the signature proves the checksum list itself is authentic &mdash; not just internally consistent.<\/li>\n<li><strong>Compare the whole string.<\/strong> Don&#8217;t eyeball only the first and last few characters; let a tool compare the full digest.<\/li>\n<\/ul>\n<h2>Beyond downloads: where integrity checks pay off<\/h2>\n<ul>\n<li><strong>Backups &amp; archives.<\/strong> Store a checksum manifest alongside each archive and re-verify it periodically to catch bit rot before a restore fails.<\/li>\n<li><strong>File transfers.<\/strong> After a large SFTP\/FTP copy or a move between drives, hash both ends to confirm nothing was truncated.<\/li>\n<li><strong>Deployment artifacts.<\/strong> Pin the expected hash of a build artifact and verify it in your pipeline so only the tested binary ships.<\/li>\n<li><strong>Forensics &amp; recovery.<\/strong> Hash evidence to prove it was untouched &mdash; and verify that files reconstructed during recovery came back whole.<\/li>\n<\/ul>\n<div style=\"border:1px solid #c5d3f8;background:linear-gradient(135deg,#eef2fd 0%,#ffffff 72%);border-radius:14px;padding:1.5rem 1.65rem;margin:2rem 0;\">\n<div style=\"font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;color:#2d5be3;margin-bottom:.55rem;\">&#128295; BackendSide Tool<\/div>\n<h4 style=\"margin:0 0 .45rem;font-size:1.15rem;color:#1a1916;font-weight:700;\">DeepRecoveryDesk &mdash; Integrity-Verified File Recovery<\/h4>\n<p style=\"margin:0 0 1.05rem;color:#3d3c38;font-size:.92rem;line-height:1.65;\">When you recover deleted files, you need to know they came back whole. <strong>DeepRecoveryDesk<\/strong> reconstructs files from the Recycle Bin, NTFS, FAT32 and exFAT drives &mdash; and via deep signature carving after a format &mdash; then verifies <em>every<\/em> recovered file with a SHA-256 checksum. 
It reads your drives strictly read-only and sends no telemetry, so recovery never costs you more data.<\/p>\n<p>  <a href=\"https:\/\/backendside.com\/deeprecoverydesk.php\" style=\"display:inline-flex;align-items:center;gap:.4rem;background:#2d5be3;color:#ffffff;font-weight:600;font-size:.85rem;padding:.6rem 1.2rem;border-radius:6px;text-decoration:none;\">Explore DeepRecoveryDesk &rarr;<\/a>\n<\/div>\n<h2>Integrity vs authenticity vs confidentiality<\/h2>\n<p>These three are easy to conflate but solve different problems:<\/p>\n<ul>\n<li><strong>Integrity<\/strong> &mdash; the file has not changed. A plain checksum gives you this against <em>accidental<\/em> corruption.<\/li>\n<li><strong>Authenticity<\/strong> &mdash; the file genuinely comes from who you think. This needs a <strong>digital signature<\/strong> or <strong>HMAC<\/strong>, because a determined attacker could otherwise alter both the file and its checksum.<\/li>\n<li><strong>Confidentiality<\/strong> &mdash; the file stays secret. That is the job of <strong>encryption<\/strong>, not hashing.<\/li>\n<\/ul>\n<p>In short: a bare checksum proves integrity; pair it with a signature when you also need to trust the source.<\/p>\n<h2>Best-practice checklist<\/h2>\n<ul>\n<li>Use <strong>SHA-256 or stronger<\/strong> for anything security-relevant.<\/li>\n<li>Always obtain the expected hash from a <strong>trusted, independent<\/strong> source.<\/li>\n<li>Verify <strong>after<\/strong> downloads, transfers, and restores &mdash; not just once at creation.<\/li>\n<li>For many files, use a <strong>checksum manifest<\/strong> (e.g. 
<code>SHA256SUMS<\/code>) and verify in one pass.<\/li>\n<li>Prefer <strong>signed<\/strong> checksums when the source could be attacked.<\/li>\n<li><strong>Automate<\/strong> integrity checks in backups and deployment pipelines so they actually happen.<\/li>\n<\/ul>\n<h2>Key takeaways<\/h2>\n<p>File integrity checks turn &#8220;I think this file is fine&#8221; into &#8220;I can prove it.&#8221; They cost milliseconds, work on every platform, and catch everything from a dropped packet to a malicious swap. Pick a strong algorithm, verify against a trusted value, and bake the habit into your downloads, backups and deployments &mdash; and a whole class of silent failures simply stops being able to hurt you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A practical, end-to-end guide to file integrity checks: what they are, how to compute and verify checksums on every platform, which hash algorithm to choose, and the best practices that turn a checksum into a real guarantee.<\/p>\n","protected":false},"author":1,"featured_media":18,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-6","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/6","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/comments?post=6"}],"version-history":[{"count":1,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/6\/revisions"}],"predecessor-version":[{"id":17,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/posts\/6\/revisions\/17"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/media\/18"}],"wp:attachment":[{"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/media?parent=6"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/categories?post=6"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/backendside.com\/blog\/wp-json\/wp\/v2\/tags?post=6"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}