How to verify an installer's SHA-256
SHA-256 is a "fingerprint" computed from a file's contents. Change even one byte and the fingerprint changes completely. Spend a few seconds matching your download's fingerprint to the official published value and you confirm the file is complete and hasn't been tampered with or swapped.
Commands per OS
- Windows:
certutil -hashfile filename SHA256 - macOS:
shasum -a 256 filename - Linux:
sha256sum filename
How to compare
Match the hex string the command prints against the SHA-256 the official page provides (or paste it into a text search). Exactly equal means the file is fine; if a single digit differs, don't install — re-download from the official source.
Beyond the checksum
Reputable desktop apps add stronger protection: Windows installers are code-signed, the macOS app is Apple-notarized and checked by Gatekeeper, and Linux packages are GPG-signed. These complement SHA-256 to ensure you install a genuine, complete file. Always download from official channels.
- SHA-256 is a file fingerprint — match it to be safe.
- Use certutil (Windows), shasum (macOS), sha256sum (Linux).
- Combine with signing/notarization/GPG; download officially.
Download from official channels and check the checksum before installing.
Download the desktop app, free