In the Linux world, ensuring that a file has not been altered is essential for both system administrators and daily users. The commandsmd5sumandsha256sumallow to calculate and compare cryptographic summaries (hashes) of files, providing a fast and reliable way to verify their integrity.
What's a hash and why is it important?
A hash is a fixed length character chain that represents in a unique way the content of a file. Even the least change in the file produces a completely different hash. This property makes it an essential tool for detecting incomplete corruption, manipulation or downloads.
Basic use ofmd5sum
The MD5 algorithm generates a summary of 128 bits (32 hexadecimal characters). Although today it is considered cryptologically weak for security purposes, it remains useful for rapid integrity checks in non-adversarial environments.
- Open a terminal.
- Sail to the directory where the file is located.
- Run:
md5sum nombre_del_archivo.iso - The command will return something like:
d41d8cd98f00b204e9800998ecf8427e nombre_del_archivo.iso - Save that value in a reference file if you need it:
md5sum nombre_del_archivo.iso > archivo.md5
Basic use ofsha256sum
SHA-256 produces a 256-bit hash (64 hexadecimal characters) and is considered safe for most current applications. Its process is identical to that of md5sum, but with greater resistance to collisions.
- In the same terminal, it runs:
sha256sum nombre_del_archivo.iso - You'll get a similar output:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 nombre_del_archivo.iso - To create a reference file:
sha256sum nombre_del_archivo.iso > archivo.sha256
Compare hash and validate integrity
Once you have the reference hash (provided by the developer, on a web page or in a .md5 / .sha256 file), it is enough to recalculate the hash of the downloaded file and compare both values.
- If the hashes match exactly, the file is intact.
- If they differ, the file has been corrupted, modified or the download was incomplete.
- To automate comparison, you can use:
md5sum -c archivo.md5orsha256sum -c archivo.sha256
Practical examples
Suppose you downloaded an ISO image from a Linux distribution and the website offers your Hash SHA-256:
# Download the ISOwget https: / / example.com / distro-latest.iso # Get the official hash (you can copy it manually) echo '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0822cd15d6c15b0f00a08 distro-latest.iso' > distro.sha256 # Verificarsha256sum -c distro.sha256
If the output indicatesdistro-latest.iso: OKThe verification is successful.
Safety advice and good practices
- It always prefers SHA-256 (or higher as SHA-3) over MD5 when safety is relevant.
- Verify the hashes by a channel other than the download (e.g. check the official project page or use PGP to sign the hash file).
- Keep your tools up to date; recent versions of choreutils include performance improvements.
- Automates verification in installation or deployment scripts to avoid human errors.
With these steps, you can trust that the files you drive on your Linux system are exactly what the author intends, protecting you against corrupt downloads or malicious manipulations.
