Skip to content

Answers/The trust queries

How to verify a downloaded file with SHA-256 checksums, step by step

A SHA-256 checksum is a short fingerprint of a file. If you compute the fingerprint of your download and it matches the fingerprint the vendor publishes, you know the file wasn't corrupted or swapped on the way to you. It doesn't prove the vendor is honest — it proves you got what they meant to send.

On macOS

Open Terminal. Type `shasum -a 256 ` (with the trailing space), then drag the downloaded file into the terminal window. Press Enter. Compare the 64-character output to the one on the vendor's page.

On Windows

Open PowerShell. Type `Get-FileHash 'C:\path\to\file'` (or drag the file after typing `Get-FileHash `). Press Enter. Compare the Hash output to the one on the vendor's page.

On Linux

Open a terminal. Type `sha256sum /path/to/file`. Compare to the vendor's published hash.

What the check proves

It proves the file is byte-identical to the file the vendor named. It does not prove the vendor is trustworthy — that's a separate question. For Elba, the published SHA-256 is on the /verify page.

Questions people actually ask

What if the checksums don't match?
Don't run the file. Redownload it (network glitch), or check that you're comparing the right published hash for the right version.
Is SHA-256 still secure?
Yes — no practical collisions and the primary hash used in modern software distribution.

Take the island

Elba is one HTML file. It runs locally in a Chromium browser, seals a folder with AES-256-GCM, never phones home, and becomes open source on 1 January 2030.

  1. €49MMXXVI· now ·
  2. €39MMXXVII2027
  3. €29MMXXVIII2028
  4. €19MMXXIX2029
  5. FreeMMXXX2030

the price falls each year · free to all 1 jan 2030

pay once · no account · nothing leaves

Related answers