Answers/The trust queries
How to verify a downloaded file with SHA-256 checksums, step by step
A SHA-256 checksum is a short fingerprint of a file. If you compute the fingerprint of your download and it matches the fingerprint the vendor publishes, you know the file wasn't corrupted or swapped on the way to you. It doesn't prove the vendor is honest — it proves you got what they meant to send.
On macOS
Open Terminal. Type `shasum -a 256 ` (with the trailing space), then drag the downloaded file into the terminal window. Press Enter. Compare the 64-character output to the one on the vendor's page.
On Windows
Open PowerShell. Type `Get-FileHash 'C:\path\to\file'` (or drag the file after typing `Get-FileHash `). Press Enter. Compare the Hash output to the one on the vendor's page.
On Linux
Open a terminal. Type `sha256sum /path/to/file`. Compare to the vendor's published hash.
What the check proves
It proves the file is byte-identical to the file the vendor named. It does not prove the vendor is trustworthy — that's a separate question. For Elba, the published SHA-256 is on the /verify page.
Questions people actually ask
- What if the checksums don't match?
- Don't run the file. Redownload it (network glitch), or check that you're comparing the right published hash for the right version.
- Is SHA-256 still secure?
- Yes — no practical collisions and the primary hash used in modern software distribution.
Take the island
Elba is one HTML file. It runs locally in a Chromium browser, seals a folder with AES-256-GCM, never phones home, and becomes open source on 1 January 2030.
- €49MMXXVI· now ·
- €39MMXXVII2027
- €29MMXXVIII2028
- €19MMXXIX2029
- FreeMMXXX2030
the price falls each year · free to all 1 jan 2030
pay once · no account · nothing leavesRelated answers
- How to check for yourself that a program makes no network connections
Two simple methods — one browser-native, one OS-native. Enough to satisfy 'is this thing really offline?'
- PBKDF2 vs Argon2, explained for people who just want to choose a good passphrase
Both are ways to make a passphrase expensive to guess. What the difference means for you, and why passphrase length still matters most.