How to Verify Checksums on Linux (sha256sum & md5sum)

• →sha256sum file → hash; -c verifies against a saved list.
• →md5sum is faster but broken — use sha256sum for integrity.
• →find . -type f -print0 | xargs -0 sha256sum hashes a whole tree.
• →For real folder verification (incl. added files) use a manifest.

Hash a file

sha256sum is part of GNU coreutils and present on essentially every Linux distribution. Give it a filename and it prints the hash followed by the name:

sha256sum ubuntu.iso
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  ubuntu.iso

The two spaces between the hash and the filename are part of the format — the first space marks text mode, and a * there would mark binary mode. Want only the digest, with no filename? Cut the first field:

sha256sum ubuntu.iso | cut -d' ' -f1

md5sum vs sha256sum

They're siblings: same interface, different algorithm. md5sum is faster and fine as a quick non-security checksum, but MD5 is cryptographically broken — a malicious file can be crafted to match a given MD5. For anything where tampering matters, use sha256sum.

md5sum ubuntu.iso
# d41d8cd98f00b204e9800998ecf8427e  ubuntu.iso   (fast, but not tamper-proof)

sha256sum ubuntu.iso
# 9f86d081...0f00a08  ubuntu.iso                 (the secure default)

The full trade-off — speed numbers, collision resistance, and when each is acceptable — is in MD5 vs SHA-256. Short version: reach for sha256sum unless you have a specific reason not to.

Verify a download with check mode (-c)

The cleanest way to confirm a download is the built-in check mode. Save the published hash and filename to a .sha256 file, then let sha256sum -c re-hash and compare:

# the published hash, saved exactly as "hash␠␠filename"
echo "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  ubuntu.iso" > ubuntu.iso.sha256

sha256sum -c ubuntu.iso.sha256
ubuntu.iso: OK

A mismatch prints ubuntu.iso: FAILED and a warning summary. You can also skip the file and pipe the expected line straight in:

echo "9f86d081...0f00a08  ubuntu.iso" | sha256sum -c -

Checksum a whole folder

sha256sum takes many files at once, so combine it with find to hash an entire tree into a single manifest. Use -print0/-0 so paths with spaces survive:

# build a manifest of every file under ./project
find ./project -type f -print0 | xargs -0 sha256sum > project.sha256

# later, verify nothing in the manifest changed
sha256sum -c project.sha256
./project/report.pdf: OK
./project/data.csv: OK
./project/config.yml: FAILED

That's a genuine integrity check for the files you recorded — and it's reproducible and free. For many jobs it's all you need.

The gap: -c ignores added files

Here's the subtle trap. sha256sum -c only checks the lines in the manifest. It will flag a modified file (FAILED) and a deleted one (No such file or directory) — but a brand-new file dropped into the folder simply isn't in the manifest, so it's silently ignored.

For untrusted folders — anywhere an extra file is exactly what you'd worry about — that blind spot matters. Closing it means comparing the whole snapshot, not just a list of expected hashes.

Verify folders repeatably (additions included)

The FolderManifest CLI runs on Linux and treats the folder as a whole. Generate a SHA-256 baseline once:

foldermanifest generate ./project --format json --out project-baseline

Then verify against it. Because it compares the full snapshot, it catches additions, deletions, and modifications — and exits 0 for unchanged, 1 for drift, so it slots into a cron job or CI step without parsing output:

foldermanifest verify ./project --manifest project-baseline.json
echo "exit: $?"   # 0 = unchanged, 1 = something was added/removed/modified

To run it on a schedule with cron and alert only on drift, see automating folder verification. On Windows? The same idea with PowerShell Get-FileHash.