ZeroTool Workbench
File Hash Checker
Compute SHA-256, SHA-1, SHA-384, SHA-512, and MD5 checksums of any local file in your browser. No upload — verify download integrity privately and compare against an expected hash.
How to use
- Drop a file into the upload zone or click to pick one.
- Leave SHA-256 checked, or pick additional algorithms (SHA-1, SHA-384, SHA-512, MD5).
- Click Compute Hashes. Each result lands in its own row with a copy button.
- To verify a download, paste the expected hash from the vendor into the bottom field. The tool reports which row it matches, case-insensitive.
What this checker is for
- Download verification — confirm an ISO, installer, or release archive matches the SHA-256 the project published.
- Build artifact integrity — check that a build output hasn’t been altered in transit through CI artifacts, S3, or a corporate proxy.
- Cross-system file identity — quickly tell whether two copies of a binary are byte-identical.
- Legacy compatibility — many distros still publish MD5 or SHA-1 alongside SHA-256; this tool gives you all of them in one pass.
How the hashing works
Hashing happens locally. The file is read with the File.arrayBuffer() API into
a single ArrayBuffer. SHA-1, SHA-256, SHA-384, and SHA-512 are then handed to
crypto.subtle.digest(), which is the browser’s native, hardware-accelerated
implementation. MD5 is not exposed by Web Crypto, so a compact public-domain MD5 routine
runs over the same byte array directly in JavaScript. The resulting hex digests are
rendered into the result rows, never sent anywhere.
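The flow described above, combined with the case-insensitive comparison from the usage steps, written as an added example that is not this tool's own code. The names `ALGS_BY_HEX_LEN`, `normalizeHex`, `hexDigest` and `matchExpected` are assumptions, and picking the algorithm from the length of the pasted hash is a simplification of "report which row matches".

```javascript
// Web Crypto is a global in browsers and current Node.js; older Node exposes it via node:crypto.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Hex digest length -> Web Crypto algorithm name. MD5 (32 hex characters) is
// absent because Web Crypto does not implement it.
const ALGS_BY_HEX_LEN = { 40: 'SHA-1', 64: 'SHA-256', 96: 'SHA-384', 128: 'SHA-512' };

// Trim and lower-case a pasted hash; return null if it is not plain hex.
function normalizeHex(s) {
  const h = String(s).trim().toLowerCase();
  return /^[0-9a-f]+$/.test(h) ? h : null;
}

// Hash the bytes with the native implementation and hex-encode the result.
async function hexDigest(alg, bytes) {
  const buf = await subtle.digest(alg, bytes);
  return Array.from(new Uint8Array(buf), b => b.toString(16).padStart(2, '0')).join('');
}

// Compare file bytes against an expected hash. Returns { alg, match };
// alg is null when the pasted value is not a SHA-1/256/384/512 hex digest.
async function matchExpected(bytes, expected) {
  const want = normalizeHex(expected);
  const alg = want ? ALGS_BY_HEX_LEN[want.length] : undefined;
  if (!alg) return { alg: null, match: false };
  return { alg, match: (await hexDigest(alg, bytes)) === want };
}

// Constructed sample input. In a page, the bytes would come from
// `await file.arrayBuffer()` on the File the user picked.
const SAMPLE = new TextEncoder().encode('abc');
matchExpected(SAMPLE, 'BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD')
  .then(r => console.log(r.alg, r.match ? 'matches' : 'does not match'));
```

A pasted value that is not valid hex, or whose length maps to no supported algorithm (an MD5 value, for instance), comes back with `alg: null` instead of being reported as a mismatch.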
SHA-256 versus the legacy algorithms
SHA-256 is the default for a reason. It is part of the SHA-2 family, has no known practical collision attacks, and is what modern toolchains (rustup, cargo, npm, Docker registries, GitHub Releases, Linux package mirrors) publish today. SHA-1 collisions have been demonstrated since 2017 (SHAttered) and MD5 collisions are trivial to construct. They still have a place when the publisher only offers those values, but treat them as “did this download arrive intact” hints — not as proofs of authenticity.
Limits by design
This tool computes hashes of a single local file in one pass. It does not stream
through multi-gigabyte files, sign or verify signatures, check GPG / PGP keys, or
reach out to any server. For huge archives use sha256sum (Linux),
shasum -a 256 (macOS), or certutil -hashfile (Windows).
For signature verification, use gpg --verify or cosign verify
against the publisher’s signing key.
FAQ
Which hash algorithms are supported?
SHA-1, SHA-256, SHA-384, and SHA-512 are computed via the browser's built-in Web Crypto API. MD5 uses a bundled public-domain JavaScript routine. SHA-256 is the default and the recommended choice for new verification flows.
Are MD5 and SHA-1 still safe to use?
No, not for cryptographic security. Both have known collision attacks. They remain useful as legacy checksums when a software vendor publishes an MD5 or SHA-1 alongside a download. Treat them as integrity hints rather than guarantees, and prefer SHA-256 when you have the choice.
Is the file uploaded anywhere?
No. The file is read into your browser as an ArrayBuffer and hashed locally. The SHA family runs on the device through Web Crypto; MD5 runs through the inline JavaScript routine bundled in this page. Nothing leaves the tab — safe for build artifacts, signed packages, and confidential downloads.
What is the practical file size limit?
Designed for files up to about 1 GB. Beyond that, browsers cap ArrayBuffer allocation near 2 GB and performance depends on available memory. For TB-scale archives use the command line: sha256sum on Linux, shasum -a 256 on macOS, or certutil -hashfile <file> SHA256 on Windows.
Why is MD5 noticeably slower on large files?
SHA-1/256/384/512 run inside the browser's native crypto subsystem, which is implemented in compiled code and benefits from hardware acceleration. MD5 here runs in pure JavaScript because Web Crypto does not implement it. For files above ~100 MB the wall-clock difference becomes obvious; stick with SHA-256 when only one algorithm is needed.