What Is an MD5 Checksum and How Do You Verify One?
An MD5 checksum is a 32-character hexadecimal string generated from a file using the MD5 hash algorithm. It acts as a fingerprint: if a downloaded file's checksum matches the one published by the source, the file is intact and untampered. If even one byte differs, the checksum changes completely.
Checksums are how you answer the question "did this file arrive exactly as the author intended?" Here's how MD5 checksums work and how to verify them.
What an MD5 Checksum Looks Like
Run MD5 over any file or string and you always get 32 hex characters (128 bits):
MD5("hello") = 5d41402abc4b2a76b9719d911017c592
MD5("hello.") = 243c4c0a39608500f5c2dca5b34a8a07
Adding a single period changes the entire output — that's the avalanche effect, and it's why checksums catch corruption. A truncated download, a flipped bit, or a tampered installer all produce a different checksum.
Checksum vs Hash vs Digest
These terms overlap:
- Hash / digest — the raw output of a hash function over any input.
- Checksum — a hash used specifically to verify integrity of a file or message.
So an MD5 checksum is just an MD5 hash being used for verification. (For the bigger picture, see What Is a Hash Function?.)
How to Generate an MD5 Checksum
From the command line:
# Linux
md5sum ubuntu.iso
# macOS
md5 ubuntu.iso
# Windows (PowerShell)
Get-FileHash ubuntu.iso -Algorithm MD5
To checksum a piece of text rather than a file, paste it into our MD5 Hash Generator for an instant result.
How to Verify an MD5 Checksum
Verification is a simple comparison: compute the checksum of your copy and compare it to the published value from the source.
# Compare manually
md5sum downloaded-file.iso
# 8f21b... ← does this match the value on the download page?
# Or verify automatically against a checksum file
md5sum -c checksums.md5
# downloaded-file.iso: OK
If the two values match exactly, the file is intact. If they differ, do not use the file — re-download it. A mismatch means corruption or tampering.
When MD5 Checksums Are (and Aren't) Safe
This is the critical caveat. MD5 is broken for security — attackers can craft two different files with the same MD5 hash (a collision). So:
- ✅ Safe for catching accidental corruption (network glitches, bad disks). A random error won't produce a matching hash.
- ❌ Unsafe as proof a file wasn't maliciously altered. A determined attacker could substitute a malicious file with a matching MD5.
For security-sensitive verification, use a SHA-256 checksum instead. Many projects now publish both. Generate one with our SHA-256 Hash Generator, or compare algorithms in SHA-1 vs SHA-256 vs SHA-512.
Frequently Asked Questions
What is an MD5 checksum? A 32-character hexadecimal fingerprint of a file produced by the MD5 algorithm, used to verify the file downloaded or transferred without corruption.
How do I verify an MD5 checksum? Compute the MD5 of your downloaded file and compare it to the value published by the source. Matching values mean the file is intact.
What does an MD5 checksum look like?
A 32-character string of hex digits, for example 5d41402abc4b2a76b9719d911017c592.
Is an MD5 checksum the same as an MD5 hash? Yes — "checksum" just describes an MD5 hash being used to verify integrity.
Is MD5 safe for verifying downloads? It's fine for detecting accidental corruption but not malicious tampering. Use SHA-256 when security matters.
Related Reading
Bottom line: MD5 checksums are a quick, reliable way to confirm a file copied correctly — just reach for SHA-256 whenever an attacker, not just a network hiccup, is part of your threat model.