Using SHA256 hashes to maintain data integrity on Linux and MacOS

Have you ever downloaded a Linux ISO or transferred files to a USB stick, only to wonder if they got corrupted?

Hashing, while often linked to encryption, primarily ensures data integrity by verifying files are unaltered during transfer.

In this tutorial, we'll show how to use SHA-256 hashes and attach a hash file alongside your main files.

🔎 Note: Basic Linux or MacOS terminal knowledge is required.

This tutorial is based on my personal experience and demonstrates how to use SHA‑256 hashes to maintain the integrity of your files. It is not an official or professional guideline. Please read the LEGAL NOTES / DISCLAIMER carefully — any accidental data loss resulting from applying these instructions is your responsibility and cannot be attributed to the author.

📑 Table of Contents

• 1. What is a Hash?
• 2. Calculating the Hash of a Single File
• 3. Stopping a Running Hash Process
• 4. Manually Verify a Single File
• 5. Create a Hash File (.sha256.txt)
• 6. Automatically Verifying a File Against its Hash File
• 7. Generate a Manifest Without Subfolders
• 8. Why not just create a ZIP archive?
• 9. Should you store the hash file in the same folder?

1. What is a Hash?

A hash is like a digital fingerprint of a file. It is a fixed-length string generated by an algorithm that represents a file.

• Each file produces a unique hash.
• Even a small change produces a completely different hash.
• Perfect for checking that files are intact.
• Fixed size hash: SHA-256 always produces a 256-bit hash (64-character hex string), no matter the size of the file. This makes it a compact, reliable digital fingerprint.
• Collision: A collision occurs when two different files produce the same hash. This is possible with old algorithm, like MD5 but extremely unlikely with SHA-256.

2. Calculating the Hash of a Single File

A very common scenario is verifying the integrity of a freshly downloaded Linux distribution ISO file. This method works on Ubuntu, its derivatives, and MacOS. Suppose you have just downloaded the latest Ubuntu 22.04 ISO into your Downloads folder and want to make sure the file was not corrupted during the download.

In Ubuntu / Linux: open the folder where you saved the ISO, right-click inside it, and choose “Open in Terminal” (or a similar option).

In MacOS: open the folder containing the ISO with Finder. Make sure the path bar is visible (usually at the bottom of the Finder window). If it is not, enable it via the menu: View → Show Path Bar. In the path bar, Ctrl+click (or right-click) the folder name and select "Open in Terminal" (or a similar option).

Both methods will start a terminal with its current directory set to the folder containing your ISO file.
More advanced users can also navigate to the ISO folder directly from the terminal if they prefer.

You can now run the hash command. Using the TAB key for autocompletion is very helpful for long filenames and speeds up typing.

For example, to compute the SHA‑256 hash of ubuntu-22.04.5-desktop-amd64.iso:

Ubuntu / Linux:

sha256sum ubuntu-22.04.5-desktop-amd64.iso

MacOS:

shasum -a 256 ubuntu-22.04.5-desktop-amd64.iso

The process may take some time, depending on your system and the size of the file. Once complete, the terminal will display a hash string, for example:

bfd1cee02bc4f35db939e69b934ba49a39a378797ce9aee20f6e3e3e728fefbf  ubuntu-22.04.5-desktop-amd64.iso

Note: hashing large files like ISO images may take several minutes. Please be patient.

3. Stopping a Running Hash Process

On both macOS and Linux, hashing commands (sha256sum, shasum, etc.) run in the foreground in the terminal. If you need to stop the process before it finishes, there are two main ways to do it:

Standard method:

Press Ctrl + C in the terminal while the hash is running.

This sends a SIGINT signal to the process, which interrupts it immediately.

Works with:

• sha256sum
• shasum -a 256
• Essentially any running CLI command

Alternative method (if the hashing terminal is unresponsive)

You can manually terminate the process using its PID (Process ID). Open a new terminal and follow these steps:

1. Find the PID:

In the new window terminal type:

ps aux | grep sha256

Explanation for non-experts:

ps aux lists all running processes in a formatted table with the following headers:

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

The symbol | is called a pipe. It takes the output of the first command (ps aux) and passes it as input to the next command grep then searches for text in that input.

• grep sha256 filters the output and shows only the lines containing "sha256".
• This way, you see only the hashing processes instead of all processes running on your system.

Example filtered output:

bugdroid  4321  0.0  0.1  24560  1232 pts/0    S+   14:12   0:00 sha256sum bigfile.iso

In this line, the second column (4321) is the PID — the number you will use to stop the process.

2. Terminate the process:

In window terminal type:

kill PID

Replace PID with the actual number from the previous step.

3. Force terminate if necessary:

Type

kill -9 PID

Use this only if the process does not stop with the standard kill. This forcibly ends the process.

(Manual termination is rarely needed, but can be useful if the process is stuck — for example, when hashing files on slow or faulty external devices.)

4. Manually Verify a Single File

Once you have generated the hash of your ISO file in Step 2, the next step is to verify that it matches the official value. You can do this in two ways:

1. Check the official Ubuntu release page:
   Open the release page in your browser and look for the SHA-256 hashes for the ISO you downloaded. Make sure the page is HTTPS and from the official Ubuntu website.
2. Use the SHA256SUMS file:
   Download the accompanying SHA256SUMS file from the official Ubuntu release page. This file contains all reference hashes for the release. You can open it in a text editor or browser to find the hash corresponding to your ISO.

Select and copy the hash value (the long alphanumeric string) from the terminal output of Step 2. In this example:

bfd1cee02bc4f35db939e69b934ba49a39a378797ce9aee20f6e3e3e728fefbf

To speed up the check, use the search function (usually Edit → Find) in your text editor or browser, and paste the copied hash to locate it among the official values.

• ✅ If the hash is found → your ISO is intact.
• ❌ If the hash is not present → the file may be corrupted or tampered with.

Note: Always obtain the reference hashes from a trusted source (official website, HTTPS page). Avoid copying hashes from untrusted mirrors or random websites.

💡 Note: Hashing large files (such as ISO images) may take some time depending on file size and disk speed, so be patient.

5. Create a Hash File (.sha256.txt)

In the above example, we verified the integrity of an Ubuntu ISO, but the same approach applies to any type of file — such as compressed archives, documents, or executables. Whenever you store a file on a portable medium (e.g., a USB drive) or plan to transfer it over the internet, it is recommended to also save a small text file containing the hash and the name of the algorithm used (e.g., SHA-256). For instance, alongside myfile.zip you could include a text file named myfile.zip.sha256.txt containing the SHA-256 hash output. You can name the file as you like, but adding the algorithm name to the filename makes it clear how the hash was generated. Later, anyone can verify the file by running the same hashing command on myfile.zip and comparing the result with the saved reference value.

You can create this hash file directly using the sha256sum command on Ubuntu/Linux or the shasum command on MacOS. For example:

Ubuntu/Linux:

sha256sum myfile.zip > myfile.zip.sha256.txt

MacOS:

shasum -a 256 myfile.zip > myfile.zip.sha256.txt

In the commands above, the > symbol is called a "redirection operator". It tells the shell to send the output of the command (the SHA-256 hash) into a file instead of displaying it on the terminal. For example, in

sha256sum myfile.zip > myfile.zip.sha256.txt

the hash output of myfile.zip is written into myfile.zip.sha256.txt. If the file already exists, it will be overwritten. This allows you to save the hash for later verification.

Note that the hash files created on Ubuntu/Linux with sha256sum and on macOS with shasum -a 256 are compatible. Both commands produce a text file with lines in the format:

<hash> <filename>

This means you can generate a hash file on one operating system and verify it on the other using sha256sum -c (Linux) or shasum -a 256 -c (MacOS) without issues.

6. Automatically Verifying a File Against its Hash File

So far, we’ve looked at manually verifying the hash of a single file. In this section, we’ll show how to automate the verification using the hash file, assuming it has already been created.

Generic command for automatic verification:

Ubuntu / Linux:

sha256sum -c <hash-file>

macOS:

shasum -a 256 -c <hash-file>

Replace <hash-file> with your hash file (e.g., myfile.zip.sha256.txt).

Examples:

Ubuntu / Linux:

sha256sum -c myfile.zip.sha256.txt

macOS:

shasum -a 256 -c myfile.zip.sha256.txt

Note: In some macOS versions, the -c option may not be available. In that case, you can manually compare hashes using the search method described earlier.

If the -c option is supported, the typical output is:

myfile.zip: OK

If the hash does not match, you will see:

myfile.zip: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match

If the file to check is missing, the output will be:

sha256sum: myfile.zip: No such file or directory
myfile.zip: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read

Tip: Hashing large files (such as ISO images) may take some time depending on file size and disk speed. Be patient!

7. Generate a Manifest Without Subfolders

7. Generate a Manifest Without Subfolders

If you need to verify the integrity of multiple files, manually creating a list of all their hashes and checking each one individually quickly becomes tedious and error-prone.

You can generate a manifest — a file that contains a list of file names and their corresponding hashes — in just one step.

Example: My_Important_Documents folder

Imagine you have a folder containing important personal or work files. Over time, silent corruption can occur due to storage aging, unsafe shutdowns, or simple wear. By generating and saving a .sha256.txt manifest for all files in the folder, you can later run a single verification command to detect if any file has changed or become corrupted.

My_Important_Documents/
├── passport_scan.jpg
├── tax_return_2024.pdf
├── resume.docx
└── personal_notes.txt

Generate a manifest for all files in the folder (excluding subfolders) by opening a terminal inside it:

Ubuntu / Linux:

sha256sum * > files.sha256.txt

macOS:

shasum -a 256 * > files.sha256.txt

This creates a file named files.sha256.txt containing the SHA-256 hash of each item in the folder.

Note: The * symbol is a wildcard that represents all files in the current folder. This means the command will automatically calculate hashes for every file in that directory without needing to type each filename manually. It does not include subfolders.

The content of files.sha256.txt will look similar to:

2f1a2b3c4d...  passport_scan.jpg
9a8b7c6d5e...  tax_return_2024.pdf
3d4c5b6a7e...  resume.docx
4e3d2c1b0a...  personal_notes.txt

Later, you can check that all files are still intact. On Ubuntu/Linux:

sha256sum -c files.sha256.txt

On macOS:

shasum -a 256 -c files.sha256.txt

If all hashes match, you’ll get:

passport_scan.jpg: OK
tax_return_2024.pdf: OK
resume.docx: OK
personal_notes.txt: OK

If any file has been modified, altered, corrupted, or renamed since the manifest was created, the command will warn you with:

resume.docx: FAILED
shasum: WARNING: 1 computed checksum did NOT match

Tip: Store the manifest file files.sha256.txt in the same folder as your documents. This allows you to easily verify their integrity at any time — even years later — just by running the same check command.

For extra safety, consider copying the hash file to another storage location (for example, on your computer or cloud drive) in case the original folder becomes unreadable.

Note: if you add, modify, or delete files, the simplest approach is to regenerate the manifest. For many or large files, this may take some time.

Advanced users may perform selective updates of the manifest — adding or removing only the changed files. If you are interested in this advanced workflow, leave a comment below or use the contact form. I will create a dedicated article explaining advanced hash usage and provide scripts to automate many tasks related to hashes.

8. Why not just create a ZIP archive?

You might consider compressing everything into a single .zip or .tar.gz archive and then hashing that archive. This method is perfectly fine — and even recommended — when you need to transmit or share data, because it simplifies verification: just one checksum to check.

However, there are several cases where hashing individual files directly is the better choice:

• Speed: Hashing files directly is faster because you avoid compression and decompression overhead, especially on slower systems.
• Transparency: You can instantly see which specific file has changed without rebuilding or re-extracting the entire archive.
• Incremental updates: If you modify or add just one file, you only need to rehash that file instead of recreating the whole archive.
• Data longevity: Archives can become corrupted over time, potentially making all contents inaccessible, while individual files and hashes remain verifiable one by one.
• Automation: Separate hash files integrate more easily with scripts that monitor directories or perform incremental backups.

9. Should you store the hash file in the same folder?

Good question — and the answer is: yes, it makes sense… but it depends on your purpose.

When it makes sense to keep it in the same folder

Ideal for personal use, local backups, USB drives and offline archives. Keeping the manifest file (for example files.sha256.txt) inside the same folder is convenient because:

• It’s self-contained — moving or copying the folder moves the hash file too.
• It’s easy to verify: open a terminal in the folder and run sha256sum -c files.sha256.txt.
• It supports periodic checks to detect silent corruption over time.

When you should NOT store it in the same folder

If you plan to share files, upload them to cloud storage, or need to prove authenticity, keeping the hash file together with the data is not sufficient by itself:

• An attacker who can modify the files can also regenerate a fake manifest.
• If the storage medium fails, you risk losing both the files and the manifest.

Better options in these cases:

• Keep a copy of the hash file in a separate location (your computer, a different drive, or cloud storage).
• Publish the hash via an independent channel (your website, or a signed message using GPG) to prove authenticity.

🔒 Summary

Purpose	Where to store the hash file
Personal backups, USB drives, offline archives	✅ In the same folder (practical and self-contained)
File sharing, authenticity verification	⚠️ Separate location or digitally signed
Critical archives	✅ + Keep a redundant copy elsewhere

If you find this guide useful — or if you have suggestions or disagree with any part — feel free to share your thoughts in the comments below!

Safe file transfer and long-term data integrity!