How to generate a per-file sha-256 checksum manifest online for free
- Step 1Open the Checksum Generator — Go to /archive-tools/checksum-generator. No account is needed for the free tier. The page loads the fflate and libarchive WASM engines on demand the first time you process a file.
- Step 2Drop your archive — Drag one archive onto the dropzone (ZIP, TAR, GZ, 7z, RAR, BZ2, XZ, or ISO). This tool reads a single archive at a time — it is not a batch tool. The file size is checked against your tier before processing starts.
- Step 3Pick the hash algorithm — Use the Algorithm dropdown to choose
SHA-256(default),SHA-1, orMD5. SHA-256 and SHA-1 run on hardware-accelerated Web Crypto; MD5 uses a pure-JS implementation (correct, but slower on large entries) because browsers don't expose MD5 through Web Crypto. - Step 4Add a password if the ZIP is encrypted — If your archive is an encrypted ZIP (AES-256 or ZipCrypto), type the password in the optional Password field so zip.js can decrypt each entry before hashing. Leave it blank for unencrypted archives. Encrypted 7z/RAR cannot be opened in-browser — see the edge cases below.
- Step 5Click Process — Press Process. The tool extracts every file entry, hashes its decompressed bytes, and shows a preview of the CSV (truncated at 4,000 characters on screen) plus metric chips: Algorithm, Files (entry count), and the Sums-file name.
- Step 6Download both manifest files — Click Download CSV. Two files are saved:
<archive>-<algo>.csv(the spreadsheet manifest) and<archive>.<algo>sums(the GNU-format verification file). Store the.sha256sumsnext to the archive so anyone can later runsha256sum -c <archive>.sha256sumsto confirm integrity.
What the Checksum Generator actually outputs
Both files are generated on every run and downloaded as two separate files (not bundled in a zip). The algorithm token in filenames and headers is lowercased; in the .sums extension the hyphen is removed.
| Output | Filename pattern | Format | Use it for |
|---|---|---|---|
| CSV manifest | <archive>-sha256.csv | Header name,size,sha256; one row per file entry; commas/quotes/newlines in names are CSV-escaped | Audits, spreadsheets, diffing two manifests, importing into a tracking system |
| Sums file | <archive>.sha256sums | GNU coreutils format: <hex> <name> (two spaces) per line, trailing newline | sha256sum -c <archive>.sha256sums on Linux/macOS to verify after extraction |
| Screen preview | (not downloaded) | First 4,000 characters of the CSV rendered in a code block | Sanity-checking the entry list before you download |
| Metric chips | (not downloaded) | Algorithm, Files (entry count), Sums-file name | Confirming the algorithm and how many entries were hashed |
Algorithm options (the Algorithm dropdown)
These are the only three algorithm choices in the UI. SHA-256 is the default and the recommended choice for tamper detection.
| Value | Engine | Hash length | When to choose it |
|---|---|---|---|
SHA-256 (default) | Web Crypto crypto.subtle.digest (hardware-accelerated) | 64 hex chars (256-bit) | Tamper-evident manifests, release verification, anything new |
SHA-1 | Web Crypto crypto.subtle.digest | 40 hex chars (160-bit) | Matching legacy Git object hashes or older vendor checksums (not collision-safe) |
MD5 | Pure-JS RFC 1321 (no Web Crypto MD5) | 32 hex chars (128-bit) | Reproducing old .md5 manifests from mirrors/CDNs; slower on big files |
Tier limits (archive family)
Per-archive limits enforced for this tool. File size is checked at upload time; the entry-count cap is the documented per-archive limit for your plan.
| Tier | Max archive size | Max entries | Archives per job |
|---|---|---|---|
| Free | 50 MB | 500 | 1 |
| Pro | 500 MB | 50,000 | 20 |
| Pro-Media | 2 GB | 500,000 | 100 |
| Developer | 2 GB | 500,000 | Unlimited |
Cookbook
Five common ways people use a per-file checksum manifest. Each shows the input archive and the exact output rows the tool produces.
Hash a release ZIP with SHA-256
Default settings. Drop a release ZIP, leave Algorithm on SHA-256, click Process.
Input: myapp-1.4.0.zip (3 files) myapp-1.4.0-sha256.csv: name,size,sha256 bin/myapp,4823104,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 README.md,2418,2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae LICENSE,1071,fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9 myapp-1.4.0.sha256sums: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 bin/myapp 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae README.md fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9 LICENSE
Verify the manifest later on Linux/macOS
Extract the archive, put the .sha256sums file alongside it, and run the standard coreutils check.
$ unzip myapp-1.4.0.zip $ sha256sum -c myapp-1.4.0.sha256sums bin/myapp: OK README.md: OK LICENSE: OK
Reproduce an old MD5 manifest from a mirror
Some download mirrors still publish .md5 files. Switch the Algorithm dropdown to MD5 to match them.
Input: packages.tar.gz Algorithm: MD5 packages-md5.csv: name,size,md5 libfoo.so,204800,098f6bcd4621d373cade4e832627b4f6 libbar.so,153600,5d41402abc4b2a76b9719d911017c592 packages.md5sums: 098f6bcd4621d373cade4e832627b4f6 libfoo.so 5d41402abc4b2a76b9719d911017c592 libbar.so
Hash entries inside an encrypted ZIP
Type the password so zip.js can decrypt each entry before hashing. The hashes are of the DECRYPTED file contents.
Input: evidence.zip (AES-256) Password: •••••••• evidence-sha256.csv: name,size,sha256 capture-01.pcap,9912320,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 notes.txt,612,a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
Names with commas are CSV-escaped
If a filename contains a comma, quote, or newline, the CSV column is quoted per RFC 4180 so the manifest stays parseable.
Input: reports.zip reports-sha256.csv: name,size,sha256 "Q3 sales, final.xlsx",48211,3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b plan.md,1204,18ac3e7343f016890c510e93f935261169d9e3f565436429830faf0934f4f8e4
Edge cases and what actually happens
Archive has more than 500 entries (free tier)
Tier limitThe free tier documents a 500-entry-per-archive cap. Large multi-file archives are a Pro use case (50,000 entries) — upgrade or split the archive first with Archive Splitter.
Archive larger than your tier's size cap
RejectedThe size is checked before processing. You'll see File "…" exceeds the <tier> tier per-job limit (50 MB). Upgrade for larger files. Free is 50 MB, Pro 500 MB, Pro-Media and Developer 2 GB.
Encrypted ZIP with no password supplied
Errorzip.js throws Archive contains encrypted entries (e.g. "file"). Provide a password to extract. Enter the password in the optional field and re-run.
Encrypted 7z or RAR
Unsupportedlibarchive WASM (the engine for 7z/RAR/BZ2/XZ) does not accept passwords in the browser. The tool reports this and suggests decrypting locally with 7-Zip/WinRAR, or re-archiving as an encrypted ZIP via Encrypted ZIP Creator (the ZIP path supports AES-256).
Directory entries in the archive
By designFolder entries (names ending in /) are skipped — only files are hashed. The Files metric and CSV row count reflect file entries only, so they may be lower than your file manager's total.
Hashes don't match a vendor's published checksum
ExpectedThis tool hashes the decompressed contents of each entry, not the archive blob. If a vendor published a hash of the whole .zip file, that's a different value — hash the container with a single-file tool instead, or compare per-entry hashes against their per-entry manifest.
MD5 on a very large entry feels slow
ExpectedSHA-256/SHA-1 use hardware-accelerated Web Crypto; MD5 runs in pure JavaScript because browsers don't expose MD5. For speed on big archives, prefer SHA-256 unless you specifically need to match an MD5 manifest.
Renamed file (a .rar saved as .zip)
DetectedFormat is detected from magic bytes, not the extension, so a mislabeled file is read by the correct engine. If detection still fails, confirm the true type with Auto Format Detector.
Corrupt central directory
ErrorIf the ZIP's central directory is damaged, extraction fails before hashing. Recover what's salvageable with Corrupted ZIP Repair, then re-run the manifest on the repaired archive.
Frequently asked questions
Does the Checksum Generator upload my files?
No. Extraction and hashing both run in WebAssembly and Web Crypto inside your browser tab. Open DevTools → Network during processing — there are zero outbound requests for the input data.
What exactly do I get back?
Two files: a CSV manifest (<archive>-<algo>.csv) with a name,size,<algo> row per file entry, and a GNU-format sums file (<archive>.<algo>sums) you can verify with sha256sum -c. Both download as separate files.
Which algorithms can I choose?
SHA-256 (default), SHA-1, and MD5, from the Algorithm dropdown. SHA-256 and SHA-1 use hardware-accelerated Web Crypto; MD5 uses a pure-JS implementation because browsers don't expose MD5.
Does it hash the archive file or the files inside it?
The files inside it. Each entry is extracted and its decompressed bytes are hashed — you get a per-entry manifest, not a single digest of the container.
How do I verify a manifest later?
Extract the archive, put the .sha256sums file alongside the extracted tree, and run sha256sum -c <archive>.sha256sums on Linux/macOS. On Windows, use Get-FileHash and compare. Any mismatched file is flagged.
Can it read 7z, RAR, TAR and GZ, not just ZIP?
Yes. ZIP, TAR and GZ are read with fflate; 7z, RAR, BZ2, XZ and ISO are read via libarchive WASM. The format is detected from the file's magic bytes.
What's the maximum file size and entry count?
Free: 50 MB and 500 entries. Pro: 500 MB and 50,000 entries. Pro-Media and Developer: 2 GB and 500,000 entries. This tool processes one archive at a time.
Can I hash an encrypted archive?
Encrypted ZIPs: yes — enter the password and zip.js decrypts each entry before hashing. Encrypted 7z/RAR: no — libarchive WASM can't accept passwords in-browser; decrypt locally or re-archive as an encrypted ZIP first.
Why is the entry count lower than my file count?
Directory entries are skipped — only files are hashed. The count reflects file entries, so it can be lower than what a file manager shows for the same archive.
Is SHA-256 better than CRC32 for this?
For tamper detection, yes. CRC32 only catches accidental corruption and is trivial to forge; SHA-256 is cryptographically infeasible to collide. Use Archive Integrity Tester when you just need to confirm an archive isn't corrupt.
Which browsers work?
Any browser with WebAssembly and Web Crypto — Chrome, Edge, Firefox, Safari, Brave, Opera, plus mobile Chrome/Safari. Very large archives may exceed mobile device memory.
Is there a CLI or API?
Not yet — the tool is a standalone browser page. The closest local equivalents are sha256sum / Get-FileHash after extraction. For comparing manifests of two archives, see Archive Diff.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.