Skip to content
Latchkey

What Is a Checksum? Verifying Data Integrity Explained

A checksum is a short value computed from a block of data that lets you verify the data was not corrupted or altered.

A checksum is a fingerprint for data. You compute it from a file, and anyone who later recomputes it can confirm the file is byte-for-byte identical. Checksums are the backbone of integrity in CI: they verify downloads, validate caches, and detect when an artifact has been tampered with or corrupted in transit.

What a checksum is

A checksum is a fixed-size value derived from input data by a defined algorithm. Change even one byte of the input and the checksum changes. By comparing a freshly computed checksum to a known-good one, you verify the data is intact without inspecting it directly.

Integrity versus security

Simple checksums (like CRC32) catch accidental corruption but are easy to forge, so they protect against transmission errors, not attackers. Cryptographic hashes like SHA-256 are designed so an attacker cannot craft different data with the same checksum, which is what you need for security.

How checksums are used

A publisher computes a checksum of a release and posts it alongside the file. After downloading, you recompute the checksum and compare. If they match, the file arrived intact and unaltered. Package managers and lockfiles automate this for every dependency you install.

Checksums in CI

CI leans on checksums everywhere: verifying a downloaded tool before running it, deriving a cache key from the hash of a lockfile so the cache invalidates when dependencies change, and confirming a built artifact matches what was published. A mismatch should fail the build loudly.

A checksum-based cache key
# Cache key from a lockfile checksum in GitHub Actions
steps:
  - uses: actions/cache@v4
    with:
      path: ~/.npm
      key: npm-${{ hashFiles('package-lock.json') }}

Latchkey note

Latchkey caching uses content hashes to key and validate cache entries, so a cache restore only succeeds when the stored bytes match the expected checksum - the same integrity principle, applied to keep warm builds correct.

Key takeaways

  • A checksum is a fingerprint computed from data that reveals any change to it.
  • Simple checksums catch accidental corruption; cryptographic hashes resist deliberate tampering.
  • CI uses checksums to verify downloads, key caches off lockfiles, and confirm artifact integrity.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →