How does verifying the checksum confirm the integrity of a downloaded file, when it’s posted on the same website the file came from?


20 Answers

Anonymous 0 Comments

It’s there to verify that the file has been downloaded correctly. That is, you download the file, calculate the checksum of that downloaded file and check it against the checksum posted on the site. If it matches then the file was likely downloaded correctly. If not then the file was corrupted during the download.

Anonymous 0 Comments

It’s not a secret, or an encryption technique that needs to be hidden. It’s just there to help verify you completely downloaded the correct file. It can’t be spoofed, because the checksum isn’t assigned. It is generated using the file itself. So, even if someone somehow did manage to replace the file you really wanted, it can’t generate the same checksum (I mean, *technically* it could be done, but it would be way too damned much work and pretty obvious).

Anonymous 0 Comments

Do you mean checksum as /u/nmxt is saying or do you mean cryptographic hash like SHA1 or MD5SUM or something? Are you worried that someone might put up a fake website with a fake download and the hash of that fake download?

Anonymous 0 Comments

Checksum functions go through every bit (as in subset of byte) of a file and include it in a calculation. If a single bit is off, the final number will be hugely different; if your checksum calculation is different from the posted one, then something happened to one (or more) of the bits while the file was being transferred and the file has been “corrupted”, which can cause errors of different levels depending on just what the corruption is.

Checksums are posted next to where a file can be downloaded because they are extremely small in comparison to the file. So if somebody is unsure about a file’s integrity, they can just run a local checksum function and compare it to a single number (which will be smaller than even the page hosting it) instead of downloading the entire file again (which can be arbitrarily large).

Edit: there is also purpose in using checksums to ensure a file is actually what it says it is; renaming a file to make it look like something desired while actually being a virus is a classic malware attack. It is extremely difficult to change an average file without changing its checksum, so checksum verification is also used to reduce trojan horse type file changes.

(checksums are also used locally by programs to make sure files haven’t been tampered with; if a game doesn’t want its users to cheat by editing save files, they can use a checksum and only load save files that are verified, as an example)

Anonymous 0 Comments

A lot of people aren’t getting the crux of your question. As you say, the checksum and the file often come from the same site, so this does nothing for increasing trust. However, there are situations where you might retrieve the checksum from a trusted source and the file from elsewhere. If the file is big you could go get it via BitTorrent, then download just the checksum from the trusted site to check the file wasn’t tampered with. But yes, if you don’t trust the source of the checksum it means little for you.

Anonymous 0 Comments

It confirms that the file you have matches the one the website says you *should* have.

That doesn’t prove that it’s a nice file or the one you *want*, of course. If you download from a malicious website you’re going to get a harmful file. It just establishes that the file hasn’t been tampered with or corrupted during the download. Or if you got the file from someone or somewhere else, you can check that it matches what the original website says it should be.

Anonymous 0 Comments

Imagine a box that’s able to take a computer program and turn it into a math problem. You put the program in one end of the box, and a big complicated answer comes out the other end.

The important parts are that if you put the *same program* into the box multiple times, you will always get the *same checksum*, and if you make even a single change to the program you’ll get a *different* checksum.

So: whoever made the program is telling you what the checksum *should be*. If you download the program and then use a checksum calculator, the checksum that you get should be exactly the same as the checksum that the creator got – this tells you that the program is exactly the same too. If you get a *different* checksum, then someone else has altered the program and it’s also *different* than what the creator originally made.

Anonymous 0 Comments

The idea is that if you downloaded the file from somewhere else rather than the official website you can check that it is still the same as the one on the website by comparing the checksum.

The checksum is something you get from doing math on the original file.

You can put the file you downloaded through an algorithm to see what its checksum is, and if it is the same as posted online it is likely genuine.

If you change the input, in this case the original file, you change the output, in this case the checksum.

Creating a new file with the same checksum is possible, but doing so in a way that it still resembles the original enough to be mistaken for it is quite hard.

Anonymous 0 Comments

There are multiple ‘practical’ reasons for a checksum:

1. To verify the file downloaded correctly. This is your question, where the checksum is posted on the same website as the download. The internet doesn’t work perfectly. As data is sent to you, things can get corrupted. Think of it like a friend reading you a long book and you write it down as you hear it. You might write things down wrong. I’ll give an actual example. I had to download a PS4 flash file one time. It was pretty big. I kept trying to download it and the PS4 kept rejecting it, saying the file is corrupt. I tried it a few times with the same result. I then tried to directly download the file using an Ethernet cable. It worked fine. Apparently when I was trying to download it via WiFi, it was being corrupted.
2. To make sure the file you download is the one you want. This is very useful if you are downloading a file from another site. You get the checksum from the ‘official’ site and then download the file from the other site and make sure it has the correct checksum. This generally is done to make sure the other site isn’t hosting malware or a virus or a different version or something.
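As an added example (not code from any answer on this page) of the workflow the two answers above describe, the checksum line below is what the official site would publish in the `sha256sum` output format, while the file itself arrives from a mirror, and a copy with a single flipped bit is rejected. The file name, the file contents and the mirror layout are constructed; the published digest is the well-known SHA-256 of the bytes `b"abc"`.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed "download": stand-in for the real file. The published line is the
# real SHA-256 of these bytes, in sha256sum's "<hexdigest>  <filename>" format.
GENUINE = b"abc"
OFFICIAL_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  tool-1.0.tar.gz\n"
)


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}; reject malformed ones."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        # sha256sum marks binary-mode entries with a leading '*' on the name.
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so an arbitrarily large download never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: Path, sums_text: str) -> bool:
    """True only when the file's digest matches the published digest for its name."""
    published = parse_sums(sums_text).get(path.name)
    if published is None:
        return False  # nothing published for this name: treat as unverified
    return hmac.compare_digest(sha256_file(path), published)


def demo() -> tuple:
    """Return (genuine_ok, corrupted_ok) for an intact copy and a one-bit-flipped copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "tool-1.0.tar.gz")
        good.write_bytes(GENUINE)
        mirror = Path(tmp, "mirror")
        mirror.mkdir()
        bad = mirror / "tool-1.0.tar.gz"
        bad.write_bytes(bytes([GENUINE[0] ^ 0x01]) + GENUINE[1:])  # constructed corruption
        return verify_file(good, OFFICIAL_SUMS), verify_file(bad, OFFICIAL_SUMS)
```

Note that `verify_file` only proves the file matches what the publisher of `OFFICIAL_SUMS` intended; trust still rests on where that line came from, which is the point the answers make.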

Anonymous 0 Comments

You do indeed have to trust the checksum itself.

But that can still sort of protect against some attacks. For example, a third party intercepting your download and swapping it with another file without either side knowing.

Or it can be useful to make sure something didn’t go wrong accidentally with the download, such as a mysterious bitflip, or problems with your hard drive.