Safely Verify Software Downloads: Best Practices for 2026
Learn how to verify software downloads in 2026 using official sources, SHA-256 checksums, PGP signatures, antivirus scanning, and practical safety checks.

Why Verification Still Matters in 2026
You'd think by now we'd have this solved. Software distribution should be secure, verifiable, and straightforward. And in some cases it is — app stores handle a lot of the heavy lifting. But the moment you download an installer from a website, you're back to trusting the chain between the publisher and your hard drive.
Supply-chain attacks got more sophisticated in 2025. We saw compromised build pipelines, malicious updates pushed through legitimate channels, and AI-generated phishing sites that looked indistinguishable from the real thing. The old advice still works — it just needs updating for the current threat landscape.
If you've read our evergreen download safety guide, consider this the 2026 companion. Same principles, but with updated tooling and new risks to watch for.
The Verification Checklist
Here's the short version — the quick checks you should run on every download:
- Confirm the source. Are you on the publisher's actual domain? Check the URL carefully, including the spelling of the domain and the top-level domain; typosquatting is rampant, and a search-engine ad is not an endorsement.
- Look for HTTPS. No padlock, no download. Period. The padlock only tells you the connection to that domain is encrypted, though: a typosquatted or phishing site has one too, so this check comes after confirming the domain, not instead of it.
- Verify the checksum. SHA-256 is the standard. If the publisher provides one, use it. A checksum posted on the same page as the download catches corruption and tampered mirrors; it cannot tell you the download page itself is genuine.
- Check the digital signature. On Windows, right-click → Properties → Digital Signatures, or run `Get-AuthenticodeSignature` in PowerShell. On macOS, `codesign --verify` for apps and `pkgutil --check-signature` for .pkg installers. A signature that validates, from the publisher you expect, proves more than a hash does.
- Scan before running. Even with everything else checked, run it through your antivirus. Belt and suspenders.
SHA-256 Verification: The 2026 Way
The mechanics haven't changed, but the tooling has improved. Here's what you need for each platform:
Windows (PowerShell 7+)
```powershell
Get-FileHash .\installer.exe -Algorithm SHA256 | Format-List
```
SHA-256 is Get-FileHash's default algorithm, so `-Algorithm SHA256` is explicit rather than required, and `Format-List` keeps the full hash from being truncated in a narrow console. PowerShell 7 is a separate install (Windows itself still ships Windows PowerShell 5.1), but the command works the same in 5.1.
macOS (Terminal)
```shell
shasum -a 256 ~/Downloads/installer.pkg
```
Linux
```shell
sha256sum ~/Downloads/installer.tar.gz
```
Compare the output character by character against what the publisher posted, or, better, save the published value in a checksum file and let the tool do the comparison (`sha256sum -c SHA256SUMS` on Linux, `shasum -a 256 -c SHA256SUMS` on macOS), which fails closed on a mismatch instead of relying on your eyes. Tools like VirusTotal can also compute and cross-reference hashes against known malware databases.
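The comparison step is where manual verification goes wrong: a truncated paste, a stray space, or a file that simply is not listed in the publisher's checksum file all get waved through when a human eyeballs two hex strings. The script below is an added example (not code from the original article) that does the comparison mechanically on Linux or macOS. The file names, the `SHA256SUMS` format (`<64 hex chars>  <filename>` per line, as `sha256sum` writes it) and the sample "installer" are assumptions; it rejects malformed expected values and unlisted files rather than passing them.

```shell
#!/usr/bin/env bash
# verify_download.sh: check a downloaded file against a publisher's SHA-256.
# Added example, not from the original article. File names and the SHA256SUMS
# line format ("<64 hex chars>  <filename>") are assumptions.
set -euo pipefail

# Print the SHA-256 hex digest of a file, using sha256sum (Linux/coreutils)
# or falling back to shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED_HEX is not a plausible
# SHA-256 digest. Whitespace and letter case are normalised first so a
# copy-pasted value compares correctly; anything that is not exactly 64 hex
# characters is rejected instead of being compared (and failing) silently.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*|'') echo "MALFORMED: expected value is not a hex digest" >&2; return 2 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "MALFORMED: expected value has ${#expected} hex chars, SHA-256 needs 64" >&2
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# verify_from_sums FILE SUMSFILE
# Look up FILE's basename in a SHA256SUMS-style file and verify against it.
# A file that is not listed at all is a failure (exit 3), not a pass.
verify_from_sums() {
  file=$1
  sums=$2
  name=$(basename "$file")
  # sha256sum writes "<hex>  name" in text mode and "<hex> *name" in binary mode.
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "NOT LISTED: $name does not appear in $sums" >&2
    return 3
  fi
  verify_sha256 "$file" "$expected"
}

# Command-line use: ./verify_download.sh <file> [SHA256SUMS]
if [ "$#" -ge 1 ]; then
  verify_from_sums "$1" "${2:-SHA256SUMS}"
fi
```

Run it as `./verify_download.sh ~/Downloads/installer.tar.gz ~/Downloads/SHA256SUMS` after downloading both files; a non-zero exit means stop. The distinct exit codes matter if you wire this into a script: 1 is a real mismatch, 2 is a bad expected value (re-copy it), 3 means the publisher never listed that file under that name, which is itself worth noticing.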
PGP Signatures: When Checksums Aren't Enough
A checksum proves the file wasn't corrupted in transit. But what if the publisher's download page itself was compromised? An attacker could replace both the file and the checksum.
That's where PGP (or GPG) signatures come in. The publisher signs the file with their private key. You verify it with their public key, which you obtained independently: from their GitHub profile or a signed release announcement, from a keyserver, or from a trusted third party. Keyservers deserve a caution, since anyone can upload a key under any name. What you actually pin is the key's fingerprint, taken from a channel separate from the download site; the keyserver merely delivers the key that matches it.
```shell
gpg --verify installer.sig installer.tar.gz
```
If the signature checks out, you know the file came from someone who holds the private key. Two caveats. "Good signature" (and a zero exit code) means the signature is cryptographically valid for whatever key made it, so confirm the printed fingerprint matches the one you pinned. And the "WARNING: This key is not certified with a trusted signature!" line is normal for a key you have not certified yourself; it is not evidence of tampering. It's not bulletproof, since key management is its own discipline, but it's a significant step up from checksums alone.
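The trap in `gpg --verify` is that its exit status says "some key made a valid signature", not "the publisher made it". The script below is an added example (not code from the original article) that reads gpg's machine-readable status output and accepts a file only when a VALIDSIG line names the fingerprint you obtained out of band. The publisher identity, file names and the throwaway key it generates to demonstrate offline are all constructed; the `verify_pgp` function is the part you would keep.

```shell
#!/usr/bin/env bash
# verify_pgp.sh: verify a detached PGP signature AND pin the signing key's
# fingerprint. Added example, not from the original article. The publisher
# identity, file names and the throwaway demo key are constructed here.
set -euo pipefail

# verify_pgp SIGFILE FILE EXPECTED_FINGERPRINT
# gpg --verify exits 0 for any cryptographically good signature, even from a
# key you have never seen before. So we read gpg's status lines and require a
# VALIDSIG whose signing-key (or primary-key) fingerprint equals the one
# obtained out of band. Returns 0 only if both conditions hold.
verify_pgp() {
  sig=$1
  file=$2
  want=$(printf '%s' "$3" | tr -d '[:space:]' | tr 'a-f' 'A-F')
  # Status lines go to stdout (fd 1); the human-readable chatter goes to stderr.
  status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
  # VALIDSIG fields: $3 = fingerprint of the (sub)key that signed,
  # $12 = fingerprint of its primary key. Accept a match on either.
  got=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3, $12; exit }')
  if [ -z "$got" ]; then
    echo "FAIL: no valid signature on $file (bad signature, missing key, or unreadable input)" >&2
    return 1
  fi
  for fpr in $got; do
    if [ "$fpr" = "$want" ]; then
      echo "OK: $file signed by $want"
      return 0
    fi
  done
  echo "FAIL: signature is valid but from an unexpected key ($got); wanted $want" >&2
  return 1
}

# --- Demo helpers that stand in for the publisher so this runs offline ---

# Create a throwaway signing key in $GNUPGHOME and print its fingerprint.
# (Constructed identity; a real publisher's fingerprint comes from their
# website, release notes or a signed announcement, never from the download page.)
demo_publisher_key() {
  uid="Example Publisher <releases@example.invalid>"
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" default default never >/dev/null 2>&1
  gpg --with-colons --list-keys "$uid" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Produce FILE.asc, an ASCII-armoured detached signature made with key FPR.
sign_detached() {
  gpg --batch --pinentry-mode loopback --passphrase '' --local-user "$1" \
      --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# Command-line use: ./verify_pgp.sh <file.asc> <file> <expected-fingerprint>
if [ "$#" -eq 3 ]; then
  verify_pgp "$1" "$2" "$3"
fi
```

In practice you call `verify_pgp installer.sig installer.tar.gz "<fingerprint from the publisher's site or release notes>"` with the publisher's key already imported; the fingerprint argument is the whole point, and if you cannot state it from somewhere other than the download page, the signature check is not giving you what you think it is.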
What's New in 2026: Sigstore and Software Bills of Materials
Two developments are worth knowing about:
- Sigstore makes code signing easier by eliminating the need to manage long-lived keys. It's seeing adoption in the open-source ecosystem. A signer authenticates with an OIDC identity (a GitHub account or a CI workflow, for example), receives a short-lived signing certificate, and the signature is recorded in a public transparency log (Rekor). If a project uses Sigstore, you verify with cosign, and the check that matters is the identity: a valid signature from some identity proves little, so pin the expected signer identity and OIDC issuer (cosign's `--certificate-identity` and `--certificate-oidc-issuer` options) rather than stopping at "signed".
- SBOMs (Software Bills of Materials) are becoming standard. They list every dependency in a package. If a known-vulnerable library is in the SBOM, you know before installing. Tools like `syft` (generates the SBOM) and `grype` (matches it against vulnerability databases) from Anchore make this practical. A published SBOM is only as trustworthy as the signature on it, so verify it the same way you verify the release.
Red Flags That Haven't Changed
Some things never go out of style. Still walk away if you see:
- Multiple "Download" buttons (ad-supported download wrappers)
- "Free" versions of paid software on third-party sites
- Installers that demand admin rights for software that shouldn't need them
- No official checksums or signatures published anywhere
- Download URLs with unfamiliar CDN domains and no publisher confirmation
Practical Decision Framework
| Scenario | Minimum Verification | Recommended |
|---|---|---|
| App store install | Trust the store's signing | Check reviews, publisher identity |
| Official website download | HTTPS + checksum | Checksum + digital signature |
| Open-source from GitHub | Checksum from release page | PGP/Sigstore + SBOM review |
| Third-party mirror | Compare hash to official | Don't use mirrors if you can avoid it |
| Shared by colleague | Re-download from official source | Always re-download from official source |
Browser Extensions That Help
A few browser tools make verification easier:
- uBlock Origin — blocks malicious ad redirects that lead to fake download sites
- HTTPS Everywhere — retired by the EFF; Firefox, Chrome and Edge now ship a built-in HTTPS-only (or "always use secure connections") mode, so turn that on instead of hunting for the old extension
- Web of Trust (WOT) — community-based site reputation scores (take with a grain of salt; the extension itself was pulled from browser stores in 2016 over its own data-collection practices)
What to Do When Verification Fails
If a checksum doesn't match or a signature fails:
- Do not run the file. Do not "try it anyway" because the difference looks small; one different byte is the whole point.
- Look up the hash on VirusTotal before you delete anything; someone else may have flagged it, and the hash is what you'd quote when reporting it.
- Delete it, or quarantine it if you intend to report it to the publisher.
- Re-download from the official source, over a different network if you have any reason to distrust the first one.
- If the new download also fails verification, contact the publisher through a channel other than the download page, and do not fall back to a mirror to "make it work".
Related Resources
- Software Download Safety (Evergreen Guide) — our foundational guide to safe downloading
- Downloads — files we host with verification info
- Téléchargement — French-language download section