SHA-256 outputs 256 bits, written as 64 hexadecimal characters. Like any hash, the same input always gives the same output, and any change to the input changes the output completely. The 256 in the name is the length of the result in bits, which is what makes collisions astronomically unlikely.
Unlike MD5 and SHA-1, no one has found a practical way to create two different files that produce the same SHA-256. That property is what lets it be used where security matters:
Both take a file and return a fingerprint. The difference is trust and speed. MD5 is faster but broken for security, so a determined attacker can fake a match. SHA-256 is slower to compute but safe against that. For finding accidental duplicates on your own drive, MD5 is fine. For anything that must prove a file was not altered by someone, use SHA-256.
To verify a download, compute the SHA-256 of your file and compare it character for character with the one the source published. On a Mac you can run shasum -a 256 filename in Terminal for a single file. To hash a whole folder and keep the results as a column you can search and export, a file cataloging tool does it in one pass.
Compute SHA-256 and other hashes across a folder on Mac, then verify and compare. Runs on-device. · macOS