Checksum does not match download

I downloaded the iso openSUSE-Leap-15.1-DVD-x86_64.iso and then I downloaded the openSUSE-Leap-15.1-DVD-x86_64.iso.sha256 file. I downloaded fciv.exe from Microsoft. I ran it and it came back with the value of: C6D3ED19FE5CC25C4667BF0B46CC86AEBCFBCA3B0073AED0A288834600CB8B97 Since I had nothing to compare that to, I downloaded sha256sum.exe and ran it in the command window as: sha256sum.exe -c openSUSE-Leap-15.1-DVD-x86_64.iso.sha256 and it came back with:
openSUSE-Leap-15.1-DVD-x86_64.iso: FAILED
sha256sum.exe: WARNING: 1 of 1 computed checksum did NOT match
I redownloaded the openSUSE-Leap-15.1-DVD-x86_64.iso and the openSUSE-Leap-15.1-DVD-x86_64.iso.sha256 and tried again, same thing.
I downloaded Raymond’s MD5 & SHA Checksum Utility and ran it on both isos that I downloaded (to separate save locations), both isos match with Raymond’s utility and the output of fciv.exe.
The first download I just clicked the download DVD Image, the second time I tried one of the mirror sites.
Is this something that I should be worried about? Did I run one of the utilities wrong? Where can I get the sha256sum number to match the download?

If you downloaded the iso from two different locations, and fciv.exe produces the same output from each, that should be sufficient to expect the downloads were both good.

I’ve never tried to use Windows to verify a download using a sha256sum, so can’t help with trying tools designed for the purpose.

I can say that I routinely download iso files and don’t bother to check them before burning. Instead, I use a downloader rather than a web browser to download them, almost always wget, rarely curl. Both are available for Windows.

Thank you for your quick reply. I am trying to get started in Linux again but this time I don’t have a boxed set and I want to make sure that there isn’t any issue with my install. I still have my boxed set of 9.2 but I have read that I should not use it, at least not on the internet as it might not be safe because it is old.
I am sure that I will have many more questions in the near future.

sha256 hash file is itself signed. Under Linux you can both verify sha256 signature and downloaded ISO using e.g.

$ LC_ALL=C gpg --verify -o - *NET*.sha256 | LC_ALL=C sha256sum -cgpg: Signature made Fri May 10 00:01:18 2019 MSK
gpg:                using RSA key B88B2FD43DBDC284
gpg: Good signature from "openSUSE Project Signing Key <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 22C0 7BA5 3417 8CD0 2EFE  22AA B88B 2FD4 3DBD C284
openSUSE-Tumbleweed-NET-x86_64-Snapshot20190509-Media.iso: OK

That actually looks correct. It’s all upper case, while the checksum file has a lower case version. But it appears to match, apart from the difference in case. So your download looks good.

I used:

echo 'C6D3ED19FE5CC25C4667BF0B46CC86AEBCFBCA3B0073AED0A288834600CB8B97' | tr '[A-Z]' '[a-z]'

to convert your sha256 checksum to lower case, to make it easier to compare.

There are various Internet articles that describe how to perform an SHA checksum.

I highly endorse using an app that automatically performs checksums, more specifically I recommend torrent clients that do this (You may have to read the fine print to be certain they perform this function). The advantages are clear… If you have an unreliable network connection, then http/https downloads can fail and you won’t know until you perform your checksum <after> you download the entire file. Do this a few times, and this can be frustrating. On the other hand, a torrent client will download the large file in small pieces and each piece as it’s downloaded is checksummed. If a tiny piece fails verification, it’s downloaded again and replaced. This all happens <as your file is downloaded so you can be ensured when the file is finally put together that it’s good.