The short answer is yes, GIMP is perfectly safe to download and install on your computer. The slightly longer version is that it’s perfectly safe to download as long as you get your copy from the official website. It’s important to always download an official copy!
The reason for the two-part answer comes from the fact that GIMP is open-source software, which means that the code which makes up the program can be accessed and modified by any user who wants to do so. This means there are also unofficial versions of GIMP available online.
Hello! As you may have seen around the site already, my name is Thomas Boldt and I’m your guide here at TGT (The GIMP Tutorials). I’ve been trained in digital graphic design, but my love of digital image editing goes back over two decades to the very early days of consumer digital photography.
I’ve also used GIMP at various points in its evolution, starting just a few years after it was first released back in 1996. After all the different versions I’ve installed, I’ve never had a single computer issue caused by installing or using GIMP. It is absolutely safe to use on your computer.
Open Source, Maximum Security
Most computer programs that you use are probably “closed source” software. Microsoft Word, Autodesk Fusion 360, and all your video games are closed source – nobody is supposed to look under the hood and see how all the computer source code works.
At first, this seems like the best way to create software. If the source code is secret, it can be sold for a profit, and that obviously drives many (ok, almost all) business models in the software industry.
But as soon as you realize that developers will pull software apart anyway looking for flaws, the answer changes. Suddenly it’s a far safer idea to have everyone look at your code to spot any exploitable issues as soon as possible so they can be repaired – and that’s how GIMP works.
Some Open Source Risks
Creating and improving free open-source software is one of the most altruistic and valuable contributions that a software developer can make, but unfortunately, not everyone with those software development skills falls into the altruistic category – some can even be just plain greedy.
Because open-source software has a large following, it creates opportunities for the unscrupulous to try to make a quick buck off of well-meaning users who just want to get some work done. GIMP has also had to deal with this kind of confusion in the past, at least indirectly.
GIMPshop was the pet project of a TV host in the mid-2000s, designed to make GIMP look and function more like Photoshop. Because it was released for free, it was quickly picked up by a rogue developer who bundled all kinds of nasty malware with it in order to make some money.
If you want to read more about the drama, I wrote up a quick article about the story as soon as I learned about what happened. It’s a useful cautionary tale, but it’s not exactly dangerous now. Just make sure to download GIMP from the official website, and you have nothing to worry about.
Verifying Your Download
If you’re deeply concerned about your computer security or even just curious, it’s possible to use a system known as a “hash sum” or “checksum” to verify that the file you’ve downloaded onto your computer is an exact copy of the file located on the official GIMP website.
While I don’t pretend to understand the math involved in hashing – there are several reasons why I went into the arts, lol – this is the basis of how it works.
The developers run the official release file through an algorithm that produces a long string of letters and numbers known as a hash sum or checksum, and publish that value alongside the download. The example below is the official checksum for gimp-2.10.24-setup-3.exe as listed on the official website:
When you download your copy of the file, you can run the same algorithm on your downloaded copy, and you should get exactly the same result as the official version. Any change in the content of the downloaded file changes the checksum, so a mismatch tells you something is wrong.
If you get a mismatch, it doesn’t automatically mean that someone is trying to tamper with your GIMP installation. It could mean that a download error corrupted the file, which is rare, but it does happen. Download another copy of the file and try the checksum again.
Want to learn more about checksums and hash sums? Keep reading.
How to Check the GIMP Installer Hash Sum
The process for actually verifying the hash sum of a file is pretty simple, although it helps if you’re already familiar with using a command-line interface. Here are the steps and commands to run a check on your downloaded GIMP installation file for each major operating system.
Windows 10
- Press the Windows key + R to open the Run command.
- Type ‘cmd’ without the quotes and click Run.
- Enter the following command:
CertUtil -hashfile C:\file\download\location SHA256
Obviously, you have to replace ‘C:\file\download\location’ with the location and name of your downloaded GIMP installer file, as you can see in the example above.
macOS
- Open a Terminal window at your Downloads folder by holding down the Ctrl key, clicking the Downloads folder icon, and choosing New Terminal at Folder.
- Enter the following command:
shasum -a 256 /file/location/path
Since we opened our Terminal window already in the Downloads folder, we can simply enter the filename directly instead of a longer, more complex path (see the example below).
Note that the hash sum is different for the macOS version of GIMP compared to the Windows version because the contents of the installer file are different. There will also be a third hash sum for the Linux version of GIMP, and future releases of GIMP will also have different hash sums.
Linux
Open your favorite terminal app, and enter:
sha256sum /file/location/path
Once you’ve verified that the checksums match, you can rest easy knowing that your copy of GIMP is exactly the same as the official copy of GIMP.
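The three commands above all do the same job: compute the SHA-256 digest of the downloaded file and compare it, by eye, with the value published on gimp.org. The script below is added here as a worked example and is not part of the original article. It automates that comparison on macOS and Linux: it uses whichever tool is present (sha256sum or shasum -a 256), normalizes the expected value so that uppercase letters or stray spaces copied from a web page don’t cause a false mismatch, rejects anything that isn’t a 64-character hex digest, and returns a distinct exit status for match, mismatch and usage error. The function names, the temporary demo file and the all-zero “bad” hash are this example’s own constructions; the sample input is the five-byte string hello, whose SHA-256 is a well-known test vector. One caveat a practitioner would add: because the checksum is published on the same site as the installer, a match proves the file arrived intact and unaltered in transit or by a mirror, not that the site itself was never compromised.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded file
# against a published SHA-256 checksum, the way the article does by hand.
# Function names and the sample file below are this example's own constructions.

# Use whichever SHA-256 tool the system has: sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found (need sha256sum or shasum)" >&2
        return 2
    fi
}

# Lowercase the hash and strip whitespace, so a value copied from a web page,
# an email or another tool's output compares cleanly against our result.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-Z' 'a-z'
}

# verify_sha256 FILE EXPECTED_HASH
# Exit status: 0 = match, 1 = mismatch, 2 = usage or tooling problem.
verify_sha256() {
    file="$1"
    expected=$(normalize_hash "$2")

    if [ ! -f "$file" ]; then
        echo "error: '$file' is not a file" >&2
        return 2
    fi
    # A SHA-256 digest is exactly 64 hex characters; anything else is a copy/paste error.
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "error: expected hash is not a 64-character hex SHA-256 value" >&2
        return 2
    fi

    actual=$(sha256_of "$file") || return 2

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demonstration on a constructed file (not a GIMP installer).
# SHA-256 of the five bytes "hello" is a well-known test vector; it is given
# here in uppercase to show that normalization handles that.
demo() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    verify_sha256 "$tmp" 2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824
    # Now a wrong value, simulating a corrupted download or a tampered file.
    if verify_sha256 "$tmp" 0000000000000000000000000000000000000000000000000000000000000000; then
        echo "unexpected: bad hash accepted"
    else
        echo "mismatch correctly rejected"
    fi
    rm -f "$tmp"
}

# Real use: verify_sha256 ~/Downloads/<installer file> <hash copied from gimp.org>
demo
```

In real use, call verify_sha256 with the path to the installer and the hash copied from the GIMP download page. An exit status of 0 means the two agree, 1 means re-download and re-check as the article advises, and 2 means the inputs themselves need fixing, so the result can be acted on directly from another script.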
Scanning with Antimalware
Personally, I trust the GIMP developers to be better at security than I am, so downloading from the official website is enough to satisfy me about GIMP’s safety. But if you want to go completely overboard in terms of guaranteeing your computer’s safety, there’s one last step you can take.
Unless you’re running Linux, you probably have an antivirus or antimalware program installed on your computer. If you don’t already have one, you really should think about it! There are tons of free and paid options that can lock your computer down tightly enough to stay safe online.
My preference for antimalware software is the free Malwarebytes, but the general process is fairly universal. Right-click or Ctrl-click on the file or folder you want to scan, and the popup menu should contain an option “Scan with Malwarebytes” or whichever program you’ve selected.
If you don’t have a context menu option, then you can usually run a quick scan to ensure that nothing nasty is lurking on your computer.
Staying Safe and Secure
While it’s important and beneficial to know how all these scans and hash sum processes work, it’s also important to maintain a sense of perspective about internet security. As long as you’re only downloading files from official sources, you’re not likely to ever run into a security problem.
GIMP is a very popular program with a well-established reputation in the community going back over 25 years, and the developers are extremely skilled at what they do. GIMP is absolutely safe to use, and as long as you download it from the official website, you have nothing to worry about.
Stay safe, and happy editing!
Jana Milcham
Tech Radar just published an article tying Gimp (and most browsers and some other apps) to a major security flaw (CVE-2023-4863). Has this been addressed yet?
Thomas Boldt
Hi Jana, the GIMP devs have not released a patch for this issue yet, but I imagine it’s been added to the list. They’re hard at work preparing GIMP 3.0 for release, although there hasn’t been any other update news since August 13, when a patch for a different vulnerability (CVE-2023-36664) was released.
(source: https://www.gimp.org/downloads/ )
That being said, GIMP is still safe to use as long as you’re careful about what files you download and open. I’m not a security expert, but it looks like you need to access a specially crafted and malicious HTML webpage to trigger the vulnerability, so it probably won’t be an issue if you’re just working on local files in GIMP. That being said, you should definitely apply any patches that the GIMP.org developers release!
Bob
On Linux it is recommended to install the version from the repos: apt install gimp
Also, antivirus software is a difficult topic, as most of these tools are snake oil. Keeping your system up to date and being careful about what you download is the bigger part of the protection. In some cases antivirus software can even increase the attack surface of your system.
Thomas Boldt
Good advice, Bob, thanks! You’re right that AV software has become somewhat problematic in the last decade or so, but unfortunately, Linux isn’t really ready to take over from Windows from a casual user’s perspective 😉