diff --git a/src/package.v b/src/package.v
index da3988f..b9bcae8 100644
--- a/src/package.v
+++ b/src/package.v
@@ -201,12 +201,10 @@ pub fn (pkg &Pkg) to_desc() string {
 	desc += format_entry('CSIZE', p.csize.str())
 	desc += format_entry('ISIZE', p.size.str())
 
-	md5sum, _ := pkg.checksum() or { '', '' }
+	md5sum, sha256sum := pkg.checksum() or { '', '' }
 
 	desc += format_entry('MD5SUM', md5sum)
-
-	// TODO add this
-	// desc += format_entry('SHA256SUM', sha256sum)
+	desc += format_entry('SHA256SUM', sha256sum)
 
 	// TODO add pgpsig stuff
 
diff --git a/src/util.v b/src/util.v
index 066a58d..f81a256 100644
--- a/src/util.v
+++ b/src/util.v
@@ -2,7 +2,7 @@ module util
 
 import os
 import crypto.md5
-// import crypto.sha256
+import crypto.sha256
 
 // hash_file returns the md5 & sha256 hash of a given file
 // TODO actually implement sha256
@@ -10,7 +10,7 @@ pub fn hash_file(path &string) ?(string, string) {
 	file := os.open(path) or { return error('Failed to open file.') }
 
 	mut md5sum := md5.new()
-	// mut sha256sum := sha256.new()
+	mut sha256sum := sha256.new()
 
 	buf_size := int(1_000_000)
 	mut buf := []byte{len: buf_size}
@@ -23,11 +23,12 @@ pub fn hash_file(path &string) ?(string, string) {
 
 		// For now we'll assume that this always works
 		md5sum.write(buf[..bytes_read]) or {
-			return error('Failed to update checksum. This should never happen.')
+			return error('Failed to update md5 checksum. This should never happen.')
+		}
+		sha256sum.write(buf[..bytes_read]) or {
+			return error('Failed to update sha256 checksum. This should never happen.')
 		}
-		// sha256sum.write(buf) or {}
 	}
 
-	// return md5sum.sum(buf).hex(), sha256sum.sum(buf).hex()
-	return md5sum.checksum().hex(), ''
+	return md5sum.checksum().hex(), sha256sum.checksum().hex()
 }