A hash in case your not aware, does not conform a file has been unhampered when you download it. Part of the reason for this is if you ask where did you get the hash to compare in the first place ? Its almost always from the same site you download it from, so if the file is compromised the hash likely is as well.
You see md5 hash's a lot on linux iso's and similar things, the only reason they exist is for checking your file wasn't corrupt in download.
if you run linux its super simple. Download the file and hash and run (if its md5): md5sum -c <hash file>
It will calculate the hash of the download file and compare it to the hash file for you.
On windows you'll need a program.
PGP signing is more useful to ensure the file hasn't been compromised. Assuming the persons PGP key isnt compromised. These are used on some Linux package managers if i remember right.