diff --git a/tuf/client/client.go b/tuf/client/client.go
index 4d6ad0e6c3..7da9785f84 100644
--- a/tuf/client/client.go
+++ b/tuf/client/client.go
@@ -405,9 +405,11 @@ func (c *Client) downloadSigned(role string, size int64, expectedSha256 []byte)
 	if err != nil {
 		return nil, nil, err
 	}
-	genHash := sha256.Sum256(raw)
-	if expectedSha256 != nil && !bytes.Equal(genHash[:], expectedSha256) {
-		return nil, nil, ErrChecksumMismatch{role: role}
+	if expectedSha256 != nil {
+		genHash := sha256.Sum256(raw)
+		if !bytes.Equal(genHash[:], expectedSha256) {
+			return nil, nil, ErrChecksumMismatch{role: role}
+		}
 	}
 	s := &data.Signed{}
 	err = json.Unmarshal(raw, s)