Checksum vs GPG signature: what’s the difference?
They sound similar and people conflate them, but they prove different things. Here’s the distinction in plain terms.
Security Guides · 5 min · Updated Jun 2026
When verifying a download you'll see two things offered: a checksum (often SHA-256) and a GPG signature. They're related but not the same — and knowing the difference tells you how much trust you actually have.
A checksum proves integrity
A SHA-256 checksum is a practically unique fingerprint of a file's contents. If your download's hash matches the published hash, the file wasn't altered or corrupted in transit. That's integrity. The catch: an attacker who can replace the file on a server can usually also replace the published hash on the same page, so a matching hash from the same source only proves you received what that source intended to serve, not who produced it.
A GPG signature proves authenticity
A GPG signature is created with the developer's private key and verified with their public key. It proves not just that the file is intact, but that this specific developer produced it. That's authenticity — and it's much harder to forge, because the attacker would need the developer's private key.
When is a checksum enough?
- Checksum alone: fine for catching corrupted downloads and mismatches, especially when you get the hash from a trusted, separate source.
- Signature too: best for high-value software like wallets, where you want proof of the publisher's identity. Wallets like Electrum and Sparrow publish GPG signatures.
How to do both
Compute the SHA-256 with the WalletGuard in-browser verifier and compare it against the value the developer publishes, then verify the GPG signature with gpg --verify file.sig file after importing the developer's key, and check that the key fingerprint gpg reports matches the developer's official one. Step-by-step in our wallet verification guide.
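The following script puts both checks together from the command line. It is an added example, not part of this guide or of any wallet project's tooling: the file name, the detached signature name (assumed to be the file name plus .sig), the expected SHA-256 and the expected key fingerprint are placeholders you supply, and the expected values are assumed to come from the developer's official channel rather than from the download page itself. The signature check reads gpg's machine-readable VALIDSIG status line so that a signature from the wrong key (which gpg alone would still report as a good signature) is rejected.

```sh
#!/bin/sh
# Added example: verify a download with a SHA-256 checksum (integrity) and a
# detached GPG signature (authenticity), then require the signing key's
# fingerprint to match one obtained out of band. File names and expected
# values are placeholders supplied by the caller.
set -eu

# Print the lowercase SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Integrity check: succeed only if the file's digest equals the published one
# (case-insensitive, so a hash copied in uppercase still compares correctly).
check_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Authenticity check: gpg must report a valid signature AND the key that made
# it must carry the expected fingerprint. VALIDSIG lists the signing (sub)key
# fingerprint as its first value and the primary key fingerprint as its last,
# so either may match the fingerprint the developer publishes.
check_gpg_signature() {
    file=$1
    sig=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$want" '
        /^\[GNUPG:\] VALIDSIG / { if ($3 == want || $NF == want) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run both checks in order; a failure in either stops the process.
# Usage: verify_download FILE EXPECTED_SHA256 EXPECTED_FINGERPRINT
verify_download() {
    check_sha256 "$1" "$2" || { echo "FAIL: checksum mismatch for $1"; return 1; }
    check_gpg_signature "$1" "$1.sig" "$3" \
        || { echo "FAIL: bad signature or unexpected signing key for $1"; return 1; }
    echo "OK: $1 passed integrity and authenticity checks"
}

# Only run when invoked with the three arguments; otherwise just define functions.
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

Note that the checksum check only compares against whatever value you pass in; if that value was copied from the same page as the download, the script is still exposed to the "same page" problem described above. The fingerprint comparison is what ties the result to a specific publisher.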
Frequently asked questions
What’s the difference between a checksum and a GPG signature?
A checksum (like SHA-256) proves a file wasn’t altered (integrity). A GPG signature proves who published it (authenticity), because it is made with the developer’s private key.
Is a SHA-256 checksum enough to verify a wallet?
It is enough to confirm the file matches a published value, especially if you get the hash from a trusted separate source. For high-value software, also verifying a GPG signature is stronger.
Do I need special tools to verify a GPG signature?
You need GPG installed and the developer’s public key. Then run gpg --verify on the signature and file, and confirm the key fingerprint matches the developer’s official one.