Downloading a wallet from the right place is step one. Verifying that the bytes on your disk are the exact bytes the developer signed is step two — and it's the step almost everyone skips. This guide shows you both checks: the SHA-256 checksum (integrity) and the GPG signature (authenticity).

Why verification matters

A compromised mirror, a man-in-the-middle on an open network, or a corrupted download can all hand you a file that looks right but isn't. Verification turns "I hope this is genuine" into "I have cryptographic proof." It takes about 30 seconds.

Step 1 — Find the official hash

Get the published SHA-256 value from the developer's official site or their signed GitHub release page — never from the same random page you downloaded the file from. Every wallet hub on WalletGuard links to the authoritative source for that wallet.

Step 2 — Compute your file's hash

Windows (PowerShell)

Get-FileHash .\wallet-installer.exe -Algorithm SHA256

macOS / Linux

shasum -a 256 wallet-installer.dmg
# or
sha256sum wallet-installer.AppImage

The easy way

Skip the terminal entirely: open the WalletGuard in-browser verifier, drag your file in, and it computes the SHA-256 locally — nothing is uploaded.

Step 3 — Compare

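Match the two strings; letter case doesn't matter (PowerShell prints the hash in uppercase, shasum and sha256sum in lowercase). Identical → the file matches the published hash, install it. Different by even one character → delete it and re-download from the official source. Don't "try it anyway."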

Verifying MetaMask specifically? See our step-by-step guide to downloading MetaMask safely.

Going further — GPG signatures

A checksum proves integrity; a GPG signature also proves who signed it. Wallets like Electrum and Sparrow publish detached signatures:

gpg --import developer-public-key.asc
gpg --verify wallet-installer.sig wallet-installer

Look for "Good signature from …" with the expected key fingerprint. A "Good signature" from an unknown key is meaningless — always confirm the fingerprint against the developer's official channels.
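
A scripted form of that fingerprint check, added here as an example (it is not code from WalletGuard or from any wallet project): it reads gpg's machine-readable --status-fd output and accepts only a good signature whose primary-key fingerprint equals a pinned value. The fingerprint, the sample status lines and the function names are constructed for illustration, and the parser assumes gpg prints GOODSIG before the matching VALIDSIG line, as GnuPG 2.x does.

```shell
#!/bin/sh
# CONSTRUCTED placeholder fingerprint: replace it with the 40-hex-digit value
# published on the developer's official channels.
PINNED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
norm_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` lines on stdin. Succeed only if a signature reported
# as GOODSIG (valid, key not expired or revoked) is followed by a VALIDSIG
# line whose last field, the primary-key fingerprint, equals the pin.
# Any BADSIG rejects the file. Returns 2 if the pin is not 40 hex digits.
# Assumption: GOODSIG precedes its VALIDSIG line (GnuPG 2.x ordering).
status_matches_pin() {
  _pin=$(norm_fpr "$1")
  case "$_pin" in *[!0-9A-F]*) return 2 ;; esac
  [ "${#_pin}" -eq 40 ] || return 2
  awk -v pin="$_pin" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(GOODSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { good = ($2 == "GOODSIG") }
    $2 == "BADSIG" { bad = 1 }
    $2 == "VALIDSIG" && good && toupper($NF) == pin { ok = 1 }
    END { exit (ok && !bad) ? 0 : 1 }'
}

# Hypothetical wrapper: verify_pinned <signature> <file> <fingerprint>
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_matches_pin "$3"
}

# CONSTRUCTED status output for a good signature made by the pinned key.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

if printf '%s\n' "$SAMPLE_OK" | status_matches_pin "$PINNED_FPR"; then
  echo "signature is good and comes from the pinned key"
else
  echo "REJECT: signature missing, bad, or from a different key" >&2
fi
```

With a real download, call verify_pinned with the signature file, the installer and the fingerprint copied from the developer's official channels, and install only if it exits 0.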

Frequently asked questions

What is a SHA-256 checksum?

A 64-character hexadecimal fingerprint of a file. Change one byte and the whole hash changes, so matching hashes prove the file wasn't altered.

Checksum vs GPG signature — what's the difference?

A checksum proves the file matches a published value (integrity). A GPG signature also proves the publisher's identity (authenticity) via their private key.

Do I have to upload my file to verify it?

No. The WalletGuard verifier hashes the file in your browser with the Web Crypto API; it never leaves your device.