
Verify OneKey App Packages with GPG Signatures

Updated over 2 weeks ago

This tutorial shows how to use GPG signature verification to check the integrity and authenticity (that is, whether it was signed and released by the OneKey team) of a OneKey App installation package you downloaded.

macOS Client

(1) Check the Consistency of the Installation File

  • First, download the client installation package you wish to verify and the corresponding ASC verification file from the official OneKey GitHub repository. (The example below uses version 5.9.0)

  • Navigate to the directory where the files were downloaded, and execute the command:

    shasum -a 256 --check OneKey-Wallet-5.9.0-mac-arm64.dmg.SHA256SUMS.asc

As shown in the image above, the verification result indicates that the checksum matches the file's contents.

(2) Verify the ASC File

  • The ASC file is generated by the OneKey team; verifying it requires the GPG tool.

  • If you have not installed GNU Privacy Guard (GPG) on your system previously, you can visit this link to download the suitable version for your system.

  • Click the link to download the ONEKEY official signing public key to your local device, then double-click the file to import the key.

  • In the same directory, execute the following command:

    gpg --verify OneKey-Wallet-5.9.0-mac-arm64.dmg.SHA256SUMS.asc

As shown in the image above, the ASC file was indeed issued and published by [email protected].
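
The two macOS steps above combined into one check, as an added example (not OneKey's own script): it pins the signer's fingerprint instead of accepting a "Good signature" from whatever key happens to be imported, and compares the installer's hash only against text the signature covers. Assumptions: the .asc file is a clearsigned checksum list (as the single-argument commands above imply), `EXPECTED_FPR` is a placeholder for the fingerprint OneKey publishes, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OneKey's own tooling.
# Placeholder: replace with the signing-key fingerprint OneKey publishes.
EXPECTED_FPR="REPLACE_WITH_PUBLISHED_FINGERPRINT"

# Read `gpg --status-fd` lines on stdin; print the primary-key fingerprint
# (last field of VALIDSIG). Fails when gpg reported no valid signature.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# SHA-256 of file $1, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Read checksum lines on stdin; succeed only if one of them pairs the
# file's name with the hash computed from the file itself.
hash_is_signed() {
    want=$(sha256_of "$1")
    [ -n "$want" ] || return 1
    awk -v h="$want" -v n="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f) }          # "*name" marks binary mode
        tolower($1) == h && f == n { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Usage: verify_release <installer> <SHA256SUMS.asc>
verify_release() {
    status=$(mktemp "${TMPDIR:-/tmp}/gpgstatus.XXXXXX") || return 1
    # On a clearsigned file, --decrypt prints only the text the signature covers.
    signed=$(gpg --batch --status-fd 3 --decrypt "$2" 3>"$status" 2>/dev/null)
    fpr=$(signer_fpr <"$status")
    rm -f "$status"
    [ "$fpr" = "$EXPECTED_FPR" ] || { echo "unexpected signer: ${fpr:-none}" >&2; return 1; }
    printf '%s\n' "$signed" | hash_is_signed "$1" ||
        { echo "no signed hash matches $1" >&2; return 1; }
    echo "OK: $1 matches a hash signed by $fpr"
}
```

Running the hash check on gpg's output rather than on the .asc file itself means lines placed outside the signed block are never consulted.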


Windows Client

(1) Check the Consistency of the Installation File

  • Open the command line in the directory where the files were downloaded, and execute the command below to compute the hash value of the installation file. Here, <file_path> is the path where the installation package is stored after downloading.

    certutil -hashfile <file_path> SHA256

  • Use Notepad to open the previously downloaded ASC verification file and compare the hash value in the file with the one displayed above to see if they match.

(2) Verify the ASC File

  • Verify whether the SHA256SUMS.asc file was generated by the OneKey official team. This step requires the GPG tool. If you have not installed it previously, you can visit this link to download and install the suitable version for your system. It is recommended to choose the GnuPG installation package marked in the image.

  • Click the link to download the ONEKEY official signing public key to your local device, and import the signing public key in the GPG tool.

  • After confirming that the import was successful, run the following command to verify whether the downloaded ASC file was generated by the OneKey team:

    gpg --verify SHA256SUMS.asc

A success message at the bottom of the output indicates that the verification succeeded.
