This tutorial shows how to use the GPG signature verification tool to check the integrity and authenticity of a downloaded OneKey App installation package, that is, whether it was signed and released by the OneKey team.
macOS Client
(1) Check the Consistency of the Installation File
First, download the client installation package you wish to verify and the corresponding ASC verification file from the official OneKey GitHub repository. (The example below uses version 5.9.0.)
Navigate to the directory where the files were downloaded, and execute the command:
shasum -a 256 --check OneKey-Wallet-5.9.0-mac-arm64.dmg.SHA256SUMS.asc
As shown in the image above, the verification result indicates that the checksum matches the file's contents.
(2) Verify the ASC File
The ASC file is generated by the official OneKey team, and verifying it requires the GPG tool.
If you have not installed GNU Privacy Guard (GPG) on your system previously, you can visit this link to download the suitable version for your system.
Click the link to download the official OneKey signing public key to your local device, then double-click the file to import the key.
In the same directory, execute the following command:
gpg --verify OneKey-Wallet-5.9.0-mac-arm64.dmg.SHA256SUMS.asc
As shown in the image above, the ASC file was indeed issued and published by [email protected].
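The two macOS steps above combined into one script, as an added example that is not OneKey's own tooling: it checks the signature first and then compares the package hash only against the text the signature covers, so a checksum line outside the signed block cannot pass. It assumes the ASC file is a clearsigned checksum list in `shasum` format; the function names are hypothetical, and the expected fingerprint is a value you supply yourself (the page does not state one).

```shell
#!/bin/sh
# Added example (not OneKey tooling): verify the signature FIRST, then compare
# the package hash only against the text that the signature covers.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | awk '{ print tolower($1) }'
}

# Print the primary-key fingerprint from `gpg --status-fd` output, but only if
# gpg reported a valid signature (VALIDSIG; its last field is that fingerprint).
validsig_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF); exit }' "$1"
}

# Succeed only if <sums-file> lists <package> with the hash the file really has.
hash_matches() {  # usage: hash_matches <package> <sums-file>
  name=$(basename "$1")
  want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print tolower($1); exit }' "$2")
  [ -n "$want" ] && [ "$want" = "$(sha256_of "$1")" ]
}

# usage: verify_release <package> <SHA256SUMS.asc> <expected-fingerprint>
# <expected-fingerprint> is supplied by you (assumption: obtained from the
# publisher through a channel other than the download itself).
verify_release() {
  tmp=$(mktemp -d) || return 1
  rc=1
  want_fpr=$(printf %s "$3" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  # --decrypt on a clearsigned file checks the signature and writes the signed text.
  if gpg --batch --status-fd 3 --output "$tmp/sums" --decrypt "$2" \
       3>"$tmp/status" 2>/dev/null; then
    fpr=$(validsig_fpr "$tmp/status")
    if [ -n "$fpr" ] && [ "$fpr" = "$want_fpr" ] && hash_matches "$1" "$tmp/sums"
    then rc=0; fi
  fi
  rm -rf "$tmp"
  if [ "$rc" -eq 0 ]; then echo "OK: $1 matches a hash signed by $want_fpr"
  else echo "FAIL: signature, signer fingerprint or hash did not check out" >&2; fi
  return "$rc"
}

# Run as: sh verify.sh <package> <SHA256SUMS.asc> <expected-fingerprint>
if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```

A plain `gpg --verify` reports a good signature for any key in the local keyring, which is why the script also compares the signer's fingerprint with the one you expect.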
Windows Client
(1) Check the Consistency of the Installation File
First, download the Windows installation package and the corresponding version's GPG verification file from the official OneKey GitHub repository (using version 5.9.0 as an example).
Open the command line in the directory where the files were downloaded, and execute the following command to check the hash value of the installation file. Here, <file_path> is the path where the installation package was saved after downloading.
certutil -hashfile <file_path> SHA256
Use Notepad to open the previously downloaded ASC verification file and compare the hash value in the file with the one displayed above to see if they match.
(2) Verify the ASC File
Verify that the SHA256SUMS.asc file was generated by the official OneKey team. This step requires the GPG tool. If you have not installed it previously, you can visit this link to download and install the suitable version for your system. It is recommended to choose the GnuPG installation package marked in the image.
Click the link to download the official OneKey signing public key to your local device, and import the signing public key in the GPG tool.
After confirming that the import was successful, use the command:
gpg --verify SHA256SUMS.asc
to verify whether the downloaded ASC file was generated by the official OneKey team. A successful verification message at the bottom of the output indicates that the verification succeeded.