This tutorial guides users on how to verify the integrity and authenticity of OneKey App client installation packages on macOS and Windows using checksum and GPG signature verification. The supported installation package platforms for verification are as follows:
| Desktop Client | Mobile App |
| --- | --- |
| macOS Silicon, macOS Intel, Windows, Linux | Android APK |
Verify with your Operating System
macOS
- First, download the OneKey App client installation package you wish to verify to your local machine.
- Based on the version number of the client installation package you downloaded, find the corresponding GPG information verification file in the GitHub Release and click the file name to download it (the image below shows the location of the GPG file for v3.3.0).
- Navigate to the directory where the files were downloaded and execute the command:
shasum -a 256 --check SHA256SUMS.asc
- Locate the downloaded installation package (in this case, we downloaded version v3.3.0-mac-arm64) and verify that its checksum matches the contents of the file.
- The SHA256SUMS file contains checksums for all versions of the installation packages, so you might see warnings for files that are not present. These warnings do not affect the verification result. Just ensure that the checksum for the downloaded package is OK.
- The SHA256SUMS.asc file is generated by OneKey and needs to be verified using GPG tools. If you haven't installed GNU Privacy Guard (GPG) on your system, you can download it from here: https://www.gnupg.org/download/index.en.html#binary
- After installing GPG, execute the command to import the public key:
gpg --keyserver keys.openpgp.org --recv-keys EB68AE544F1FDD8CD264624FB369A67A90BF387B
- Once the key is imported, run the following command in the same directory to verify the signature of the SHA256SUMS.asc file:
gpg --verify SHA256SUMS.asc
- This will confirm that the SHA256SUMS file was indeed signed by dev@onekey.so.
Windows
- First, download the Windows installation package to your local machine.
- Based on the version number of the client installation package you downloaded, find the corresponding GPG information verification file in the GitHub Release and click the file name to download it (the image below shows the location of the GPG file for v3.3.0).
- Open the Command Prompt and execute the following command, replacing <file_path> with the path to the downloaded installation package:
certutil -hashfile <file_path> SHA256
- Compare the SHA256 result from the command with the corresponding entry in the SHA256SUMS.asc file. You can open the SHA256SUMS.asc file with a text editor to find the matching entry.
- To ensure the SHA256SUMS.asc file is generated by OneKey, you need to use GPG tools. If you haven't installed GPG, download it from here: https://www.gnupg.org/download/index.en.html#binary
  Note: It is recommended to choose the GnuPG installer marked in the image below.
- After installation, navigate to the directory where GPG is installed (e.g., C:\Program Files (x86)\GnuPG\bin) and locate the gpg.exe executable. Drag this executable into the Command Prompt to run it.
- Execute the command to import the public key:
gpg --keyserver keys.openpgp.org --recv-keys EB68AE544F1FDD8CD264624FB369A67A90BF387B
- After successfully importing the key, execute the command:
gpg --verify SHA256SUMS.asc
- A successful verification message at the bottom will confirm that the SHA256SUMS.asc file was generated by OneKey.
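
The macOS steps above combined into one shell script that checks the signature before trusting any checksum (an added example, not OneKey's own tooling; it also runs on Linux). It assumes SHA256SUMS.asc is a clearsigned file and reads the checksum list from gpg's verified output, because lines placed outside the signed block of a clearsigned file are not covered by the signature. The function names are illustrative.

```shell
#!/bin/sh
# Added example, not OneKey tooling. Assumes SHA256SUMS.asc is clearsigned.
ONEKEY_FPR="EB68AE544F1FDD8CD264624FB369A67A90BF387B"  # fingerprint from this guide

# Reads `gpg --status-fd 1` output on stdin. Succeeds only if gpg reported
# GOODSIG and a VALIDSIG line names the pinned fingerprint, as the signing
# key (field 3) or as its primary key (last field).
sig_is_from_pinned_key() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# Prints the SHA-256 listed for file name $2 in checksum list $1 (empty if absent).
expected_sum() {
    awk -v name="$2" '
        /^[0-9a-fA-F]+[ \t]+/ {
            hash = $1; file = $0
            sub(/^[0-9a-fA-F]+[ \t]+[*]?/, "", file)  # drop hash, separator, "*" marker
            if (length(hash) == 64 && file == name) { print tolower(hash); exit }
        }' "$1"
}

# Prints the SHA-256 of file $1 (sha256sum if present, else shasum as on macOS).
actual_sum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        awk '{ print tolower($1) }'
}

# Succeeds only if package $2 is listed in checksum list $1 with a matching hash.
package_matches() {
    want=$(expected_sum "$1" "$(basename "$2")")
    [ -n "$want" ] && [ "$want" = "$(actual_sum "$2")" ]
}

# verify_package SHA256SUMS.asc PACKAGE: signature first, then the checksum,
# taken from the text gpg verified rather than from the raw .asc file.
verify_package() {
    signed=$(mktemp) || return 1
    if gpg --batch --yes --status-fd 1 --output "$signed" --decrypt "$1" 2>/dev/null |
            sig_is_from_pinned_key "$ONEKEY_FPR" && package_matches "$signed" "$2"; then
        rm -f "$signed"; echo "OK: $2"; return 0
    fi
    rm -f "$signed"; echo "FAILED: $2" >&2; return 1
}

if [ "$#" -eq 2 ]; then verify_package "$@"; fi
```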