Verify installation package

This tutorial applies to the verification of the following installation packages:

Desktop Client Mobile App

macOS Silicon

macOS Intel



Android APK


👉 If you want to authenticate with macOS

Make sure you have already downloaded the install package to your mac.



- Then download GPG file


-  Open the command line tool and switch to the directory where the download file is located, e.g.

cd Downloads/

- Use the checksum tool to calculate the shasum value

shasum -a 256 --check SHA256SUMS.asc


-  Check the result; make sure the status of the DMG file you downloaded shows OK

-  If you have not previously installed GNU Privacy Guard (GPG) on your system, install

-  Get the Onekey signature public key

 gpg --keyserver --recv-keys EB68AE544F1FDD8CD264624FB369A67A90BF387B

-  Verify the checksum file

gpg --verify SHA256SUMS.asc

- Verify the checksum result

👉 If you want to authenticate with Windows


- First download the windows installation package

- Then download the desktop client installation package GPG information verification file

- Open the CMD and execute the commandcertutil -hashfile file path SHA256 where the file path is the address where the installation package is stored after download


- At this time, the command line prompts the current installation package sha256 results, and the second step to download the SHA256SUMS.asc file comparison, use notepad file to open this file, find the corresponding downloaded file to see if the comparison results are consistent


- Verify that the SHA256SUMS.asc file, is generated by the official OneKey team, this step requires the use of the gpg tool, if not previously installed, you will need to go to to install it, it is recommended that you select the GnuPG installer marked in the image to install it.


- After the installation is complete, there will be a gpg.exe executable command line file in the corresponding installation directory (the target disk \ Program Files (x86)\ GnuPG \ bin), drag and drop this command line file into the command line, you can directly execute.


- Execute gpg --keyserver --recv-keys EB68AE544F1FDD8CD264624FB369A67A90BF387Bto get the public key information


- After confirming the successful import, use the command gpg --verify SHA256SUMS.asc to verify whether SHA256SUMS.asc is generated by onekey, and when you see the verification success message at the bottom, it proves that the verification is successful.


Was this article helpful?
3 out of 8 found this helpful