Skip to content
← Blog
Guides6 min readApril 27, 2026

How to Verify Your Bitcoin Wallet Software

Checking signatures, hashes, and reproducible builds — a practical guide so you don't run a poisoned wallet.

How to Verify Your Bitcoin Wallet Software

Running an unverified wallet is the easiest way to lose your bitcoin. A poisoned binary will sign transactions to addresses you've never seen, or leak your seed phrase to an attacker. The fix is simple, free, and takes 5 minutes per install — but most people skip it.

The three checks

Every serious wallet release ships with three things you should verify before running the binary:

  1. A cryptographic signature by a known developer
  2. A SHA-256 (or stronger) hash that should match the binary you downloaded
  3. A list of trusted public keys from the project

If you can verify all three, the binary you have is the binary the developer published. Skip any one, and you're trusting whoever hosted the download.

Step-by-step (Bitcoin Core example)

1. Download the release files

From the official site (bitcoincore.org/en/download), grab:

  • The installer for your OS (.dmg, .exe, .tar.gz)
  • SHA256SUMS (the hash manifest)
  • SHA256SUMS.asc (the signatures over the manifest)

2. Verify the hash

sha256sum bitcoin-XX.X-osx64.tar.gz

Compare to the matching line in SHA256SUMS. If they don't match, stop. Your download was tampered with or corrupted.

3. Verify the signatures

gpg --verify SHA256SUMS.asc SHA256SUMS

GPG will tell you which keys signed it and whether the signatures are valid. You should see signatures from multiple core maintainers.

4. Trust the keys

The first time, GPG will say "good signature, but the key isn't trusted." You need to:

gpg --keyserver hkps://keys.openpgp.org --recv-keys <KEY_ID>

For each maintainer key listed at bitcoincore.org/en/about/keys. Then re-verify.

For mobile wallets

Most mobile wallets distribute through app stores, which provides some integrity. But:

  • Check the publisher account matches the project's official one
  • Cross-reference the project's website for the correct app store link
  • Watch for typosquatted wallet apps (Trust Wallet vs "Trust Wallets", Electrum vs "Electrum Pro")

For browser extensions

Treat extensions like binaries. Check:

  • Publisher matches the project's website
  • Permissions look reasonable
  • The extension hasn't recently changed ownership

Several popular wallet extensions have been compromised after their original developers sold them. Read recent issues in the project's GitHub.

Reproducible builds

The gold standard. Some projects (Bitcoin Core, Tor, Bisq) publish reproducible builds — meaning anyone can compile from source and get the exact same binary the project shipped, with matching hashes. If you really need certainty, follow the project's reproducible build instructions.

Common mistakes

Do

  • +Verify EVERY new release, including minor updates
  • +Use HTTPS everywhere when downloading binaries and signature files
  • +Pin a developer's GPG key once you've verified it out of band
  • +If anything mismatches, ask in the project's official channels before proceeding

Don't

  • Trust a 'verified' badge on a third-party mirror site
  • Run a wallet binary you downloaded from a forum link without checking signatures
  • Skip verification for 'small' updates — that's exactly when malicious updates ship
  • Type your seed phrase into anything that wasn't verified

The 5-minute habit

This whole process becomes routine after a few times. Build the habit: download → hash → signature → key trust → run. Five minutes a release. Decades of compounded security.

Tags:securitywalletsbitcoin

Related