How to Verify Your Bitcoin Wallet Software
Checking signatures, hashes, and reproducible builds — a practical guide so you don't run a poisoned wallet.
How to Verify Your Bitcoin Wallet Software
Running an unverified wallet is the easiest way to lose your bitcoin. A poisoned binary will sign transactions to addresses you've never seen, or leak your seed phrase to an attacker. The fix is simple, free, and takes 5 minutes per install — but most people skip it.
The three checks
Every serious wallet release ships with three things you should verify before running the binary:
- A cryptographic signature by a known developer
- A SHA-256 (or stronger) hash that should match the binary you downloaded
- A list of trusted public keys from the project
If you can verify all three, the binary you have is the binary the developer published. Skip any one, and you're trusting whoever hosted the download.
Step-by-step (Bitcoin Core example)
1. Download the release files
From the official site (bitcoincore.org/en/download), grab:
- The installer for your OS (
.dmg,.exe,.tar.gz) SHA256SUMS(the hash manifest)SHA256SUMS.asc(the signatures over the manifest)
2. Verify the hash
sha256sum bitcoin-XX.X-osx64.tar.gz
Compare to the matching line in SHA256SUMS. If they don't match, stop. Your download was tampered with or corrupted.
3. Verify the signatures
gpg --verify SHA256SUMS.asc SHA256SUMS
GPG will tell you which keys signed it and whether the signatures are valid. You should see signatures from multiple core maintainers.
4. Trust the keys
The first time, GPG will say "good signature, but the key isn't trusted." You need to:
gpg --keyserver hkps://keys.openpgp.org --recv-keys <KEY_ID>
For each maintainer key listed at bitcoincore.org/en/about/keys. Then re-verify.
For mobile wallets
Most mobile wallets distribute through app stores, which provides some integrity. But:
- Check the publisher account matches the project's official one
- Cross-reference the project's website for the correct app store link
- Watch for typosquatted wallet apps (Trust Wallet vs "Trust Wallets", Electrum vs "Electrum Pro")
For browser extensions
Treat extensions like binaries. Check:
- Publisher matches the project's website
- Permissions look reasonable
- The extension hasn't recently changed ownership
Several popular wallet extensions have been compromised after their original developers sold them. Read recent issues in the project's GitHub.
Reproducible builds
The gold standard. Some projects (Bitcoin Core, Tor, Bisq) publish reproducible builds — meaning anyone can compile from source and get the exact same binary the project shipped, with matching hashes. If you really need certainty, follow the project's reproducible build instructions.
Common mistakes
Do
- +Verify EVERY new release, including minor updates
- +Use HTTPS everywhere when downloading binaries and signature files
- +Pin a developer's GPG key once you've verified it out of band
- +If anything mismatches, ask in the project's official channels before proceeding
Don't
- −Trust a 'verified' badge on a third-party mirror site
- −Run a wallet binary you downloaded from a forum link without checking signatures
- −Skip verification for 'small' updates — that's exactly when malicious updates ship
- −Type your seed phrase into anything that wasn't verified
The 5-minute habit
This whole process becomes routine after a few times. Build the habit: download → hash → signature → key trust → run. Five minutes a release. Decades of compounded security.
Related
- Guides8 min read
The 5 Most Common Scams on Bitcointalk (And How to Spot Them)
Impersonation, fake escrow, signature campaign frauds, account selling, fake bounty pages — the patterns that catch newcomers.
May 15, 2026
- Guides7 min read
How Merit Actually Works (And How to Earn It Honestly)
Merit isn't karma. It's a quality filter built to break account farms. Here's the system in plain English.
May 12, 2026
- Guides6 min read
Reading a Bitcointalk Profile — A Newbie's Guide
Every signal on a forum profile that tells you whether to trust, ignore, or run from someone.
May 9, 2026