Verify Downloads

Don't trust downloads blindly. Before running any QryptCoin binary, verify the checksum and signature to ensure integrity and authenticity.

Security

Why Verification Matters

Cryptographic verification protects you from tampered or malicious binaries. Always verify before you run.

Integrity Check

SHA256 checksums ensure the file you downloaded matches the official release byte-for-byte.

Authenticity Proof

GPG signatures prove the checksum file was signed by the official QryptCoin release key.

Tamper Detection

Any modification to the binary will cause the checksum to mismatch, alerting you immediately.

Release Contents

What You Should Expect

Every QryptCoin release includes these verification files.

  • 1
    SHA256SUMS

    Contains checksums for every published artifact in the release.

  • 2
    SHA256SUMS.asc

    A detached GPG signature for the checksum file (recommended for full verification).

  • 3
    qryptcoin-release-key.asc

    The official GPG public key used to sign releases.

  • 4
    Release Notes

    Version information, compatibility notes, and known issues.

Release Key

GPG Signing Key

Import and verify the official QryptCoin release signing key.

  • Key ID: 4F063EA8
  • Fingerprint: 1398 1DE2 606C F6EB 2A79 004A 29A3 A6F3 4F06 3EA8
  • Public Key: qryptcoin-release-key.asc
  • Distribution: Project website + Git tag notes (avoid trusting random keyservers)
Instructions

Step-by-Step Verification

Follow these commands to verify your download on any platform.

Windows (PowerShell)

PowerShell
PS> # Step 1: Compute the SHA256 hash of your downloaded file
PS> Get-FileHash QryptCoin-0.3.0-win64.exe -Algorithm SHA256
PS> # Step 2: Compare the output hash with the one in SHA256SUMS
PS> Get-Content SHA256SUMS | Select-String "QryptCoin-0.3.0"
PS> # Step 3 (Optional): Verify GPG signature with gpg4win
PS> gpg --verify SHA256SUMS.asc SHA256SUMS

macOS / Linux (Terminal)

Terminal
$ # Step 1: Compute the SHA256 hash (macOS)
$ shasum -a 256 <downloaded-file>
$ # Step 1 (Alternative): Compute the SHA256 hash (Linux)
$ sha256sum <downloaded-file>
$ # Step 2: Compare with SHA256SUMS file
$ cat SHA256SUMS
$ # Step 3: Verify GPG signature
$ gpg --verify SHA256SUMS.asc SHA256SUMS
Troubleshooting

When Something Doesn't Match

If verification fails, do not run the binary. Follow these guidelines instead.

Signature Mismatch

Stop. Re-download from the canonical HTTPS origin and confirm you're using the correct release key fingerprint.

Checksum Mismatch

Stop. Do not run the binary. Re-download and verify again. If it still mismatches, report it to support@qryptcoin.org.

Verification Successful

If both the checksum and signature verify correctly, you can safely proceed with installation.

Report Issues

Security Reporting

Found a security vulnerability? Report it responsibly.

For security vulnerabilities, follow SECURITY.md in the repository and email security@qryptcoin.org with "SECURITY" in the subject line. Do not disclose vulnerabilities publicly before they are addressed.

Do Include
  • Detailed description of the issue
  • Steps to reproduce
  • Affected versions
  • Potential impact assessment
Don't Do
  • Post publicly before disclosure
  • Exploit against mainnet
  • Share with third parties
  • Demand payment for disclosure
Report Security Issue