How to verify Sparrow Wallet

When it comes to bitcoin software and firmware, it is always good practice to verify the software you are downloading was actually developed and signed by the correct developer. This prevents you from downloading firmware that scammers or attackers have uploaded onto the internet with the goal of stealing your bitcoin.

If you prefer a video guide, watch this:

Step 1: Download GPG onto your computer.

This is the software we will use to import the developers key, and verify the software was signed by these keys.

Download GPG suite for macOS: https://gpgtools.org/

Download Gpg4win for Windows: https://www.gpg4win.org/

Linux: GPG comes preinstalled.

Step 2: Open your terminal

Next, we need to import developer keys into our GPG suite.

To do this, open your terminal. You can search for it in your search bar:

Step 3: Import developer keys into GPG suite

In your terminal, copy and paste the following line:

curl https://keybase.io/craigraw/pgp_keys.asc | gpg --import

This line will import Craig Raw's key into your GPG keychain:

Ensure that Craig Raw's key matches what you see above, or what you see in his Twitter. Note: it ends in "E946 1833 4C67 4B40"

Step 4: Download Sparrow Wallet and verification files

Head over to https://sparrowwallet.com/download/ and download 3 files:

1. Sparrow Wallet for your operating system.
2. The manifest signature file.
3. The manifest file.

Ensure that these files save to your DOWNLOADS FOLDER. This will be important later.

Step 5: Verify the release

First, we need to verify the manifest file. To do this, open your terminal and tell it to look into your downloads folder. Copy and paste this into the terminal, and click the enter key:

cd Downloads

Now, terminal can see your 3 files. Verify the manifest file by pasting this into your terminal and clicking enter:

gpg --verify sparrow-1.9.1-manifest.txt.asc

You should then see this message, stating "Good signature from Craig Raw"

gpg: assuming signed data in 'sparrow-1.9.1-manifest.txt'
gpg: Signature made Mon May 13 16:10:11 2024 SAST
gpg:                using RSA key D4D0D3202FC06849A257B38DE94618334C674B40
gpg: Good signature from "Craig Raw <craig@sparrowwallet.com>" [unknown]

If you see this message, ignore it:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message just means you have not marked the key as trusted. But, if they key matches what you see on Keybase, Twitter, and in this blog, you can be confident the signature does belong to the owner.

Step 6: Verify the actual firmware.

In the previous step, we verified the manifest file. In this step, we verify the actual firmware itself.

In terminal, paste the following line for whichever operating system you use:

macOS

shasum --check sparrow-1.9.1-manifest.txt --ignore-missing

Linux

sha256sum --check sparrow-1.9.1-manifest.txt --ignore-missing

Windows

CertUtil -hashfile Sparrow-1.9.1.exe SHA256 | findstr /v "hash"
Compare result to the appropriate value in sparrow-1.9.1-manifest.txt!

After running this line, you should see something like this:

Sparrow-1.9.1.dmg: OK

Or this:

sparrow_1.9.1-1_amd64.deb: OK

Step 7: Run the software

After seeing "OK", we know our software is signed by the correct key.

Go ahead and run the actual software file, and use Sparrow!

More Sparrow Wallet guides:

The Sparrow Wallet guides

A series of videos covering Sparrow Bitcoin Wallet. Guides for beginners and more advanced users.

Southern BitcoinerCole