
Wallet installer SHA-256 verifier (Ledger, Trezor, Sparrow)

Drag any wallet installer to compute its SHA-256 in your browser, then compare against the vendor's official hash. Catch tampered or fake downloads.

Last updated · 6 May 2026 (B.E. 2569)

Drop the installer below — your browser will compute its SHA-256 hash. Compare against the vendor's official published hash to confirm it hasn't been tampered with.

The file never leaves your device. Hashing happens in your browser via the Web Crypto API. No upload. No telemetry.

Drop installer here
or click to choose a file

Why verifying your download matters

In April 2026 a counterfeit Ledger Live app on the Apple App Store drained roughly $9.5 million in crypto from users who thought they had downloaded the official app. The fake had Ledger’s logo, Ledger’s name, and a polished onboarding flow — the only way to spot it before it took your seed was to verify the file you’d downloaded against the cryptographic hash that the real Ledger publishes alongside every release.

This is not a theoretical attack. Counterfeit installers, malicious app-store look-alikes, and supply-chain compromises of legitimate software are the most common way self-custodians lose coins in 2026. Your hardware wallet only protects you if the software talking to it is the real software, signed by the real vendor. The two-minute habit of verifying every installer against the vendor’s published hash is the single most cost-effective security control you can adopt.

What the tool does

You drag any wallet installer — .dmg for macOS, .exe or .msi for Windows, .AppImage or .deb or .rpm for Linux, .apk for Android, or .dfu / .bin for hardware-wallet firmware — into the drop zone, and the page computes its SHA-256 and SHA-512 hash directly in your browser using the Web Crypto API. The file never leaves your device. There is no upload. There is no telemetry. The page is static HTML + a small piece of client-side JavaScript whose source is visible if you view-source the rendered page.

The tool also tries to recognise your filename and, if it matches a known vendor, points you at the page where that vendor publishes their official hashes — so you can compare your computed value against the vendor’s value side-by-side. If the filename pattern doesn’t match anything we’ve seen, the tool shows the full vendor list and lets you pick.
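
What the hash-and-compare step can look like, as an added example rather than the site's own WalletVerify.tsx code: it hashes the bytes with `crypto.subtle.digest()` and checks the result against a checksum list, treating a file name that is not listed as a failure instead of a pass. The function names, `SAMPLE_SUMS` and the `example-wallet-*` file names are constructed for illustration.

```javascript
// Constructed checksum list in the "<hex>  <name>" layout of shasum/sha256sum.
// The digests are SHA-256("abc") and SHA-256(""); the file names are made up.
const SAMPLE_SUMS = [
  "# constructed sample, not a vendor file",
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-wallet-1.0.0.dmg",
  "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 *example-wallet-1.0.0.exe",
].join("\n");

// SHA-256 of a File, Blob, ArrayBuffer or typed array as 64 lowercase hex chars.
async function sha256Hex(input) {
  // Browsers and current Node expose crypto.subtle globally; the import is a
  // fallback for older Node only.
  const subtle = globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
  // digest() is one-shot (no streaming), so the whole file is read into memory.
  const data = typeof input.arrayBuffer === "function" ? await input.arrayBuffer() : input;
  const digest = new Uint8Array(await subtle.digest("SHA-256", data));
  return Array.from(digest, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Parse a checksum list into Map(fileName -> lowercase hex digest).
// Anything that is not "<64 hex chars> <name>" is ignored.
function parseChecksumList(text) {
  const entries = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]{64})\s+\*?(.+)$/.exec(line.trim());
    if (m) entries.set(m[2], m[1].toLowerCase());
  }
  return entries;
}

// Fail closed: only an exact digest match for this exact file name passes.
async function verifyInstaller(fileName, input, checksumText) {
  const computed = await sha256Hex(input);
  const expected = parseChecksumList(checksumText).get(fileName);
  if (expected === undefined) return { verdict: "not-listed", computed };
  return { verdict: computed === expected ? "match" : "mismatch", computed, expected };
}

// Demo with constructed bytes standing in for a dropped installer.
const demoBytes = new TextEncoder().encode("abc");
verifyInstaller("example-wallet-1.0.0.dmg", demoBytes, SAMPLE_SUMS)
  .then((r) => console.log(r.verdict, r.computed));
```

In a browser, pass the `File` object from the drop event as `input`. A `not-listed` verdict is what a version or platform mix-up looks like, because the file name has no entry in the list.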

How to verify manually (terminal)

If you’d rather not paste a file into a web tool — and that’s a reasonable thing to want — here are the equivalent commands per operating system. Each one outputs the same SHA-256 hash that this page would compute, ready for you to compare against the vendor’s published value:

macOS / Linux:

shasum -a 256 'Ledger Live-3.5.2.dmg'

Windows (PowerShell):

Get-FileHash 'Ledger Live-3.5.2.exe' -Algorithm SHA256

The output is a 64-character hexadecimal string. Compare it character-by-character against the value the vendor publishes (usually under “Verify your download” or in the release notes). If even a single character differs, do not run the file — re-download from the official source.

Going further: verifying the PGP signature

Hash matching tells you the file is byte-identical to what the vendor published, but it doesn’t tell you that the vendor’s announcement of the hash is authentic — a sophisticated attacker who controlled the vendor’s website could publish a fake hash alongside a fake binary and you’d “verify” successfully. The next layer of paranoia is to check that the SHA-256 hash itself is signed with the vendor’s PGP key, and that you trust that PGP key independently of the vendor’s website (e.g. from a key server, a Bitcoin-developer keychain, or the vendor’s GitHub).

Each major Bitcoin wallet vendor has documented this process; the links below point you at theirs:

PGP verification is one extra step, but it’s the level of paranoia that catches a website-compromise scenario. For Bitcoin Core in particular, the project’s build-it-yourself approach to binaries means a sophisticated user can reproducibly verify that the binary they’re running was built from the source they reviewed. That’s the gold standard.

Frequently asked questions

The hash my file produced doesn’t match anything in the vendor’s release notes — what do I do?

First, double-check that the version of your file matches the version of the release notes (a 3.5.2 file won’t hash to the published value of 3.5.1). Second, double-check that you’re looking at the correct platform (macOS .dmg and Windows .exe for the same release have different hashes). If the version and platform match and the hash still doesn’t, do not run the file. Treat it as compromised, delete it, re-download from the official URL, and verify again.

Why both SHA-256 and SHA-512?

Different vendors publish different hashes. Sparrow publishes SHA-256 only; Bitcoin Core publishes SHA-256 in SHA256SUMS; some vendors publish both. Computing both means you have whichever one you need without re-running the tool.

Does the tool need internet access?

The hash computation does not. The vendor links shown alongside the result do require the page to load, but the actual file → hash step happens in the Web Crypto API on your CPU, no network roundtrip. You could in principle save this page to disk and run it offline.

Is the source code auditable?

Yes. The component lives at src/components/islands/WalletVerify.tsx in the site’s repository. The hashing is a thin wrapper around crypto.subtle.digest() — there is no clever code, by design.