Security is critical when installing software that handles your Bitcoin. Every KaleidoSwap release binary is individually GPG-signed by the developer using a hardware security key (YubiKey); the private key never leaves the hardware token. macOS builds additionally carry an Apple Developer ID signature and Apple notarization, so Gatekeeper opens them without the "unidentified developer" warning.

Why Verify Downloads?

Verifying a binary before installing ensures:
  • The file was signed by the KaleidoSwap developer's key, not merely by some key that carries a similar name
  • The file was not tampered with or corrupted in transit
  • The file has not been modified since the developer signed it

How It Works

After each release the CI publishes the binaries to the GitHub Releases page. The developer then runs scripts/sign-release.sh locally (with a YubiKey inserted), which:
  1. Downloads every release asset from GitHub
  2. Creates a detached GPG signature (<binary>.asc) for each one
  3. Verifies all signatures locally
  4. Uploads the .asc files back to the same release
You can find both the binaries and their .asc signatures on the Releases page.

Prerequisites

  • GPG (GNU Privacy Guard) installed on your system
  • The KaleidoSwap binary you want to verify
  • The corresponding .asc signature file from the same release
Install GPG if you do not have it yet:
  • macOS (Homebrew): brew install gnupg
  • Debian/Ubuntu: sudo apt install gnupg
  • Windows: install Gpg4win (https://www.gpg4win.org), which provides the gpg command line tool

Verification Steps

1. Import the Developer’s Public Key

This is a one-time step. Import the KaleidoSwap developer's public GPG key directly from GitHub. The -f flag makes curl fail on an HTTP error instead of silently piping an empty or HTML response into gpg:
curl -fsSL https://github.com/bitwalt.gpg | gpg --import
After importing, display the key's fingerprint and user ID:
gpg --fingerprint walter@kaleidoswap.com
The key ID you will see in signature output is 9EE396C0452755F0. Note it down: when you verify a file, the ID on the "using RSA key" line must be this one, and a Good signature from any other key is not acceptable even if the name and e-mail address look right. Fetching the key over HTTPS from github.com/bitwalt ties it to the developer's GitHub account; comparing the ID you imported against the one printed on this page gives you a second, independent channel.

2. Download the Binary and Its Signature

From the Releases page, download your platform binary and the matching .asc file — both must be in the same directory.
Platform              Binary                                    Signature
macOS Apple Silicon   KaleidoSwap_<version>_aarch64.dmg         KaleidoSwap_<version>_aarch64.dmg.asc
macOS Intel           KaleidoSwap_<version>_x64.dmg             KaleidoSwap_<version>_x64.dmg.asc
Linux (AppImage)      KaleidoSwap_<version>_amd64.AppImage      KaleidoSwap_<version>_amd64.AppImage.asc
Linux (DEB)           KaleidoSwap_<version>_amd64.deb           KaleidoSwap_<version>_amd64.deb.asc
Windows               KaleidoSwap_<version>_x64-setup.msi       KaleidoSwap_<version>_x64-setup.msi.asc

3. Verify the Signature

Run gpg --verify with the signature file first, then the binary. (If the binary sits in the same directory and has the signature's name minus the .asc suffix, you can pass only the .asc file and gpg will locate the binary itself.)
gpg --verify KaleidoSwap_0.3.2_aarch64.dmg.asc \
             KaleidoSwap_0.3.2_aarch64.dmg

4. Read the Output

A good verification looks like this:
gpg: Signature made Mon 10 Nov 2025 21:30:00 UTC
gpg:                using RSA key 9EE396C0452755F0
gpg: Good signature from "Walter (Kaleidoswap Developer) <walter@kaleidoswap.com>"
If you see "BAD signature" or "No public key", do not install the file. Download a fresh copy from the official GitHub Releases page and try again. If the problem persists, open a GitHub Issue or reach out on Telegram.
The gpg warning "This key is not certified with a trusted signature!" is expected unless you have explicitly set the trust level for this key; it refers to the web of trust, not to the validity of the signature. What matters is the Good signature line together with the key ID on the "using RSA key" line, which must be 9EE396C0452755F0. gpg prints "Good signature" for any key in your keyring, so a Good signature from a different key ID, even one whose user ID shows the same name and e-mail, means the file was not signed by the developer's key and must not be installed.
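The four steps above are meant to be done by hand, but anyone scripting the check (a download helper, a CI job that pulls a release) should not grep gpg's human-readable text. The following is an added example, not part of the KaleidoSwap project: it reads gpg's machine-readable status lines (`gpg --status-fd 1 --verify …`), rejects any BADSIG/ERRSIG/NO_PUBKEY/expired/revoked outcome, and accepts only a GOODSIG whose VALIDSIG fingerprint ends in the key ID given on this page (or equals a full fingerprint you pin). The sample status lines are constructed; `PLACEHOLDER_FPR` is not the developer's real fingerprint, only its last 16 hex digits (the key ID from this page) are real, and the impostor key is invented to show why "Good signature" alone is not enough.

```python
"""Accept or reject a release signature from gpg's machine-readable status output.

Added example, not part of the KaleidoSwap project. gpg --status-fd emits
'[GNUPG:] <KEYWORD> ...' lines intended for programs; checking those, plus the
identity of the signing key, is more reliable than grepping "Good signature".
"""
import subprocess
from dataclasses import dataclass

EXPECTED_KEY_ID = "9EE396C0452755F0"  # long key ID given on this page

# Any of these status words means the file must not be installed.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    uid: str = ""


def judge_status(status_text: str, expected: str = EXPECTED_KEY_ID) -> Verdict:
    """Require GOODSIG + VALIDSIG, no fatal keyword, and a signing key matching
    `expected` (a 16-hex long key ID or a full 40-hex fingerprint)."""
    expected = expected.upper()
    uid = None
    fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter, not a status line
        parts = line.split(" ", 2)  # "[GNUPG:]", keyword, remainder
        keyword = parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if keyword in FATAL:
            return Verdict(False, f"gpg reported {keyword} {rest}".strip())
        if keyword == "GOODSIG":  # GOODSIG <long key id> <user id>
            uid = rest.split(" ", 1)[1] if " " in rest else ""
        elif keyword == "VALIDSIG":  # VALIDSIG <fingerprint> <date> <timestamp> ...
            fpr = rest.split(" ", 1)[0].upper()
    if uid is None or fpr is None:
        return Verdict(False, "no GOODSIG/VALIDSIG in output (missing file or signature?)")
    if len(expected) == 40:
        matched = fpr == expected
    else:
        matched = fpr.endswith(expected)  # long key ID = last 16 hex digits of the fingerprint
    if not matched:
        return Verdict(False, f"good signature, but from key {fpr}, not {expected}", fpr, uid)
    return Verdict(True, "good signature from the expected key", fpr, uid)


def verify_with_gpg(signature: str, binary: str, expected: str = EXPECTED_KEY_ID) -> Verdict:
    """Run gpg for real (needs gpg and the imported key; not exercised by the demo below)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, binary],
        capture_output=True, text=True, check=False,
    )
    return judge_status(proc.stdout, expected)


# --- Constructed sample status output. PLACEHOLDER_FPR is NOT the developer's real
# fingerprint: only its last 16 hex digits (the key ID from this page) are real.
PLACEHOLDER_FPR = "0" * 24 + EXPECTED_KEY_ID
UID = "Walter (Kaleidoswap Developer) <walter@kaleidoswap.com>"
GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {EXPECTED_KEY_ID} {UID}\n"
    f"[GNUPG:] VALIDSIG {PLACEHOLDER_FPR} 2025-11-10 1762810200 0 4 0 1 8 00 {PLACEHOLDER_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # the "not certified" warning; harmless
)
BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {EXPECTED_KEY_ID} {UID}\n"
NO_KEY = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] ERRSIG {EXPECTED_KEY_ID} 1 8 00 1762810200 9 {PLACEHOLDER_FPR}\n"
    f"[GNUPG:] NO_PUBKEY {EXPECTED_KEY_ID}\n"
)
# An invented impostor key carrying the developer's name: gpg still says "Good signature".
IMPOSTOR_ID = "0123456789ABCDEF"
IMPOSTOR_FPR = "F" * 24 + IMPOSTOR_ID
IMPOSTOR = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {IMPOSTOR_ID} {UID}\n"
    f"[GNUPG:] VALIDSIG {IMPOSTOR_FPR} 2025-11-10 1762810200 0 4 0 1 8 00 {IMPOSTOR_FPR}\n"
)

if __name__ == "__main__":
    for label, text in [("good", GOOD), ("bad", BAD), ("no key", NO_KEY), ("impostor", IMPOSTOR)]:
        v = judge_status(text)
        print(f"{label:9s} ok={v.ok}  {v.reason}")
```

Only the impostor case is interesting: gpg reports it as a perfectly good signature, and a script that stops at "Good signature" would install the file. Pinning the expected key (ideally the full fingerprint, once you have confirmed it through a second channel) is what turns "some key signed this" into "the developer's key signed this".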

macOS: Additional Platform Verification

macOS builds are also code-signed with an Apple Developer ID certificate and notarized by Apple. You can verify this independently after installation:
# Check Gatekeeper assessment (apps are assessed with --type execute; --type install is for installer packages)
spctl --assess --verbose=4 --type execute /Applications/KaleidoSwap.app

# Inspect the code signature, including nested code, with strict validation
codesign --verify --deep --strict --verbose=2 /Applications/KaleidoSwap.app
A correctly signed and notarized app is reported by spctl as accepted with source=Notarized Developer ID, and codesign prints "valid on disk" and "satisfies its Designated Requirement" with no errors. To see which certificate signed it, codesign -d --verbose=4 lists Authority= lines, the first of which should be a Developer ID Application certificate.

Optional: SHA256 Checksum

For a quick integrity check without GPG, you can compare checksums. The SHA256 hash for each artifact is listed in the manifest.txt file available as a build artifact on each CI run. Be clear about what this proves: a matching hash shows your download is byte-for-byte what the CI produced, which catches truncated or corrupted downloads, but it does not by itself authenticate the release, because anyone able to swap the binary could publish a matching manifest alongside it. Treat the checksum as a complement to the GPG signature, not a substitute. On Linux, sha256sum produces the same digest as shasum -a 256.
# macOS / Linux
shasum -a 256 KaleidoSwap_0.3.2_aarch64.dmg
# Windows (PowerShell)
Get-FileHash -Algorithm SHA256 KaleidoSwap_0.3.2_x64-setup.msi
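Comparing one hash by eye is fine for a single file; for several platform artifacts it is easier to check them all against the manifest at once. The following is an added example, not KaleidoSwap's own tooling. It assumes manifest.txt uses the plain sha256sum line format ("<64 hex digits>  <filename>"), which this page does not specify, so adjust parse_manifest() if the real file differs. The demo writes constructed stand-in files to a temporary directory: one intact, one with an extra byte appended, and one never downloaded, so all three outcomes are exercised offline.

```python
"""Check downloaded release files against a SHA256 manifest.

Added example, not KaleidoSwap's own tooling. Assumes sha256sum-style manifest
lines "<64 hex digest>  <filename>"; the page does not document manifest.txt's
exact layout, so adapt parse_manifest() if it differs.
"""
import hashlib
import os
import string
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 (installers can be hundreds of MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Return {filename: digest} from sha256sum-style lines; reject malformed ones."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary-mode names with '*'
        if len(digest) != 64 or not all(c in string.hexdigits for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def check_downloads(manifest_text: str, directory: str) -> dict:
    """Map every manifest entry to 'OK', 'MISMATCH' or 'MISSING'.
    Only the basename is used, so a manifest entry cannot point outside `directory`."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "OK"
    return results


def demo() -> dict:
    """Constructed scenario: an intact download, a tampered one, and one never downloaded."""
    intact = b"constructed stand-in for the real KaleidoSwap_0.3.2_aarch64.dmg bytes\n"
    appimage = b"constructed stand-in for the real KaleidoSwap_0.3.2_amd64.AppImage bytes\n"
    manifest = "\n".join([
        "# constructed manifest.txt, digests computed from the stand-in bytes above",
        f"{hashlib.sha256(intact).hexdigest()}  KaleidoSwap_0.3.2_aarch64.dmg",
        f"{hashlib.sha256(appimage).hexdigest()}  KaleidoSwap_0.3.2_amd64.AppImage",
        f"{'0' * 64}  KaleidoSwap_0.3.2_x64-setup.msi",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "KaleidoSwap_0.3.2_aarch64.dmg"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "KaleidoSwap_0.3.2_amd64.AppImage"), "wb") as f:
            f.write(appimage + b"\x90")  # one appended byte stands in for tampering
        # the .msi is deliberately not written: a file that was never downloaded
        return check_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

Run against a real release, you would read manifest.txt and point check_downloads() at your download directory; anything other than OK for the file you intend to install means delete it and download again, and if the mismatch persists after a fresh download, stop and report it rather than retry.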

Troubleshooting

Error                                     Cause                            Fix
No public key                             Developer key not imported       Run the curl … | gpg --import command
BAD signature                             File was modified or corrupted   Re-download from GitHub Releases
Can't check signature: No public key      Key mismatch                     Confirm you imported from github.com/bitwalt.gpg
Good signature, but a different key ID    Wrong key in your keyring        Do not install; re-import from github.com/bitwalt.gpg and report the mismatch
Checksum mismatch                         Partial download or corruption   Delete and re-download the binary
If none of the above resolves the issue, contact the team via GitHub Issues or Telegram.