# Verify Binary Downloads

> How to verify the authenticity of KaleidoSwap Desktop App binaries using GPG detached signatures

Security is critical when installing software that handles your Bitcoin. Every KaleidoSwap release binary is individually GPG-signed by the developer using a hardware security key (YubiKey). The private key never leaves the hardware token.

macOS builds additionally carry an **Apple Developer ID signature and Apple notarization**, so they install without any security warnings.

## Why Verify Downloads?

Verifying a binary before installing ensures:

* The file was produced and signed by the KaleidoSwap developers
* The file was not tampered with or corrupted in transit
* No malicious code was injected after the build

## How It Works

After each release, the CI publishes the binaries to the GitHub Releases page. The developer then runs `scripts/sign-release.sh` locally (with the YubiKey inserted), which:

1. Downloads every release asset from GitHub
2. Creates a detached GPG signature (`<binary>.asc`) for each one
3. Verifies all signatures locally
4. Uploads the `.asc` files back to the same release

You can find both the binaries and their `.asc` signatures on the [Releases page](https://github.com/kaleidoswap/desktop-app/releases).

## Prerequisites

* **GPG** (GNU Privacy Guard) installed on your system
* The KaleidoSwap binary you want to verify
* The corresponding `.asc` signature file from the same release

<CodeGroup>
  ```sh macOS (Homebrew) theme={null}
  brew install gnupg
  ```

  ```sh Debian / Ubuntu theme={null}
  sudo apt install gnupg
  ```

  ```sh Windows (Gpg4win) theme={null}
  # Download from https://gpg4win.org
  ```
</CodeGroup>

## Verification Steps

### 1. Import the Developer's Public Key

This is a one-time step. Import the KaleidoSwap developer's public GPG key directly from GitHub:

```sh theme={null}
curl -s https://github.com/bitwalt.gpg | gpg --import
```

You can verify the key fingerprint after importing:

```sh theme={null}
gpg --fingerprint walter@kaleidoswap.com
```

The key ID you will see in signature output is `9EE396C0452755F0`.

### 2. Download the Binary and Its Signature

From the [Releases page](https://github.com/kaleidoswap/desktop-app/releases), download your platform binary **and** the matching `.asc` file — both must be in the same directory.

| Platform            | Binary                                 | Signature                                  |
| ------------------- | -------------------------------------- | ------------------------------------------ |
| macOS Apple Silicon | `KaleidoSwap_<version>_aarch64.dmg`    | `KaleidoSwap_<version>_aarch64.dmg.asc`    |
| macOS Intel         | `KaleidoSwap_<version>_x64.dmg`        | `KaleidoSwap_<version>_x64.dmg.asc`        |
| Linux (AppImage)    | `KaleidoSwap_<version>_amd64.AppImage` | `KaleidoSwap_<version>_amd64.AppImage.asc` |
| Linux (DEB)         | `KaleidoSwap_<version>_amd64.deb`      | `KaleidoSwap_<version>_amd64.deb.asc`      |
| Windows             | `KaleidoSwap_<version>_x64-setup.msi`  | `KaleidoSwap_<version>_x64-setup.msi.asc`  |

### 3. Verify the Signature

Run `gpg --verify` with the signature file first, then the binary:

<CodeGroup>
  ```sh macOS (Apple Silicon) theme={null}
  gpg --verify KaleidoSwap_0.3.2_aarch64.dmg.asc \
               KaleidoSwap_0.3.2_aarch64.dmg
  ```

  ```sh macOS (Intel) theme={null}
  gpg --verify KaleidoSwap_0.3.2_x64.dmg.asc \
               KaleidoSwap_0.3.2_x64.dmg
  ```

  ```sh Linux theme={null}
  gpg --verify KaleidoSwap_0.3.2_amd64.AppImage.asc \
               KaleidoSwap_0.3.2_amd64.AppImage
  ```

  ```powershell Windows theme={null}
  gpg --verify KaleidoSwap_0.3.2_x64-setup.msi.asc `
               KaleidoSwap_0.3.2_x64-setup.msi
  ```
</CodeGroup>

### 4. Read the Output

A **good** verification looks like this:

```
gpg: Signature made Mon 10 Nov 2025 21:30:00 UTC
gpg:                using RSA key 9EE396C0452755F0
gpg: Good signature from "Walter (Kaleidoswap Developer) <walter@kaleidoswap.com>"
```

<Warning>
  If you see **"BAD signature"** or **"No public key"**, do not install the file. Download a fresh copy from the official [GitHub Releases](https://github.com/kaleidoswap/desktop-app/releases) page and try again. If the problem persists, open a [GitHub Issue](https://github.com/kaleidoswap/desktop-app/issues) or reach out on [Telegram](https://t.me/kaleidoswap).
</Warning>

The `gpg` warning *"This key is not certified with a trusted signature!"* is expected unless you have explicitly set the trust level for this key. The `Good signature` line, made with key `9EE396C0452755F0`, is what matters.
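An added example, not code from the KaleidoSwap project: the POSIX shell script below wraps the same `gpg --verify` call but reads gpg's machine-readable `--status-fd` lines and accepts a binary only when the `VALIDSIG` line is from key `9EE396C0452755F0`. A `Good signature` from any other key that happens to be in your keyring, or any `BADSIG` / `NO_PUBKEY`, is refused. It assumes the binary and its `.asc` sit in the current directory, as in the steps above; the script file name is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the KaleidoSwap project.
# Usage: sh verify-release.sh KaleidoSwap_0.3.2_amd64.AppImage
# Accepts the file only if the detached .asc signature was made by the
# expected key, not merely by *some* key that happens to be in your keyring.
set -u

# Long key ID from the docs; it is the last 16 hex digits of the signing
# key's fingerprint as printed by `gpg --fingerprint`.
EXPECTED_KEYID="9EE396C0452755F0"

# check_gpg_status STATUS_TEXT EXPECTED_KEYID
# STATUS_TEXT is the output of `gpg --status-fd 1 --verify`. Returns 0 only
# when a VALIDSIG line names the expected key; BADSIG, NO_PUBKEY, ERRSIG,
# an expired or revoked key, or a foreign signer all fail closed.
check_gpg_status() {
    status="$1"; want="$2"
    if printf '%s\n' "$status" |
        grep -qE '^\[GNUPG:\] (BADSIG|NO_PUBKEY|ERRSIG|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    # VALIDSIG field 3 is the 40-hex fingerprint of the (sub)key that signed;
    # its last 16 digits are what gpg prints as "using RSA key ...".
    got=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print substr($3, length($3) - 15); exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_release BINARY  (expects BINARY and BINARY.asc in the current dir)
verify_release() {
    bin="$1"; sig="$1.asc"
    if [ ! -f "$bin" ] || [ ! -f "$sig" ]; then
        echo "missing $bin or $sig" >&2
        return 1
    fi
    # --status-fd 1 sends [GNUPG:] lines to stdout; the human-readable
    # "Good signature from ..." text still appears on stderr.
    out=$(gpg --batch --status-fd 1 --verify "$sig" "$bin") || true
    check_gpg_status "$out" "$EXPECTED_KEYID"
}

if [ "$#" -gt 0 ]; then
    if verify_release "$1"; then
        echo "OK: $1 is signed by key $EXPECTED_KEYID"
    else
        echo "REFUSED: do not install $1" >&2
        exit 1
    fi
fi
```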

## macOS: Additional Platform Verification

macOS builds are also code-signed with an Apple Developer ID certificate and notarized by Apple. You can verify this independently after installation:

```sh theme={null}
# Check Gatekeeper assessment (type "execute" is the assessment for an app bundle;
# "install" is for installer packages)
spctl --assess --verbose=4 --type execute /Applications/KaleidoSwap.app

# Inspect the code signature
codesign --verify --verbose=2 /Applications/KaleidoSwap.app
```

A correctly signed and notarized app will show `accepted` from `spctl` and no errors from `codesign`.

## Optional: SHA256 Checksum

For a quick integrity check without GPG, you can compare checksums. The SHA256 hash for each artifact is listed in the `manifest.txt` file available as a build artifact on each CI run.

```sh theme={null}
# macOS / Linux
shasum -a 256 KaleidoSwap_0.3.2_aarch64.dmg
```

```powershell theme={null}
# Windows (PowerShell)
Get-FileHash -Algorithm SHA256 KaleidoSwap_0.3.2_x64-setup.msi
```

## Troubleshooting

| Error                                  | Cause                          | Fix                                                |
| -------------------------------------- | ------------------------------ | -------------------------------------------------- |
| `No public key`                        | Developer key not imported     | Run the `curl … \| gpg --import` command           |
| `BAD signature`                        | File was modified or corrupted | Re-download from GitHub Releases                   |
| `Can't check signature: No public key` | Key mismatch                   | Confirm you imported from `github.com/bitwalt.gpg` |
| Checksum mismatch                      | Partial download or corruption | Delete and re-download the binary                  |

If none of the above resolves the issue, contact the team via [GitHub Issues](https://github.com/kaleidoswap/desktop-app/issues) or [Telegram](https://t.me/kaleidoswap).
