Latest release: 1.2.0 Previous releases and changelog
|Windows Installer (7+)||Sparrow-1.2.0.exe|
|Windows Standalone (7+)||Sparrow-1.2.0.zip|
Verifying the Release
For Bitcoin wallets, it’s particularly important to verify the release. In order to do so, you’ll need to have gpg or gpg2 installed on your system. Once you’ve obtained gpg, you’ll first need to import the keys that have signed this release (if you haven’t done so already):
curl https://keybase.io/craigraw/pgp_keys.asc | gpg --import
Once you have the required PGP keys, you can verify the release. Download sparrow-1.2.0-manifest.txt and sparrow-1.2.0-manifest.txt.asc from the table above to the same directory. Then verify the manifest file with:
gpg --verify sparrow-1.2.0-manifest.txt.asc
You should see the following if the verification was successful:
gpg: assuming signed data in 'sparrow-1.2.0-manifest.txt' gpg: Signature made Thu Feb 25 12:42:26 2021 SAST gpg: using RSA key D4D0D3202FC06849A257B38DE94618334C674B40 gpg: Good signature from "Craig Raw <email@example.com>" [ultimate]
Note that you may get a message similar to the following:
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
This simply means that you have not explicitly marked the public key as trusted in your own instance of GPG. In this case it is good practice to check the key against other sources, for example https://keybase.io/craigraw (click on the link next to the key icon to see the full public key). You can read more about validating keys in the GnuPG Privacy Handbook.
You have now verified the signature of the manifest file, which ensures integrity and authenticity of the manifest file - not the binaries! Next, depending on your operating system, you must re-compute the sha256 hash of the archive with
shasum -a 256 <filename>, compare it with the corresponding one in the manifest file, and ensure they match exactly.
> shasum --check sparrow-1.2.0-manifest.txt Sparrow-1.2.0.dmg: OK ... (ignore missing files)
> sha256sum --check sparrow-1.2.0-manifest.txt --ignore-missing sparrow_1.2.0-1_amd64.deb: OK
> CertUtil -hashfile Sparrow-1.2.0.exe SHA256 | findstr /v "hash" Compare result to the appropriate value in sparrow-1.2.0-manifest.txt!
With all these steps complete you can be certain of the integrity of your download and can proceed to install!
Sparrow should be installed as normal for your operating system.
Note that on QubesOS, you will need to run the following command first:
sudo mkdir /usr/share/desktop-directories/