
Verify integrity of downloads

Validating downloads makes sure you have what the developers released, and that you are not installing fake or malware-infected software.

About checksums

While compiling from source is the recommended and most secure way to build the Rhombus platform, the team realizes this is an advanced technique that a large number of users aren’t comfortable with. For most users, each release is distributed with source code and pre-compiled distributions for Windows, Mac & Linux.

To ensure the highest level of security, the Rhombus Project team provides sha256sums for all of these releases.

Each checksum is a hash of the download file, used to verify that nothing has been added or taken away, either in transit or by a third party. SHA-256 is a hash function, not encryption: every computer generates the same hash for the same file, and a file that has been altered in any way generates a different hash.

It is recommended to always validate the Rhombus build releases with the provided sha256sums.

Validating checksums

There are a number of hash generators online; this tutorial uses Hash Online Convert:

  1. Download your preferred Rhombus release from GitHub, e.g. the Windows client
  2. Visit Hash Online Convert
  3. Find the "Or upload and generate a SHA-256 checksum of a file:" section
  4. Select the Choose File button
  5. Find the downloaded Rhombus release file
  6. Select the Open button
  7. Select the Convert file button
  8. Hash converter: the file is submitted to the website, which loads a new page showing “Your hash has been successfully generated.” This page shows the hash of the uploaded file in a variety of output formats: hex, HEX, h:e:x and base64. The value to look for is hex:
659567323348e7240642629ea6356ded7246589acb37d3d02f8eade3f2e2d15e

Most Linux distributions come with the sha256sum utility by default (beginner hint: only copy the code after “$”):

  1. Download the latest Linux release from GitHub (replace the version number in the URL with the current version number, if newer):
$ cd ~/Downloads
$ wget https://github.com/rhombus-project/rhombus-core/releases/download/v0.20.99.1/rhombus-0.20.99.1-x86_64-linux-gnu.tar.gz
  2. Run sha256sum on the downloaded file:
$ sha256sum rhombus-0.20.99.1-x86_64-linux-gnu.tar.gz
sha256sum hash result: 5545cb7f2364ab773f3228ea1f0283fd389cc2ea43a886eb27d114f96ac54762

Compare checksums

Once you have the hash of your downloaded file, visit the release page of your downloaded Rhombus wallet on GitHub.

Find the version you’ve downloaded and compare the checksum on your PC with the one published on GitHub.

Ensure both checksums are identical before installing the software!

If the checksums don't match, you have a bad or malicious download and you shouldn't install the wallet!
If this happens, make absolutely sure you're checking the right version and the correct variant for your OS.
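
The compare step above can be scripted so the two values are not matched by eye. This is an added example, not part of the original wiki page or the Rhombus project; the function name verify_sha256 and its return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Rhombus project code).
# verify_sha256 FILE EXPECTED_HEX
#   returns 0 if the file's SHA-256 matches the published value,
#           1 on mismatch, 2 if the input itself is unusable.
verify_sha256() {
    file=$1
    # Normalise the published value: strip whitespace from copy/paste and
    # lowercase it, so the "HEX" output of an online tool compares equal
    # to the lowercase "hex" form that sha256sum prints.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # A SHA-256 digest is exactly 64 hex characters. Reject anything else
    # so a truncated paste is reported as an error, not silently compared.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 characters" >&2; return 2; }

    # Hash from stdin so the output is always "<hash>  -", whatever the
    # file is called. sha256sum on Linux; shasum -a 256 as a fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum < "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 < "$file" | cut -d' ' -f1)
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Run as a script: sh verify.sh <downloaded file> <checksum from release page>
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

A non-zero exit status means the download must not be installed; status 2 means the pasted checksum or file path should be re-checked first.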
