Monero Wallet Download — Verifying XMR Files Before First Run
The Monero wallet download step is the moment when most preventable problems happen. A wrong file, a tampered binary or a fake build can drain a wallet the first time the seed is typed in. The good news is that Monero ships hashes and signatures, and checking them is a short routine that fits into any first-time setup.
What "Verifying a Download" Means
Two checks are useful before opening any wallet binary:
- Hash check — compare the SHA-256 hash of the file you downloaded with the one published next to the release. Equal hashes mean the bytes match.
- Signature check — verify that the published hash file itself is signed by a known release key. This catches a case where both the binary and the hash list were swapped together.
The hash check alone is enough to catch a bad transfer or a tampered mirror in most cases. Adding the signature check raises the bar: the entire release page would have to be replaced and the key swapped before a fake file could slip through.
Hash Check by Platform
| Platform | Command | Compare against |
|---|---|---|
| Windows | certutil -hashfile file.zip SHA256 | Published hash list |
| macOS | shasum -a 256 file.tar.bz2 | Published hash list |
| Linux | sha256sum file.tar.bz2 | Published hash list |
The output is a long hex string. It either matches the published value character for character or it does not. There is no "almost matches" — a single different character means the file is not the one that was released.
Signature Check in Short
The release ships a hash file plus a detached signature for that hash file. With a GPG client installed and the release signing key imported, the verification looks like this in spirit:
- Import the release signing key into your local GPG keyring.
- Run a verify command against the signature and the hash file.
- Read the output for a "Good signature" line that matches the expected key fingerprint.
If the verification line says "Good signature" with the expected fingerprint, the hash list is authentic. The hash inside it then becomes the value to compare against your downloaded binary.
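The two checks chained together, as an added Python example that is not part of the original page or the Monero project's code. It assumes a `sha256sum`-style hash list (`<hex>  <filename>` per line) and reads gpg's `--status-fd` output; the fingerprint and status lines in the sample are constructed placeholders, and all function names are hypothetical.

```python
import hashlib
import re
import subprocess

# Constructed sample data: a made-up fingerprint and gpg status lines.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2024-01-01 1704067200 0 4 0 1 8 00 {SAMPLE_FPR}\n"
)

def gpg_status(sig_path, hash_list_path):
    """Run gpg on the detached signature; return its status-fd lines."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, hash_list_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def signed_by(status_text, expected_fpr):
    """True only for a good signature made by the expected key."""
    want = expected_fpr.replace(" ", "").upper()
    good, fprs = False, set()
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "GOODSIG"]:
            good = True
        elif parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # Field 3 is the signing (sub)key, the last field the primary key.
            fprs.update({parts[2].upper(), parts[-1].upper()})
    return good and want in fprs

def published_hash(hash_list_text, filename):
    """Return the SHA-256 listed for filename, or None if it is absent."""
    for line in hash_list_text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line.strip())
        if m and m.group(2) == filename:
            return m.group(1).lower()
    return None

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            digest.update(block)
    return digest.hexdigest()

def archive_matches(path, filename, hash_list_text):
    """Whole-string comparison: one differing character is a failure."""
    expected = published_hash(hash_list_text, filename)
    return expected is not None and sha256_file(path) == expected
```

Only trust `archive_matches` when `signed_by(gpg_status(sig, hash_list), fingerprint)` has already returned true for the same hash list, with the fingerprint taken from a source other than the download page itself.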
Storing the Downloaded Files
- Keep the verified archive in a folder that is not shared over cloud sync, at least until first run is complete.
- If the archive is moved between machines, re-run the hash check on the destination — file transfers can corrupt bytes silently.
- After install, the archive itself is not needed for daily use; what matters is the seed of the wallet that the binary helped create.
Red Flags During a Monero Wallet Download
| Signal | What it usually means |
|---|---|
| Hash does not match | Tampered file or broken transfer — do not open it |
| Signature key fingerprint differs | Wrong key imported or fake hash list — re-check the source |
| Installer asks for the seed before any wallet is created | Phishing build — close it |
| Binary is much smaller than the published size | Likely a stub or a dropper — discard |
After the Download — First Run Checklist
- Verify the hash. Then verify the signature if you have GPG ready.
- Open the binary on a machine that is up to date and not shared.
- Create a new wallet, write the 25-word seed on paper, set a long password.
- Pick a node mode. Local for privacy, remote for speed.
- Send a small amount in and out before moving meaningful funds.
Where to Go Next
Pick the section that matches what you are setting up: the desktop notes for a native Monero wallet, the extension notes for a browser-based XMR wallet, or the download notes if you are about to verify a fresh build before first run.