Download & Verify

This guide explains how to download pre-built binaries and verify their integrity using SHA256 checksums and PGP signatures.

Release Artifacts

Each GitHub release includes these assets:

  • Platform-specific binaries named by release tag and OS/arch, for example clementine-cli-<RELEASE_TAG>-<OS>-<ARCH> or clementine-cli-<RELEASE_TAG>-<OS>-<ARCH>.exe.

  • SHA256SUMS file with checksums for all release binaries.

  • SHA256SUMS.asc, the PGP-signed checksum file.

Download the latest release binary for your platform from the Releases page.

Whenever you see placeholders like <RELEASE_TAG>-<OS>-<ARCH> in the commands below, replace them with the values for your download. Example values:

  • <RELEASE_TAG>: v0.1.0-rc.1

  • <OS>: darwin, linux, or windows

  • <ARCH>: aarch64 or x86_64

Example filename: clementine-cli-v0.1.0-rc.1-darwin-aarch64

Download

  • Download the release binary for your platform.

Download verification is optional but strongly recommended. These steps ensure the binaries and checksum files you downloaded are authentic and unmodified.

  • Download SHA256SUMS.

  • Download SHA256SUMS.asc.

  • Keep all three files together in the folder where the release artifacts were downloaded.

Import the Release Signing Key

Only trust a key after validating the full fingerprint out-of-band.

If GPG is not installed, install it before proceeding:

Windows users: the GPG executable path shown in this guide assumes Gpg4win is installed under C:\Program Files\GnuPG\bin\gpg.exe. If your installation uses a different path, update the commands to match your actual location.

References:

macOS/Linux

From a keyserver

Use the fingerprint or key ID with no spaces in the recv-keys command.

Expected output:

  • gpg reports the key was retrieved/imported.

  • The gpg --fingerprint line shows the full fingerprint and matches FINGERPRINTS.md.

From the public key repository

Select a trusted signer from the clementine-cli-builder directory and use that filename as <KEY_FILENAME>. For stronger assurance, verify against multiple trusted signers and compare fingerprints before trusting a key.

Expected output:

  • gpg reports the key was imported.

  • The gpg --fingerprint line shows the full fingerprint and matches FINGERPRINTS.md.

Import all signer keys (optional)

Expected output:

  • gpg reports each key import.

  • The fingerprints you intend to trust match FINGERPRINTS.md.

Windows (PowerShell)

From a keyserver

Command Prompt:

Use the fingerprint or key ID with no spaces in the recv-keys command.

Expected output:

  • gpg reports the key was retrieved/imported.

  • The gpg --fingerprint line shows the full fingerprint and matches FINGERPRINTS.md.

From the public key repository

Select a trusted signer from the clementine-cli-builder directory and use that filename as <KEY_FILENAME>. For stronger assurance, verify against multiple trusted signers and compare fingerprints before trusting a key.

Command Prompt:

Expected output:

  • gpg reports the key was imported.

  • The gpg --fingerprint line shows the full fingerprint and matches FINGERPRINTS.md.

Replace <KEY_FILENAME> with the specific signer key file (for example, ahmet-oguz-engin.pgp) to avoid ambiguity.

Import all signer keys (optional)

Command Prompt:

Expected output:

  • gpg reports each key import.

  • The fingerprints you intend to trust match FINGERPRINTS.md.

The public key repository should contain:

  • Individual .pgp key files under clementine-cli-builder/

  • FINGERPRINTS.md to cross-check expected fingerprints

Verify the Checksum Signature

macOS/Linux

  • Run these commands from the folder where the release artifacts were downloaded.

  • Ensure the trusted signer keys are imported and the fingerprints match FINGERPRINTS.md.

  • Verify the checksum signature:

Windows (PowerShell)

  • Run these commands from the folder where the release artifacts were downloaded:

    • PowerShell: cd $env:USERPROFILE\Downloads

    • Command Prompt: cd %UserProfile%\Downloads

  • Ensure the trusted signer keys are imported and the fingerprints match FINGERPRINTS.md.

  • Verify the checksum signature:

Command Prompt:

Expected output:

  • A line that starts with: gpg: Good signature

  • A fingerprint line that matches one of the trusted fingerprints in FINGERPRINTS.md

Depending on your OS and GPG version, you might not see a Primary key fingerprint: line. Some builds print the fingerprint without a label.

The fingerprint shown by GPG must match one of the trusted fingerprints you validated from FINGERPRINTS.md. If the signer differs from your trusted set, treat it as untrusted and stop.

You may also see warnings:

  • gpg: Can't check signature: No public key means GPG could not verify that signer's signature. If this appears for a signer you already imported, stop and fix the key import. Your download is only verified when you see at least one gpg: Good signature from a trusted signer whose fingerprint matches FINGERPRINTS.md.

  • gpg: WARNING: This key is not certified with a trusted signature! or WARNING: The key's User ID is not certified with a trusted signature! means GPG cannot establish trust. Confirm the fingerprint matches a trusted signer before proceeding.

Proceed only if the signature is valid and the fingerprint matches your trusted key record.

Verify the Binary Checksum

Use the checksum file to verify the binary you downloaded. Follow the section for your OS.

macOS/Linux

From the folder where the release artifacts were downloaded, run:

Expected output:

  • The line for your downloaded file ends with OK (for example: clementine-cli-v0.1.0-rc.1-darwin-aarch64: OK).

To compute a hash directly for auditing or tooling and compare it to the matching line in SHA256SUMS:

Expected output:

  • A single SHA256 hash and filename; it must match the corresponding line in SHA256SUMS.
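
The two macOS/Linux checks above (a good signature from a trusted fingerprint, then a matching checksum) can be scripted so that neither is skipped. This is an added example, not part of the project's documentation or tooling: it assumes SHA256SUMS.asc is a detached signature over SHA256SUMS, that the signer keys are already imported, and that trusted.txt (a hypothetical file name, like the function names) holds the full fingerprints you validated against FINGERPRINTS.md, one per line with no spaces.

```sh
#!/bin/sh
# Added example (not project code). Assumes a detached signature
# SHA256SUMS.asc over SHA256SUMS and already-imported signer keys.

# Print primary-key fingerprints that made a good signature AND are trusted.
# $1: text from `gpg --status-fd 1 --verify`   $2: trusted fingerprints file
trusted_signers() {
    printf '%s\n' "$1" | awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1; next }
        # Bad, unverifiable, expired or revoked: do not count the signature.
        $2 ~ /^(NEWSIG|BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { good = 0; next }
        # The last VALIDSIG field is the primary key fingerprint.
        $2 == "VALIDSIG" { if (good) print $NF; good = 0 }
    ' | grep -ixF -f "$2"    # whole-line match on the full fingerprint
}

# Succeed only if the file's SHA-256 equals its entry in the checksum file.
# $1: file name as listed in SHA256SUMS   $2: path to SHA256SUMS
checksum_matches() {
    # Lines look like "<hex>  <name>"; "*" before the name marks binary mode.
    want=$(awk -v f="$1" '$2 == f || $2 == ("*" f) { print $1; exit }' "$2")
    [ -n "$want" ] || return 1    # not listed: fail closed
    if command -v sha256sum >/dev/null 2>&1; then
        have=$(sha256sum "$1")
    else
        have=$(shasum -a 256 "$1")    # macOS
    fi
    [ "${have%% *}" = "$want" ]
}

# $1: binary name   $2: trusted fingerprints file. Run in the download folder.
verify_release() {
    status=$(gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null) || true
    signers=$(trusted_signers "$status" "$2") || {
        echo "no good signature from a trusted fingerprint" >&2; return 1; }
    checksum_matches "$1" SHA256SUMS || {
        echo "checksum mismatch or file not listed: $1" >&2; return 1; }
    echo "verified $1; signed by:" $signers
}

# Usage: sh verify.sh clementine-cli-<RELEASE_TAG>-<OS>-<ARCH> trusted.txt
if [ "$#" -eq 2 ]; then verify_release "$@"; fi
```

Parsing the machine-readable status lines instead of the human-readable output avoids depending on whether a given GPG build prints a labelled fingerprint line, and a signature from an expired or revoked key is not counted even though GPG still reports it as cryptographically valid.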

Windows (PowerShell)

From the folder where the release artifacts were downloaded, run:

Expected output:

  • True when the checksum matches.

Windows (Command Prompt)

From the folder where the release artifacts were downloaded, run:

Expected output:

  • The SHA256 value from certutil matches the corresponding line in SHA256SUMS (compare every character).

Windows (PowerShell) - Direct Hash

To compute a hash directly for auditing or tooling and compare it to the matching line in SHA256SUMS:

Expected output:

  • The Hash value matches the corresponding line in SHA256SUMS.

Rename and Run

For easier usage, rename the binary to clementine-cli and ensure it is executable. On macOS/Linux, use ./ because the current directory is not in PATH by default, or add the directory containing the binary to your PATH for global access.

macOS/Linux

Windows (PowerShell)

Windows (Command Prompt)
