Verification Guide
About
This guide lets you confirm that your deployed build is authentic and untampered:
- A checksum (SHA-256) proves the files weren’t altered.
- A digital signature (ECDSA secp256k1) proves the checksum was issued by the original author.
Verification has three steps:
- Compute a checksum over the core build files.
- Compare it with the expected checksum published with the release.
- Optionally verify the author’s signature over that checksum.
Files involved
- public/build.manifest.json - the manifest file with the ordered list of core asset paths.
The checksum is computed by concatenating the bytes of files in the order listed in coreBuildFiles.json. Don’t reorder this list.
Quick verification (browser console)
1. Open Developer Tools
- Windows/Linux: Ctrl+Shift+J
- macOS: Cmd+Option+J
2. Compute the Checksum
- Copy and paste the following script into the console:
async function computeChecksum() {
  // Ordered list of core asset paths copied from the manifest; do not reorder.
  const coreBuildFiles = /* paste file paths here */;
  const buildPath = "/build.manifest.json";

  // Fetch every core file; Promise.all keeps the results in list order.
  const responses = await Promise.all(coreBuildFiles.map((file) => fetch(file)));
  let totalLength = 0;
  const fileBuffers = await Promise.all(
    responses.map(async (response) => {
      // Do not hash an error page in place of a missing asset.
      if (!response.ok) {
        throw new Error(`Failed to fetch ${response.url}: HTTP ${response.status}`);
      }
      const fileBuffer = await response.arrayBuffer();
      const bytes = new Uint8Array(fileBuffer);
      totalLength += bytes.length;
      return bytes;
    })
  );

  // Concatenate the file bytes in order.
  const concatenated = new Uint8Array(totalLength);
  let offset = 0;
  for (const fileBuffer of fileBuffers) {
    concatenated.set(fileBuffer, offset);
    offset += fileBuffer.length;
  }

  // SHA-256 over the concatenation, encoded as lowercase hex.
  const hashBuffer = await crypto.subtle.digest('SHA-256', concatenated);
  const checksum = Array.from(new Uint8Array(hashBuffer))
    .map((b) => b.toString(16).padStart(2, '0'))
    .join('');

  // Compare with the published checksum; an empty manifest counts as a failure.
  const buildManifest = await (await fetch(buildPath)).json();
  if (!buildManifest || checksum !== buildManifest.checksum) {
    alert("Checksum integrity check failed");
    const header = document.createElement('h1');
    header.textContent = 'Critical integrity check failed';
    header.classList.add('text-text-error-1', 'text-3xl', 'font-normal', 'leading-9', 'text-center', 'mt-10');
    document.body.replaceChildren(header);
    return;
  }
  console.log(checksum);
  alert("Checksum integrity check successful");
}
computeChecksum();
- Copy the content from the online manifest file, which includes all the core asset paths.
- Replace the /* paste file paths here */ placeholder in the script above with the copied content.
- Press Enter.
3. Wait for the Result
The script will fetch all files and compute the checksum.
4. Interpret the result
You can find the expected checksum in the checksum field of the build.manifest.json file:
- ✅ If the result matches, your copy is authentic.
- ❌ If it does not match, see Troubleshooting below.
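An offline counterpart to the browser check, added here as an example (not the Extra Wallet project's code): Node.js recomputes the checksum from a local copy of the build and treats a missing file or malformed manifest as a failed check. The names `verifyBuild`, `diskReader` and `memoryReader`, and the sample files, are hypothetical; the ordered path list is passed in separately, exactly as published.

```javascript
const { createHash } = require("node:crypto");
const fs = require("node:fs");
const path = require("node:path");

// Hash files in list order. Updating one running SHA-256 per file yields the
// same digest as hashing the concatenated bytes, without buffering the build.
function computeChecksum(orderedPaths, readBytes) {
  if (!Array.isArray(orderedPaths) || orderedPaths.length === 0) {
    throw new Error("core file list is empty or not an array");
  }
  const hash = createHash("sha256");
  for (const p of orderedPaths) hash.update(readBytes(p)); // reader throws if missing
  return hash.digest("hex");
}

// Fail closed: a malformed manifest or an unreadable file is a failed check.
function verifyBuild(manifest, orderedPaths, readBytes) {
  const expected = String((manifest && manifest.checksum) || "").toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(expected)) {
    return { ok: false, reason: "manifest has no valid SHA-256 checksum" };
  }
  try {
    const actual = computeChecksum(orderedPaths, readBytes);
    if (actual === expected) return { ok: true, actual };
    return { ok: false, reason: "checksum mismatch", actual };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Reader for a local copy of the build; rejects paths that escape rootDir.
function diskReader(rootDir) {
  const root = path.resolve(rootDir);
  return (p) => {
    const full = path.resolve(root, "./" + p);
    if (!full.startsWith(root + path.sep)) throw new Error(`path escapes build dir: ${p}`);
    return fs.readFileSync(full);
  };
}

// Constructed sample build (hypothetical paths and contents, not real assets).
const SAMPLE = new Map([
  ["/index.html", Buffer.from("<!doctype html>\n")],
  ["/assets/app.js", Buffer.from("console.log('app');\n")],
]);
const memoryReader = (files) => (p) => {
  if (!files.has(p)) throw new Error(`missing file: ${p}`);
  return files.get(p);
};
```

For a downloaded copy, call `verifyBuild(manifest, paths, diskReader(dir))`, where `dir` is the folder the files were saved to with the same relative paths.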
Optional: verify the author’s signature
This confirms that the published checksum was signed by the original author.
- Open a secp256k1 ECDSA verification tool (e.g., any offline verifier you trust).
- Curve: secp256k1.
- Provide:
  - Message: the checksum from build.manifest.json file
  - Signature: the signature from build.manifest.json file
  - Public key: bc24... (author’s public key)
- Click Verify.
  - ✅ Valid — checksum was signed by the author.
  - ❌ Invalid — do not trust the build.
Troubleshooting
- Mismatch
  - Ensure you’re on the official domain over HTTPS.
  - Hard refresh (Ctrl/Cmd+Shift+R) to bypass cache.
  - Temporarily disable extensions/proxies/VPN that may rewrite responses.
  - Clear browser cache and retry.
  - Make sure the coreBuildFiles.json content hasn’t changed and the order is intact.
- Service Worker interference
  - Open DevTools → Application → Service Workers → Update/Unregister, then reload.
Security notes
- Only run verification on the official site.
- The script reads assets and computes a hash; it does not exfiltrate secrets.
- The checksum alone proves integrity, while the signature proves authenticity of the publisher.
Developer Info
- Built and maintained by the Extra Wallet team.
- Source: Extra Wallet