How to Verify - XMR-Miner

Why Verify?

Verifying downloads ensures:

This is especially important for security-sensitive applications like cryptocurrency software.

We provide two verification methods:

SHA256 Checksum: Verifies the file matches the expected hash
GPG Signature: Cryptographically proves the file was signed by the developer

Using both methods provides the strongest assurance.

Download SHA256SUMS from this website.

sha256sum xmr-miner-v1.0.0.apk

Get-FileHash xmr-miner-v1.0.0.apk -Algorithm SHA256

sha256sum /sdcard/Download/xmr-miner-v1.0.0.apk

The output should match the hash in the SHA256SUMS file exactly. If it doesn't match, do not install the APK.

Important: If the checksum doesn't match, the file may be corrupted or tampered with. Re-download from the official website or report the issue.

GPG verification is stronger than checksum verification because it proves the file was signed with the developer's private key.

sudo apt install gnupg  # Debian/Ubuntu
sudo dnf install gnupg  # Fedora

brew install gnupg

Download and install Gpg4win.

curl -O https://xmr-miner.com/pubkey.asc
gpg --import pubkey.asc

You should see output indicating the key was imported:

gpg: key ABCD1234: public key "XMR-Miner <[email protected]>" imported

Download signature.asc from this website.

gpg --verify signature.asc xmr-miner-v1.0.0.apk

A valid signature shows:

gpg: Good signature from "XMR-Miner <[email protected]>"

An invalid or missing signature shows:

gpg: BAD signature from "XMR-Miner <[email protected]>"

If verification fails: Do not install the APK. The file may have been tampered with.

To verify you have the correct public key, check its fingerprint:

gpg --fingerprint [email protected]

The fingerprint should be:

XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX

(Actual fingerprint will be published when the key is generated)

For maximum security, you can build the APK from source code: