notzero ← Home

Verify your download

Confirm the notzero you downloaded is the real one — by checking its fingerprint against a record we committed to the Bitcoin blockchain itself.

Every release, we publish a SHA256SUMS file listing the exact SHA-256 hash (a unique fingerprint) of each download, and we timestamp that file onto the Bitcoin blockchain with OpenTimestamps. That gives you two things you can check yourself:

Where the risk actually is: your first download

Nearly all of the risk sits in one place — the very first copy you install. That's the one moment you're trusting bytes pulled off the internet, so it's the moment worth verifying. The steps below take about a minute.

After that, the trust is largely behind you. Every update is automatically integrity-checked before it installs, and notzero is moving to verify each update against your own Bitcoin node — so once you hold a genuine copy, you never have to trust our servers again. Get the first download right, and the rest takes care of itself.

The two files you'll need (always fetch these from us, over HTTPS):

dl.getnotzero.com/SHA256SUMS — the checksum list
dl.getnotzero.com/SHA256SUMS.ots — its Bitcoin timestamp proof

1. Check the fingerprint (30 seconds, no tools to install)

Compute the SHA-256 of the file you downloaded, then make sure it appears in SHA256SUMS. Run the line for your system in the folder where the download landed:

macOS
shasum -a 256 notzero-mac.dmg
Windows (PowerShell)
Get-FileHash notzero-win.exe -Algorithm SHA256
Linux
sha256sum notzero-linux.AppImage

Open SHA256SUMS and confirm the hash you got matches the one next to your filename. If they match, the bytes you have are exactly the bytes we published. On Linux/macOS you can also let the tool do the compare for you (with SHA256SUMS saved next to the download):

sha256sum -c SHA256SUMS      # Linux
shasum -a 256 -c SHA256SUMS  # macOS

✓ A matching hash means your download wasn't corrupted or swapped in transit.

2. Verify it against the Bitcoin blockchain

Step 1 proves your file matches the SHA256SUMS we serve. This step proves that SHA256SUMS is the one we actually published at release time — because its hash is timestamped in a Bitcoin block that nobody can rewrite. Install the OpenTimestamps client once:

pip install opentimestamps-client

Then, with SHA256SUMS and SHA256SUMS.ots in the same folder:

ots verify SHA256SUMS.ots

It reports the Bitcoin block and date the checksums were stamped into. That timestamp lives on the blockchain, independent of this website — so even if our servers were compromised, the on-chain record of the real release can't be forged.

Just released? For the first few hours a fresh proof reads as a pending calendar attestation while it's being batched into a Bitcoin transaction; ots verify resolves it automatically once the block confirms.

3. Trust no one — verify with your own node

This is the part we're proudest of. If you run a Bitcoin node — including the one notzero runs for youots verify checks the proof against your node's own copy of the blockchain, which your node independently validated. No block explorer, no third party. Your node becomes the judge.

And because the proof only needs block headers, an ordinary pruned node (like notzero's) is enough — you don't need a full archival copy of the chain.

notzero will soon do this automatically, in-app: check each build against your node before trusting it, and gate updates on that check. This page is the manual version of the same idea.

What this does and doesn't protect

This is tamper-evidence and independent verification — it lets you (and your node) confirm a download matches an immutable on-chain record. It's a genuine, honest signal, not a magic guarantee: