Bitcoin Basics · Lesson 9

Bitcoin Attestation Guide: Verify Hardware Wallets and Software in 2026

Bitcoin.diy Editorial

You just received a hardware wallet in the mail. Or you just downloaded a Bitcoin wallet app. In both cases, the same question applies: how do you know what you received is authentic and unmodified?

This isn't paranoia. Supply chain attacks targeting Bitcoin users are documented and ongoing. A compromised hardware wallet could generate addresses controlled by an attacker. Fake wallet software could steal your seed phrase the moment you type it. Verification is the last line of defense before you trust a device or software with your funds.

This guide covers two categories of verification:

  1. Hardware wallet attestation — verifying that your physical device is genuine, unmodified, and from the legitimate manufacturer
  2. Software verification — confirming that downloaded Bitcoin software matches what the developers released, using GPG signatures and SHA256 checksums

Both take 10–15 minutes. Both can prevent total loss of funds.

Key Takeaways

  • Supply chain attacks can compromise hardware wallets or software during manufacturing, shipping, or download
  • Coldcard has a built-in attestation feature that cryptographically proves the device is genuine factory hardware
  • Blockstream Jade includes supply chain verification through a server-side challenge-response at first boot
  • Always buy hardware wallets directly from manufacturers — never from third-party marketplaces like Amazon or eBay
  • GPG signatures prove software was signed by the actual developer's private key
  • SHA256 checksums confirm your downloaded file hasn't been altered in transit
  • Use both methods together for maximum assurance — each catches different attack vectors

Part 1: Hardware Wallet Attestation

Hardware wallets are high-value targets. An attacker who intercepts a device during shipping — or introduces a counterfeit into the supply chain — can compromise your funds before you ever plug the device in. Hardware wallet attestation is the process of verifying that your physical device is exactly what the manufacturer shipped.

Physical Inspection: Your First Check

Before powering on any new hardware wallet, inspect the packaging:

Check tamper-evident seals. Most hardware wallets ship with holographic stickers or tamper-evident packaging. Look for:

  • Intact holographic seals on the box
  • Unbroken factory seals on the device itself
  • No evidence of resealing, adhesive residue, or repackaged bags

Inspect the device carefully.

  • No scratches, marks, or signs of opening
  • Ports and connectors look factory-fresh
  • Screen activates correctly on first boot (no pre-loaded wallets)

Verify the seed phrase generation. A legitimate hardware wallet generates your seed phrase on the device itself during initial setup. If a device arrives with a pre-written seed phrase in the box, do not use it. This is a known scam. Legitimate manufacturers never pre-generate seed words.

Physical inspection alone isn't sufficient — sophisticated attacks can repackage devices cleanly. This is why cryptographic attestation exists.

Coldcard: Built-In Bag Attestation

Coldcard — manufactured by Coinkite — is the gold standard for hardware wallet security, and it includes a built-in attestation system that cryptographically proves your device is genuine factory hardware.

How Coldcard attestation works:

Every Coldcard is manufactured with a unique private key burned into the secure element during production. The corresponding public key is registered with Coinkite. When you run the attestation check, the device signs a challenge with its private key. Coinkite's server verifies the signature against their production registry.

Running attestation on Coldcard:

  1. Power on your Coldcard (without a SIM card or existing wallet)
  2. Navigate to: Advanced → Perform Bag Number Check
  3. The device displays a QR code and bag number
  4. Scan the QR code with your phone — it links to Coinkite's attestation server
  5. The server verifies the device's cryptographic signature
  6. You receive a "Genuine Coldcard" confirmation or a failure message

If attestation fails, contact Coinkite support immediately and do not use the device.

Additional Coldcard verification:

  • Check that the bag number on the device matches the anti-tamper bag it shipped in
  • Verify the firmware version displayed at boot matches the latest official release on coinkite.com

Coldcard is available directly from Coinkite at coldcard.com. Do not purchase from third-party marketplaces.

Blockstream Jade: Supply Chain Verification

Blockstream Jade takes a different approach to attestation: a server-side challenge-response protocol that activates at first boot.

How Jade supply chain verification works:

Jade uses an "anti-exfil" signing protocol and requires connection to Blockstream's attestation server during initial setup. The server verifies that:

  • The device's hardware matches Blockstream's production records
  • The firmware signature is valid and signed by Blockstream's keys
  • No unauthorized modifications have been made to the firmware

Running Jade supply chain verification:

  1. Connect Jade to Blockstream Green (the companion app) during initial setup
  2. Jade automatically contacts Blockstream's attestation server
  3. A challenge is sent to the device; the device responds with a cryptographic proof
  4. The server confirms the device is genuine
  5. Setup proceeds only if verification passes

If you're setting up Jade in a fully air-gapped configuration (using QR codes only), the attestation process happens during the first connection — ensure you complete it before relying on the device for real funds.

Jade is available directly from Blockstream at blockstream.com. Note: Jade is the only hardware wallet in this price range with built-in supply chain verification.

Other Hardware Wallets: What to Check

For hardware wallets without built-in attestation (Trezor, Ledger, Foundation Passport, etc.), verification focuses on:

Firmware signature verification:

  • Before or during setup, verify the device's installed firmware against the manufacturer's official signed release
  • Trezor Suite and Ledger Live perform automatic firmware signature checks
  • Foundation Passport verifies firmware signatures on every boot using keys stored in the device

Official channels only:

  • Buy directly from the manufacturer's website
  • If buying from an authorized reseller, verify they appear on the manufacturer's official reseller list
  • Never buy from Amazon, eBay, Facebook Marketplace, or other third-party platforms — even "sealed" listings can be compromised

First boot behavior:

  • Device should require you to create a new wallet or restore from seed
  • No pre-existing wallet should be present
  • Seed phrase generation should happen on the device, not be provided pre-printed

Read our full hardware wallet reviews to understand which verification features each device offers: Best Bitcoin Hardware Wallets 2026.

Part 2: Software Verification (GPG and SHA256)

Software verification confirms that the Bitcoin wallet or node software you downloaded matches exactly what the developers released. Two methods work together:

  • SHA256 checksums verify the file hasn't been modified during download or distribution
  • GPG signatures verify the checksum file was signed by the actual developer's key

Use both. Checksums catch accidental corruption and server-side tampering. GPG signatures catch cases where an attacker has compromised the distribution server and replaced both the software and the checksum.

Installing GPG

Windows: Download Gpg4win from gpg4win.org — this includes GPG and a graphical interface (Kleopatra)

macOS: Install via Homebrew: brew install gnupg

Linux: GPG is usually pre-installed. If not: sudo apt install gnupg (Debian/Ubuntu)

Practical Walkthrough: Verifying Sparrow Wallet

Sparrow Wallet is one of the most recommended Bitcoin wallets for intermediate to advanced users. Here's how to verify it:

Step 1: Download the required files

From sparrowwallet.com/download, download:

  • The wallet installer for your operating system
  • The manifest file (e.g., sparrow-2.1.0-manifest.txt)
  • The manifest signature file (e.g., sparrow-2.1.0-manifest.txt.asc)

Step 2: Import the developer's public key

Sparrow's developer (Craig Raw) publishes his GPG key. Import it:

Or download from Sparrow's website and import manually:

Step 3: Verify the manifest signature

Look for:

If you see "Good signature," the manifest is authentic. If you see "BAD signature," stop immediately — the file may have been tampered with.

Step 4: Verify the SHA256 checksum

The signed manifest contains SHA256 checksums for each installer file. Generate the checksum for your downloaded installer and compare:

Windows (PowerShell):

macOS/Linux:

The automated command reports "OK" or "FAILED" for each file listed in the manifest. If your installer shows "OK," you're verified.

Practical Walkthrough: Verifying Bitcoin Core

Bitcoin Core, the reference node implementation, is signed by multiple developers for added assurance.

Step 1: Download from official source

From bitcoincore.org/en/download/, download:

  • The Bitcoin Core installer for your OS
  • SHA256SUMS
  • SHA256SUMS.asc

Step 2: Import signing keys

Bitcoin Core releases are signed by multiple known developers. Import keys from at least 2–3 known signers:

A full list of signing keys is maintained in the Bitcoin Core repository. Importing multiple keys increases your confidence — an attacker would need to compromise several independent developers to forge multiple valid signatures.

Step 3: Verify the signatures

You want to see "Good signature" from at least one trusted developer. Multiple valid signatures provide stronger assurance.

Step 4: Verify your download

This checks only the file(s) you've downloaded against the verified checksum list.
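
Step 4 of both walkthroughs as POSIX shell functions, added here as an example; it is not code from the original page or from the Sparrow or Bitcoin Core projects. The function names and the demo file names are assumptions made for illustration, and the check fails closed when the installer is not listed in the manifest.

```shell
#!/bin/sh
# Added example, not from the original page. Use it only with a manifest
# whose signature has already been verified.

# sha256_of FILE: lowercase hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print tolower($1) }'
}

# verify_listed MANIFEST FILE
# Returns 0 if FILE is listed and matches, 1 if the digest differs,
# 2 if FILE is not listed at all (fail closed instead of skipping it).
verify_listed() {
    name=$(basename "$2")
    # Manifest lines look like "<hex>  <name>" or "<hex> *<name>".
    expected=$(awk -v n="$name" '
        { f = $0; sub(/^[^ ]+ [ *]/, "", f) }
        f == n { print tolower($1); exit }' "$1")
    if [ -z "$expected" ]; then
        echo "NOT LISTED: $name" >&2
        return 2
    fi
    if [ "$(sha256_of "$2")" = "$expected" ]; then
        echo "OK: $name"
    else
        echo "FAILED: $name" >&2
        return 1
    fi
}

# Constructed demo: a stand-in installer and a two-entry manifest.
demo_checksum() {
    d=$(mktemp -d)
    printf 'constructed installer bytes\n' > "$d/wallet-1.0.bin"
    {
        echo "$(sha256_of "$d/wallet-1.0.bin") *wallet-1.0.bin"
        echo "$(printf 'other' | sha256_of -)  other.bin"
    } > "$d/manifest.txt"
    verify_listed "$d/manifest.txt" "$d/wallet-1.0.bin"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo_checksum
```

A return value of 2 usually means the wrong manifest was downloaded or the installer was renamed after download.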

Understanding GPG Output

GPG output can be confusing if you haven't seen it before. Here's what the key messages mean:

| Output | Meaning | Action |
|---|---|---|
| "Good signature" | File is authentic and unmodified | Proceed |
| "BAD signature" | File has been tampered with or wrong key used | Stop. Do not use. |
| "WARNING: This key is not certified" | You haven't personally verified the key owner's identity | Normal — signature is still valid |
| "gpg: Can't check signature: No public key" | You haven't imported the developer's key yet | Import the key and retry |

The "not certified" warning is standard and expected for most users. It means you haven't gone through a formal key verification process (the GPG "web of trust") with the developer. The signature is still cryptographically valid — GPG is just noting you haven't personally confirmed who holds the key.
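
A "Good signature" line only says that some key in your keyring signed the file, so a scripted check should also compare the signer's fingerprint with the one you cross-referenced. The following added example (not from the original page or from GnuPG) reads gpg's machine-readable status lines and counts valid signatures from pinned fingerprints, which covers both the single Sparrow signer and the multiple Bitcoin Core signers; the function names, file names and sample fingerprints are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Create the status file with:
#   gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS > status.txt 2>/dev/null
# PINNED_FILE: one fingerprint per line, copied from sources you cross-checked.

# count_trusted_sigs STATUS_FILE PINNED_FILE
# Prints how many distinct pinned keys produced a VALIDSIG line.
# Returns 3 if gpg reported any BADSIG.
count_trusted_sigs() {
    if grep -q '^\[GNUPG:\] BADSIG ' "$1"; then
        echo "BADSIG reported: do not use this download" >&2
        return 3
    fi
    awk '
        # First file: pinned fingerprints, whitespace stripped, upper-cased.
        NR == FNR { gsub(/[ \t\r]/, ""); if ($0 != "") pin[toupper($0)] = 1; next }
        # Second file: status lines. Field 3 is the signing key fingerprint,
        # the last field is the primary key fingerprint.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            p = toupper($NF); s = toupper($3)
            if (p in pin) seen[p] = 1; else if (s in pin) seen[s] = 1
        }
        # ERRSIG and NO_PUBKEY lines (keys you never imported) are ignored.
        END { n = 0; for (k in seen) n++; print n }
    ' "$2" "$1"
}

# require_sigs STATUS_FILE PINNED_FILE MIN: succeeds only if MIN is reached.
require_sigs() {
    n=$(count_trusted_sigs "$1" "$2") || return $?
    [ "$n" -ge "$3" ]
}

# Constructed sample: one pinned signer, one signer with no imported key, and
# one valid signature from a keyring key that is NOT pinned (must not count).
demo_sigs() {
    d=$(mktemp -d); A=AAAAAAAAAA; B=BBBBBBBBBB
    printf '%s\n' "$A$A$A$A" > "$d/pinned"
    printf '[GNUPG:] %s\n' \
        "VALIDSIG $A$A$A$A 2026-01-01 1767225600 0 4 0 1 10 00 $A$A$A$A" \
        "NO_PUBKEY CCCCCCCCCCCCCCCC" \
        "VALIDSIG $B$B$B$B 2026-01-01 1767225600 0 4 0 22 10 00 $B$B$B$B" \
        > "$d/status"
    count_trusted_sigs "$d/status" "$d/pinned"
    rm -rf "$d"
}
demo_sigs
```

For Sparrow, `require_sigs status.txt pinned.txt 1` is enough; for Bitcoin Core, raise the last argument to the number of independent signers you want to require.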

Checksums vs. GPG Signatures: What Each Catches

| Threat | SHA256 Checksum | GPG Signature |
|---|---|---|
| File corrupted during download | ✅ Detects | |
| File altered on distribution server | ✅ Detects (if checksum unchanged) | ✅ Detects (if attacker lacks key) |
| Attacker replaced both file AND checksum | ❌ Misses | ✅ Detects |
| Attacker has developer's private key | ❌ Misses | ❌ Misses |

The combination of both methods catches every realistic attack vector except the nearly impossible case of a developer's private key being compromised.

Building Good Verification Habits

Always verify before first run. Don't install, open, or run Bitcoin software without checking it first — especially anything that will handle private keys or seed phrases.

Verify updates too. Don't assume an update is safe because the initial install was verified. Each release requires fresh verification.

Bookmark official download pages. Don't rely on search engines to find download links. A sponsored result could point to a malicious lookalike site. Save the official URL directly.

Cross-reference public keys. Check the developer's GPG key fingerprint from multiple sources — their official website, GitHub, Nostr profile. An attacker would need to compromise all of them simultaneously to mislead you.

For hardware wallets: Always buy directly from the manufacturer. No matter how good the price looks on a secondary marketplace, the security risk is not worth it.

Frequently Asked Questions

What is attestation in the context of Bitcoin hardware wallets?

Attestation is a cryptographic process that proves a hardware wallet is genuine factory hardware and hasn't been modified. Coldcard has a built-in attestation system that challenges the device to sign with a manufacturer-registered private key. Jade uses a supply chain verification protocol that communicates with Blockstream's attestation server during initial setup. Other wallets rely on firmware signature verification and physical inspection.

Does the Coldcard attestation actually work if someone intercepted the device?

Yes — that's precisely what it's designed to catch. The attestation key is burned into the secure element during manufacture and cannot be copied without physical access to the chip. If someone replaces the internal hardware or installs modified firmware, the attestation check fails.

Is buying a hardware wallet from Amazon safe?

Generally no. Hardware wallets sold through Amazon — even by third-party sellers claiming to sell new, sealed devices — have been documented as attack vectors. A compromised device can look perfectly sealed. Always buy directly from the manufacturer's official website.

What's the difference between a SHA256 checksum and a GPG signature?

A SHA256 checksum verifies that your downloaded file is byte-for-byte identical to the published version — it catches corruption and server-side file tampering. A GPG signature verifies that the checksum file itself was created by the actual developer (not someone who compromised the distribution server). Together they provide defense-in-depth: checksums catch modifications; GPG signatures authenticate the source.

How do I know if the GPG key I imported actually belongs to the developer?

Cross-reference the key fingerprint from multiple independent sources: the developer's official website, their GitHub profile, their Nostr or social media presence, and ideally from the software's own documentation. If the fingerprint matches across several independent sources, you have high confidence it's authentic.

My hardware wallet arrived with a pre-written seed phrase. What should I do?

Do not use it. This is a well-documented scam. Legitimate hardware wallet manufacturers never include or pre-generate seed phrases. A pre-written seed phrase means someone else knows your keys — any funds you send will be stolen. Contact the seller and the manufacturer immediately.

Does Sparrow Wallet have GPG-verified releases?

Yes. Sparrow Wallet releases are GPG-signed by the developer (Craig Raw). Follow the verification steps in this guide — it takes about 5 minutes and is strongly recommended before using Sparrow with real funds.

What should I do if software verification fails?

Stop immediately. Do not proceed with installation. Contact the developer through official channels (their GitHub, official website contact page) to report the discrepancy. Download the file again from the official source and repeat verification. If verification continues to fail, the distribution may have been compromised.

What's Next?

Verification is foundational to Bitcoin security — but it's one piece of a larger practice:

  1. Understand common security mistakes before they happen: Bitcoin Security Mistakes
  2. Set up proper self-custody with your verified hardware wallet: Self-Custody Guide
  3. Learn why running your own node matters for verifying transactions: Bitcoin Nodes Explained
  4. Compare verified hardware wallets side by side: Best Bitcoin Hardware Wallets 2026

Ready to choose a hardware wallet you can trust? Coldcard is available at coldcard.com. Blockstream Jade is available at blockstream.com. Both ship directly from the manufacturer with built-in supply chain verification.

Verification takes 15 minutes. Losing your bitcoin to a supply chain attack takes zero minutes to recover from, because you can't.
