Download and Run Sparrow Bitcoin Wallet

Ideally, for your Bitcoin Wallet, you should use a computer that is dedicated to Bitcoin only. And it should be a fresh install of the operating system. Even though you may be using a hardware wallet, malware can trick you into sending bitcoin to an attacker’s address instead of the intended destination.

Step 1 – Download Sparrow

Go to SparrowWallet.com

If you are an experienced Linux user, click the GitHub link and compile from source code. If you are even more advanced, you can even read the code yourself and verify it is non-malicious.

For everyone else, stay on the current website and click the Download tab.

Try to download the next three files in the same directory, typically your downloads directory. Carefully read the left column to decide which package you need to download depending on your operating system.

You should also download the “Manifest” and “Manifest Signature”.

Step 2 – Verify the Release

To make sure the software has not been tampered with since the author has released it, you should verify his/her signature. Learn to do this, it’s an important life skill, especially if you are a Bitcoiner. For Mac, you’ll need to install GPG Suite, and for Windows, you’ll need GPG4Win. Both of these will give you command line tools for the following step. For more details see this article.

Open Terminal in Mac/Linux or CMD in Windows. Copy and paste this command and hit enter. This will import the author’s public key into your computer’s “key ring”.

curl https://keybase.io/craigraw/pgp_keys.asc | gpg --import

Next, navigate to the Downloads directory (case sensitive in Mac/Linux) by typing “cd Downloads”.

Then copy and paste this:

gpg --verify sparrow-1.4.3-manifest.txt.asc

After you hit <enter> it should say “good signature from Craig Raw” somewhere in the output. Down below that it will give you a warning which is safe to ignore. (It just refers to the fact that you have not met Craig in person, confirmed his public key is indeed his, and then edited your key ring to say the public key is safe to use.)

A note about the above command. There are 3 elements to it, separated by a space. The first is gpg. That’s the program. Then it’s a double dash and “verify”. That’s the option for the program. The third is the file name of the signature. Usually, it is nearly identical to the release file apart from the “.asc” at the end. If it is different, the computer gets confused. You need to then either change the file names so they match, or, add a 4th element to the command. That would be the file name of the release itself.

In this instance, the author, Craig, didn’t sign the release. In fact, he signed a file called “manifest”. So we have simply verified that “manifest” is genuine. This file contains the SHA256 hashes of the releases. I am not sure why this two-step method is chosen by some software developers.

What we need to do next is to hash the release, and compare that the output we get is identical to the output specified in the manifest text file. Let’s do that now…

On a Mac or Linux, navigate to the directory where the release is (probably Downloads).

Then type:

shasum -a 256 xxxxxxxxxx

Replace xxxxxxxxxx with the filename of the Sparrow release download. Hit <enter>. The computer will think for a bit, and give you a hash output. Compare it with what is listed in the manifest text file and make sure it is identical.

For Windows, navigate to the directory where the release is (probably downloads).

Then type:

certutil -hashfile xxxxxxxxxx SHA256

Replace xxxxxxxxxx with the filename of the Sparrow release download. Hit <enter>. The computer will think for a bit, and give you a hash output. Compare it with what is listed in the manifest text file and make sure it is identical.

Step 3 – Run Sparrow

For Windows, extract the zip file, and run the executable. There is no installation.

For Mac, double click the .dmg file and “install” the usual way for Macs

For Linux, you’re on your own 🤣

Next Guide – Connect Sparrow to a Bitcoin Core node

See this guide

%d bloggers like this: