Verify your download
Verify the Doxwell installer
Every release ships with a SHA-256 checksum and a detached minisign signature. Check both before running the installer — this is the only way to be sure the file on your disk is the one we built.
Why verify?
A download can be tampered with in transit — by a compromised mirror, a malicious CDN, or a machine-in-the-middle on your own network. A matching SHA-256 proves the bytes on disk are the bytes we published. A matching minisign signature proves those bytes were signed with our private key.
If either check fails, do not run the installer. Report it to security@l-lopa.de and redownload from doxwell.ai.
Our minisign public key
Key ID 47FBF9C48E930910. Save this as minisign.pub next to the installer.
untrusted comment: minisign public key 47FBF9C48E930910
RWQQCZOOxPn7R/cOJEQFYqYZcVH5IHuaoSOTQ2DVZaKhO3sKlcGXUXcHLinux
sha256sum -c doxwell-v1.0.0-linux.AppImage.sha256
minisign -V -p minisign.pub \
-m doxwell-v1.0.0-linux.AppImage \
-x doxwell-v1.0.0-linux.AppImage.minisigmacOS
shasum -a 256 -c doxwell-v1.0.0-macos.dmg.sha256
minisign -V -p minisign.pub \
-m doxwell-v1.0.0-macos.dmg \
-x doxwell-v1.0.0-macos.dmg.minisigWindows
On Windows the simplest path is WSL (Windows Subsystem for Linux) — the Linux recipe above works as-is. If you cannot use WSL, use Get-FileHash in PowerShell for the SHA-256, then install minisign (choco install minisign or the binary from the minisign releases page) and run the signature check.
$expected = (Get-Content .\doxwell-v1.0.0-windows-setup.exe.sha256 -Raw).Split(' ')[0]
$actual = (Get-FileHash -Algorithm SHA256 .\doxwell-v1.0.0-windows-setup.exe).Hash.ToLower()
if ($expected -ne $actual) { Write-Error "SHA-256 mismatch" }
# minisign for Windows — install via `choco install minisign` or download
# from the minisign releases page, then:
minisign -V -p .\minisign.pub `
-m .\doxwell-v1.0.0-windows-setup.exe `
-x .\doxwell-v1.0.0-windows-setup.exe.minisigIf verification fails
A mismatch on either check is a trust failure. Do not run the installer. Delete it, email security@l-lopa.de, and download again from doxwell.ai over a fresh connection.