Optional but recommended — this confirms the file is exactly what we shipped, not a corrupted or tampered copy. The long character string above (called a SHA-256 checksum) works like a unique fingerprint of the file: change a single byte and the fingerprint changes too.
Step 1 — open a terminal:
- On a headless Raspberry Pi (no monitor attached): open Terminal on your Mac and run
ssh <username>@<hostname>.local — replace <username> with the account you created when flashing the SD card, and <hostname> with the hostname you set (defaults to raspberrypi, so raspberrypi.local if you left it as-is). You'll be prompted for that account's password. (If .local doesn't resolve on your network, use the Pi's IP address instead — find it on your router's admin page.) - On a Raspberry Pi with a monitor: press Ctrl+Alt+T, or open Terminal from the Pi's app menu.
- On macOS: press ⌘+Space, type
Terminal, press Enter.
Step 2 — go to the file and check it: navigate to where the file landed (usually cd ~/Downloads), then run shasum -a 256 <filename> on macOS or sha256sum <filename> on Linux / Raspberry Pi — replacing <filename> with the actual file name. The output should match the SHA-256 above character for character. If it doesn't, delete the file and download again — don't run anything from a file whose checksum doesn't match.
The embedded Ed25519 public key that signs licenses can also be independently verified — see /security.
