Authoritative hash registry

Releases & Verification

SHA-256 hashes of every NovaMoney binary published at dl.novamoney.site. This page is the second source of truth — cross-verify against the file in R2 before executing any release.

Why two sources?

Binaries and their hash file (SHA256SUMS) both live in Cloudflare R2. If an attacker compromises the R2 token, they could replace both files at once and the verification would still pass. By publishing the same hashes on this independent page (served from a different infrastructure), an attacker would need to compromise both systems to deceive operators.

How to verify a release

# 1. Download from R2
curl -fsSL -O https://dl.novamoney.site/latest/novamoney-linux-x64.xz
curl -fsSL -O https://dl.novamoney.site/latest/SHA256SUMS
curl -fsSL -O https://dl.novamoney.site/latest/VERSION

# 2. Verify the SHA-256 in SHA256SUMS matches the entry below for the same version
cat VERSION                   # shows the version tag
cat SHA256SUMS                # shows the hashes from R2
# Manually compare against the row in this page for that version

# 3. Verify the downloaded file integrity
sha256sum -c SHA256SUMS --ignore-missing
# novamoney-linux-x64.xz: OK

# 4. Decompress and re-verify
xz -d novamoney-linux-x64.xz
sha256sum -c SHA256SUMS --ignore-missing
# novamoney-linux-x64: OK

# 5. Install and run
chmod +x novamoney-linux-x64
mv novamoney-linux-x64 ~/node/novamoney

If hashes don't match between R2 and this page

Do not execute the binary. Either there's tampering on R2 or this page is out of date. Contact Daniel via Telegram @novamoney_releases or open an issue at the GitHub repo. Until verified, the binary should be treated as untrusted.

Published releases

Version Date / Commit SHA-256 Downloads
v0.1.0
2026-05-05
73506ff6a034d0c05a0a73b98b9fe8684314d7e4
.xz74514e076217826fd10e3f429b0bf3804c3f851259eff6017f4a505a9fad3350
bind8fe32dc7f7757681f1b1e2814ade4efb71df67f8ec879d079e87090d65662fc
 .xz bin SHA256SUMS VERSION

Reproducible builds

To independently reproduce a build and verify the binary you'll run was compiled from a specific commit:

git clone https://github.com/SucrePro/redcripto.git
cd redcripto
git checkout <git_commit_from_table>
cargo build --release
strip target/release/redcripto
sha256sum target/release/redcripto    # compare against bin hash above

Note: small differences are possible due to compiler non-determinism (timestamps, absolute paths in residual debug info). The strip step removes most but not all sources of non-determinism. For exact bit-for-bit reproducibility, additional flags would be needed in Cargo.toml.