Security

How we verify a download, step by step

Jul 12, 2026 · 6 min read

Every app page on Altapp carries a Trust Report, and every Trust Report starts the same way: we go to the developer's official release channel and download the build ourselves. Not a mirror, not an aggregator — the source.

The binary is then checked in three passes. First, the code signature: is it signed by the developer, and does the certificate chain validate? On macOS we also verify notarization; on Windows, the Authenticode signature.

Second, the checksum. If the developer publishes a SHA-256, we compare it against our download. If they don't, we compute and publish one ourselves, so future downloads can be verified against a known-good value.

Third, the scan. The file goes through a multi-engine malware scan, and the result — including the engine count — is recorded in the report with a date. A report is never evergreen: each check carries a freshness window, and expired checks are re-run before the page shows them as current.

Back to blog ›