How to Verify that Your Exodus Download is Authentic

Security and trust are among Exodus' top concerns, and perhaps the central issue in the world of cryptocurrencies.

Phishing websites are common in the crypto community, and fraudulent copies of well-known, established wallet services have begun to surface. These phony duplicate programs are made to look exactly like their authentic counterparts; they prompt the user for their 12-word phrase or password, then use that information to steal the user's funds.

We want to make sure our users know they are downloading a legitimate and untampered copy of Exodus, so we digitally sign each installer package with our official developer signature. 

We also publish PGP signed hashes of each installer for every new version of Exodus that is released, so our advanced users can verify that the hashes we publish came from us. 

A hash is a short, fixed-length digest that identifies a file's contents: any change to the file produces a different hash. Verifying that the hash you compute matches the hash we publish proves that the file was not tampered with between our server and your computer.

OS-specific instructions can be found below the videos:

This video provides an in-depth explanation of cryptographic hashes:

You can find our release hashes on our download page, here:

Windows

Here's how to double check Exodus' developer signature on the install package:

1. Open the properties menu of the installer:

2. Go to the "Digital Signatures" tab and verify that the signature is from "Exodus Movement Inc".

Mac OS

Mac OS X users benefit from a built-in signature-verification system called Gatekeeper. Whenever you open a Mac OS X application, Gatekeeper automatically verifies the authenticity of the application's developer signature. Unless one has gone to the trouble of intentionally disabling Gatekeeper in System Preferences, Mac users should not need to verify their downloads, as Apple's software already does it for you whenever you open the Exodus application.

If Mac OS prompts you, when opening Exodus, that the application is from an 'uncertified developer', then you should not open it. You may have downloaded an unsigned or illegitimate copy of Exodus.

For users who would rather verify their Exodus installation manually, open the Mac OS X Terminal application, located here:

/Applications/Utilities/Terminal.app

And enter this command: 

codesign -dv --verbose=4 /Path/To/Exodus/.dmg/File

Hit return, and Terminal should print out the developer certification information. Look specifically for these lines:

Authority=Developer ID Application: Exodus Movement Inc (VK5Q293EVL)
Authority=Developer ID Certification Authority
Authority=Apple Root CA

To verify the SHA256 checksum, in Terminal enter the following:

openssl dgst -sha256 /Path/To/Exodus/.dmg/File

You can match the checksum against the "View Release Hashes" list on our download page.

Linux

Linux users with GnuPG and curl installed (most Linux distributions have GPG installed by default) can verify the authenticity of a downloaded Exodus package with a simple two-line script. You must include the URL of the current version's published release hashes, which can be found at https://www.exodus.io/releases/

A member of our team has made a handy, interactive shell script that performs this verification on Linux, and uploaded it to GitHub for public use:

https://github.com/kklash/exodus_tools/blob/master/verifyLinux.sh

To run that script, simply execute:

sh <(curl -s https://raw.githubusercontent.com/kklash/exodus_tools/master/verifyLinux.sh)

on a terminal. For those who would prefer to manually execute this script, here's how: 

curl -s https://keybase.io/jprichardson/pgp_keys.asc?fingerprint=12408650e2192febe4e7024c9d959455325b781a | gpg --import -q

curl -s ***URL-TO-RELEASE-HASHES*** | gpg --verify

Executing the above lines should produce:

~$ curl -s https://keybase.io/jprichardson/pgp_keys.asc?fingerprint=12408650e2192febe4e7024c9d959455325b781a | gpg --import -q
~$ curl -s ***URL-TO-RELEASE-HASHES*** | gpg --verify
gpg: Signature made Thu 14 Sep 2017 09:43:29 PM PDT using RSA key ID 325B781A
gpg: Good signature from "JP Richardson <jprichardson@gmail.com>"
gpg: aka "JP Richardson <jp@exodus.io>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1240 8650 E219 2FEB E4E7  024C 9D95 9455 325B 781A

Pay particular attention to the "Primary key fingerprint" and the "RSA key ID". The two WARNING lines appear because your own GPG keyring has not marked this key as trusted; comparing the fingerprint by hand against the value shown above is what stands in for that trust. If the fingerprint and key ID match, you know that the checksums on the page are authentic.

Now, to verify the downloaded package hasn't been tampered with, verify its checksum against the checksum published on our website:

curl -s ****URL-TO-RELEASE-HASHES**** | grep linux ; shasum -a 256 ~/Downloads/exodus-linux*
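The following is an added example, not Exodus' verifyLinux.sh and not code from this page. It wraps the two Linux steps above (check the PGP signature on the published hash list, then compare the download's SHA256 against the entry for that file) in reusable shell functions, and does the same checksum comparison the Mac openssl step asks you to do by eye. It assumes the hash list uses the "<hex digest>  <file name>" layout that shasum and sha256sum print, one line per file; the hash list, file names and file contents it creates are constructed demo data so the checksum step can run offline. The signature check needs gpg and the imported key, so the demo data does not exercise it.

```shell
#!/bin/sh
# Added example, not Exodus' own verifyLinux.sh: the two Linux steps
# (verify the signature on the hash list, compare the download's SHA256
# against it) as functions, plus constructed files so the checksum step
# runs offline. Assumed hash-list layout: "<hex digest>  <file name>" per
# line, as shasum/sha256sum print it (the real list may differ).

# Fingerprint of the signing key shown in the gpg output above.
EXODUS_FPR="12408650E2192FEBE4E7024C9D959455325B781A"

# Print the SHA256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# check_signature HASHLIST: verify the clearsigned hash list and require
# the signing key's full fingerprint rather than the "Good signature" text.
# gpg's machine-readable status line "VALIDSIG <fingerprint> ..." carries
# it. Needs gpg and the imported key, so the demo below does not call it.
check_signature() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | grep -q "VALIDSIG $EXODUS_FPR"
}

# verify_download HASHLIST DOWNLOAD: look the download up by file name in
# the hash list and compare digests. 0 = match, 1 = mismatch, 2 = unlisted.
# Works on the clearsigned list too: the PGP header and signature lines
# never have the file name in the second column.
verify_download() {
    hashlist=$1; download=$2
    name=$(basename "$download")
    expected=$(awk -v n="$name" '$2 == n {print tolower($1)}' "$hashlist")
    if [ -z "$expected" ]; then
        echo "NOT LISTED: $name is not in $hashlist" >&2
        return 2
    fi
    actual=$(sha256_of "$download")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published hash"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  published $expected" >&2
    echo "  computed  $actual" >&2
    return 1
}

# make_demo_dir: constructed data only. One file whose digest is listed
# correctly and one whose listed digest is wrong (a "tampered" download).
# Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'demo installer contents\n' > "$d/exodus-linux-x64-demo.zip"
    printf 'demo installer contents\n' > "$d/exodus-linux-x64-demo.deb"
    {
        echo "$(sha256_of "$d/exodus-linux-x64-demo.zip")  exodus-linux-x64-demo.zip"
        echo "0000000000000000000000000000000000000000000000000000000000000000  exodus-linux-x64-demo.deb"
    } > "$d/hashes-linux.txt"
    echo "$d"
}

# Stand-alone run: the first check passes, the second reports a mismatch.
demo=$(make_demo_dir)
verify_download "$demo/hashes-linux.txt" "$demo/exodus-linux-x64-demo.zip"
verify_download "$demo/hashes-linux.txt" "$demo/exodus-linux-x64-demo.deb" || echo "(mismatch reported as expected)"
rm -rf "$demo"
```

Against a real release, you would first save the signed hash list (for example with curl -s to a file), run check_signature on it, and only if that succeeds run verify_download with that file and the path to the installer you downloaded. Looking the file up by name and comparing the full digest in the script, rather than eyeballing two long hex strings, removes the easiest place for a human check to go wrong.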