How can I verify that my Exodus download is authentic?

Security and trust are among Exodus' top concerns, and they are key issues in the world of cryptocurrencies.

Phishing websites are common in the crypto community, and fraudulent copies of well-known, established wallet services have begun to surface. These phony duplicates are made to look exactly like their authentic counterparts; they prompt the user to enter their 12-word phrase or password and then use that information to steal the user's funds.

We want to make sure our users know they are downloading a legitimate and untampered copy of Exodus, so we digitally sign each installer package with our official developer signature.

We also publish PGP-signed hashes of each installer for every new version of Exodus that is released, so our advanced users can verify that the hashes we publish came from us.

A hash is a unique fingerprint of a file's contents. Verifying that your hash matches our hash proves that the file was not tampered with between our server and your computer.

OS-specific instructions follow below.

You can find our release hashes on our download page.

Windows

Here's how to double-check Exodus' developer signature on the install package:

1. Open the Properties menu of the installer.

2. Go to the "Digital Signatures" tab and verify that the signature is from "Exodus Movement Inc".

Mac OS

Mac OS X users benefit from a built-in app-signature-verifying system called Gatekeeper. Whenever you open a Mac OS X application, Gatekeeper automatically verifies the authenticity of the application's developer signature. Unless you have gone to the trouble of intentionally disabling Gatekeeper in System Preferences, you should not need to verify your download manually, as Apple's software already does it for you whenever you open the Exodus application.

If Mac OS prompts you, when opening Exodus, that the application is from an 'uncertified developer', do not open it. You may have downloaded an unsigned or illegitimate copy of Exodus.

If you would rather verify your Exodus installation manually, open the Mac OS X Terminal application, located here:

/Applications/Utilities/Terminal.app

and enter this command:

codesign -dv --verbose=4

*Remember to include the space at the end. Then click and drag the downloaded .dmg installer file into the Terminal window; this automatically fills in the installer's file path on the command line.

Hit Return and Terminal should print out the developer certificate information. Look specifically for these lines and make sure they match:

Authority=Developer ID Application: Exodus Movement Inc (VK5Q293EVL)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
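The codesign check above as a small script, added here as an example (not Exodus' own code). It goes one step beyond the page: codesign -dv only displays the identity embedded in the signature, so the script first runs codesign --verify to confirm the signature is valid and the file unmodified, then requires all three Authority lines shown above plus the matching TeamIdentifier. The sample output in the comments is constructed.

```shell
# Added example, not from Exodus: valid signature AND expected signer identity.
set -eu

# The three Authority lines quoted on this page, plus the team ID they contain.
AUTH_LEAF="Authority=Developer ID Application: Exodus Movement Inc (VK5Q293EVL)"
AUTH_CA="Authority=Developer ID Certification Authority"
AUTH_ROOT="Authority=Apple Root CA"
TEAM_ID="VK5Q293EVL"

# 0 only if the text of "codesign -dv --verbose=4" ($1) names the full expected
# chain as whole lines (-F fixed string, -x whole line) and the team ID.
chain_ok() {
  printf '%s\n' "$1" | grep -Fxq "$AUTH_LEAF" || return 1
  printf '%s\n' "$1" | grep -Fxq "$AUTH_CA"   || return 1
  printf '%s\n' "$1" | grep -Fxq "$AUTH_ROOT" || return 1
  printf '%s\n' "$1" | grep -Fxq "TeamIdentifier=$TEAM_ID"
}

# Full check of a downloaded installer (Mac OS only): the signature must verify,
# and the signer must be Exodus. codesign prints its details on stderr, so 2>&1.
verify_installer() {  # $1 = path to the downloaded .dmg
  codesign --verify --deep --strict "$1" || { echo "signature INVALID: $1" >&2; return 1; }
  chain_ok "$(codesign -dv --verbose=4 "$1" 2>&1)" || { echo "unexpected signer: $1" >&2; return 1; }
  echo "OK: $1 is signed by Exodus Movement Inc"
}
if [ "$#" -gt 0 ]; then verify_installer "$1"; fi   # e.g. sh check.sh ~/Downloads/<installer>.dmg
```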

To verify the SHA256 checksum, in Terminal enter the following:

openssl dgst -sha256

*Remember to include the space at the end. Then click and drag the downloaded .dmg installer file into the Terminal window; once more, this automatically fills in the file path on the command line.

Compare the resulting checksum with the one listed under "View Release Hashes" on our download page.

Linux

Linux users with GnuPG and curl installed (most Linux distributions have GPG installed by default) can verify the authenticity of a downloaded Exodus package with a simple two-line script. You must include the URL of the current version's published release hashes, which can be found at https://www.exodus.io/releases/

A member of our team has written a handy, interactive shell script that performs this verification on Linux, and uploaded it to GitHub for public use:

https://github.com/kklash/exodus_tools/blob/master/verifyLinux.sh

To run that script, simply execute:

sh <(curl -s https://raw.githubusercontent.com/kklash/exodus_tools/master/verifyLinux.sh)

in a terminal. If you would rather run the steps manually, here's how:

curl -s https://keybase.io/jprichardson/pgp_keys.asc?fingerprint=12408650e2192febe4e7024c9d959455325b781a | gpg --import -q

curl -s ***URL-TO-RELEASE-HASHES*** | gpg --verify

Executing the above lines should produce output like this:

~$ curl -s https://keybase.io/jprichardson/pgp_keys.asc?fingerprint=12408650e2192febe4e7024c9d959455325b781a | gpg --import -q
~$ curl -s ***URL-TO-RELEASE-HASHES*** | gpg --verify
gpg: Signature made Thu 14 Sep 2017 09:43:29 PM PDT using RSA key ID 325B781A
gpg: Good signature from "JP Richardson <jprichardson@gmail.com>"
gpg: aka "JP Richardson <jp@exodus.io>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1240 8650 E219 2FEB E4E7  024C 9D95 9455 325B 781A

Especially note the "Primary key fingerprint" and the "RSA key ID". If these values match the ones shown above, you know that the checksums on the release-hashes page are authentic. The "WARNING: This key is not certified" lines are expected: they only mean you have not marked the key as trusted in your own keyring, which is exactly why comparing the fingerprint matters.

Now, to verify that the downloaded package hasn't been tampered with, check its checksum against the checksum published on our website:

curl -s ***URL-TO-RELEASE-HASHES*** | grep linux ; shasum -a 256 ~/Downloads/exodus-linux*

If these two hashes match, then you know the package is authentic and untampered with!
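The Linux procedure above (key import, signature check, hash comparison) as one script, added here as an example and not Exodus' own verifyLinux.sh. It assumes the signed release-hashes page lists one "<sha256>  <filename>" pair per line (a constructed format; confirm against the real page) and that the RELEASE_HASHES_URL placeholder is replaced with the current URL. It goes slightly beyond the page: instead of eyeballing the fingerprint it checks that the signing key is exactly the one shown above, it refuses a file that is not listed at all, and it also runs on Mac OS via shasum.

```shell
# Added example, not Exodus' own verifyLinux.sh: import the key, verify the
# signed release hashes, then compare the downloaded package's SHA-256.
# Assumed: the signed page lists one "<sha256>  <filename>" per line
# (constructed format) and RELEASE_HASHES_URL is replaced with the real URL.
set -eu
EXPECTED_FPR="12408650E2192FEBE4E7024C9D959455325B781A"   # fingerprint quoted on this page
KEY_URL="https://keybase.io/jprichardson/pgp_keys.asc?fingerprint=12408650e2192febe4e7024c9d959455325b781a"
RELEASE_HASHES_URL="***URL-TO-RELEASE-HASHES***"            # placeholder, as on the page

# SHA-256 of a file as lowercase hex, via sha256sum (Linux) or shasum (Mac OS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print tolower($1) }'
  else
    shasum -a 256 "$1" | awk '{ print tolower($1) }'
  fi
}

# Hash published for an exact filename in the (already verified) hashes text;
# prints nothing if the file is not listed.
published_hash() {  # $1 = hashes text, $2 = filename
  printf '%s\n' "$1" | awk -v f="$2" '$2 == f { print tolower($1); exit }'
}

# 0 if the local file's hash equals the published one; 1 on mismatch or when
# the file is not listed at all (an unlisted file must never pass).
check_hash() {  # $1 = hashes text, $2 = path to downloaded package
  expected=$(published_hash "$1" "$(basename "$2")")
  [ -n "$expected" ] || { echo "not listed in release hashes: $2" >&2; return 1; }
  [ "$(sha256_of "$2")" = "$expected" ]
}

# Fetch and verify the signed hashes, and insist the signing key has the expected
# fingerprint: "Good signature" alone means only that *some* imported key signed it.
# VALIDSIG on gpg's --status-fd output carries the full fingerprint; on success
# the signed text is printed with the armor stripped.
verified_hashes() {
  curl -s "$KEY_URL" | gpg --import -q
  signed=$(curl -s "$RELEASE_HASHES_URL")
  status=$(printf '%s\n' "$signed" | gpg --status-fd 1 --verify 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR " || return 1
  printf '%s\n' "$signed" | gpg --decrypt -q 2>/dev/null
}

main() {  # $1 = downloaded package, e.g. ~/Downloads/exodus-linux-x64-<version>.zip
  hashes=$(verified_hashes) || { echo "signature check FAILED, do not install" >&2; exit 1; }
  if check_hash "$hashes" "$1"; then echo "OK: $1 matches the signed release hash"
  else echo "MISMATCH: do not install $1" >&2; exit 1; fi
}
if [ "$#" -gt 0 ]; then main "$1"; fi
```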