How can I verify that my Exodus download is authentic?

Security and trust are some of Exodus' top concerns and key issues in the world of crypto-currencies.

We want to make sure our users know they are downloading a legitimate and untampered copy of Exodus, so we digitally sign each installer package with our official developer signature. 

We also publish PGP signed hashes of each installer for every new version of Exodus that is released, so our advanced users can verify that the hashes we publish came from us.

A hash is a unique signature of a file's contents - Checking that the hash of the installer you downloaded matches the hash we publish, ensures that the file was not tampered with between our server and your computer. 

You can find our release hashes on our download page.

https://www.exodus.io/releases/ is the only official portal for Exodus Desktop downloads.


To verify that the release hashes are authentic and belong to Exodus Movement, Inc., copy and paste the hashes file text from the `View Release Hashes` link into https://keybase.io/verify

Below, you will find OS specific instructions for verifying the downloaded app is authentic:

They include verifying the signature of the file and producing its SHA256 hash, which you can compare to the hashes we publish with each release. 

Verifying the signature of the file proves that the installer was indeed published by us, while checking the hash of the file ensures it has not been tampered with between our servers and your computer. Although such an event is unlikely, as long as you download Exodus from our official download page, it's generally a good security practice to verify the hash of the files you download.

Windows

Here's how to double check Exodus' developer signature on the install package:

1. Open the properties menu of the installer:

2. Go to the "Digital Signatures" tab and verify that the signature is from "Exodus Movement Inc"

In order to check the SHA256 hash of the installer please follow these steps:

1. Open Command Prompt

2. Enter this command and add a space at the end:

certutil -hashfile

3. Then drag and drop the file you just downloaded. That will fill out its path.

4. Finally type sha256 and press Enter.

The command would look something like this:

certutil -hashfile "C:\Users\username\Downloads\exodus-windows-x64-19.1.18.exe sha256<br>

and the result would be the hash of the file, which should match the hash found in our download page. Below is a video of that process for those who prefer a visual guide.


MacOS

Mac OS X users benefit from a built-in app-signature-verifying system called Gatekeeper. Whenever you open a Mac OS X application, Gatekeeper automatically verifies the authenticity of an application's developer signature. Unless one has gone to the trouble of intentionally disabling the Mac OS X Gatekeeper in System Preferences, Mac users should not need to verify your downloads, as Apple's software already does it for you whenever you open the Exodus application.

If Mac OS prompts you, when opening Exodus, that the application is from an 'uncertified developer', then you should not open it. You may have downloaded an unsigned or illegitimate copy of Exodus.

For users who would rather verify their Exodus installation manually, here's how: 

1. Open the Mac OS X Terminal application located here (or by searching for Terminal in Spotlight):

/Applications/Utilities/Terminal.app

2. Enter this command: 

codesign -dv --verbose=4

3. Remember to include the space at the end. Then, drag and drop the downloaded .dmg installer file into the terminal window - this will automatically populate the file path of the installer into the terminal.

4. Press Enter and Terminal should print out the developer certification information. Look specifically for these lines and make sure they match:

Authority=Developer ID Application: Exodus Movement Inc (VK5Q293EVL)
Authority=Developer ID Certification Authority
Authority=Apple Root CA

To cross check the SHA256 hash against the ones published on our download page, please follow these steps:

1. In Terminal enter the following:

openssl dgst -sha256

2. Remember to include the space at the end. Then, click and drag the downloaded .dmg installer file into the terminal window - Once more, this will automatically populate the file path into the console.

Linux

Linux users with GnuPG and Curl installed can verify the authenticity of a downloaded Exodus package with a simple two line script. You must include the URL to the current version's published release hashes, which can be found at https://www.exodus.io/releases/

To verify the downloaded package hasn't been tampered with, verify its SHA256 hash against the hash published on our website by running this command in Terminal:

curl -s ****URL-TO-RELEASE-HASHES**** | grep linux ; shasum -a 256 ~/Downloads/exodus-linux*

URL-TO-RELEASE-HASHES is the link you copied in the screenshot above. So, the command for version 19.1.18 would look like this:

curl -s https://exodusbin.azureedge.net/releases/hashes-exodus-19.1.18.txt | grep linux ; shasum -a 256 ~/Downloads/exodus-linux-x64-19.1.18.zip

If these two hashes match, then you know you know the package is authentic and un-tampered with!