How can I verify that my Exodus download is authentic?
What are release hashes?
A hash is a unique signature of a file's contents. Checking that the hash of the installer you downloaded matches the hash we publish ensures that the file was not tampered with between our server and your computer.
Security and trust are some of Exodus' top concerns and key issues in the world of crypto-currencies. We want to make sure our users know they are downloading a legitimate and untampered copy of Exodus, so we digitally sign each installer package with our official developer signature.
We also publish PGP signed hashes of each installer for every new version of Exodus that is released, so our advanced users can verify that the hashes we publish came from us.
The instructions below include verifying the signature of the file and producing its SHA256 hash, which you can compare to the hashes we publish with each release.
Verifying the signature of the file proves that the installer was indeed published by us, while checking the hash of the file ensures it has not been tampered with between our servers and your computer. Although such an event is unlikely, as long as you download Exodus from our official download page, it's generally a good security practice to verify the hash of the files you download.
Where can I find the release hashes?
You can find our release hashes on our download page:
How do I use release hashes to verify the installer's authenticity?
- First, you will need to find the release hashes. See the following guide on how to find the release hashes: Where can I find the release hashes?
- Next, to verify that the release hashes are authentic and belong to Exodus Movement, Inc., copy the text of the release hashes.
- Go to the website https://keybase.io/verify and a) paste in the release hashes from step 2, then b) click Verify.
- If the release hashes are authentic, after you click Verify, you will see the message Signed by exodusmovement.
Instructions for Windows
Here's how to double-check Exodus' developer signature on the install package:
- Open the properties menu of the installer:
a) Go to the "Digital Signatures" tab and b) verify that the signature is from "Exodus Movement Inc":
In order to check the SHA256 hash of the installer please follow these steps:
- Open Command Prompt
- Enter this command and add a space at the end:
certutil -hashfile
- Then drag and drop the file you just downloaded. That will fill out its path.
- Finally, type sha256. The command would look something like this:
certutil -hashfile "C:\Users\username\Downloads\exodus-windows-x64-19.1.18.exe" sha256
- Press Enter.
The result is the hash of the file, which should match the hash found on our download page.
Instructions for macOS
Mac OS X users benefit from a built-in app-signature-verifying system called Gatekeeper. Whenever you open a Mac OS X application, Gatekeeper automatically verifies the authenticity of the application's developer signature. Unless they have gone to the trouble of intentionally disabling the Mac OS X Gatekeeper in System Preferences, Mac users should not need to verify their downloads, as Apple's software already does it whenever they open the Exodus application.
If Mac OS prompts you, when opening Exodus, that the application is from an 'uncertified developer', then you should not open it. You may have downloaded an unsigned or illegitimate copy of Exodus.
For users who would rather verify their Exodus installation manually, here's how:
Open the Mac OS X Terminal application located here (or by searching for Terminal in Spotlight):
Enter this command:
codesign -dv --verbose=4
- Remember to include the space at the end. Then, drag and drop the downloaded .dmg installer file into the terminal window - this will automatically populate the file path of the installer into the terminal.
Press Enter and Terminal should print out the developer certification information. Look specifically for these lines and make sure they match:
Authority=Developer ID Application: Exodus Movement Inc (VK5Q293EVL)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
To cross-check the SHA256 hash against the ones published on our download page, please follow these steps:
In Terminal enter the following:
openssl dgst -sha256
- Remember to include the space at the end. Then, click and drag the downloaded .dmg installer file into the terminal window. Once more, this will automatically populate the file path into the console.
Instructions for Linux
First, verify the authenticity of the release hashes, as explained here.
Then, Linux users with GnuPG and Curl installed can verify the authenticity of a downloaded Exodus package with a simple two-line script. You must include the URL to the current version's published release hashes, which can be found at https://www.exodus.com/download/:
To verify the downloaded package hasn't been tampered with, verify its SHA256 hash against the hash published on our website by running this command in Terminal:
curl -s URL-TO-RELEASE-HASHES | grep linux ; shasum -a 256 ~/Downloads/exodus-linux*
URL-TO-RELEASE-HASHES is the link you copied in the screenshot above. So, the command for version 20.7.20 would look like this:
curl -s https://downloads.exodus.io/releases/hashes-exodus-20.7.20.txt | grep linux ; shasum -a 256 ~/Downloads/exodus-linux-x64-20.7.20.zip
If these two hashes match, then you know the package is authentic and has not been tampered with!
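The Linux comparison above can be scripted so that the shell, rather than the eye, decides whether the two hashes match. This is an added example, not Exodus's own script: it assumes the release hashes have already been verified as described earlier and saved to a local file, that each line of that file pairs a SHA256 hash with the installer's file name, and the helper names `sha256_of` and `verify_package` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Exodus code. Assumption: each line of the hashes file
# carries a 64-hex SHA256 digest together with the installer's file name.

sha256_of() {  # print the lowercase SHA256 hex digest of file $1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1"
  else
    shasum -a 256 < "$1"
  fi | awk '{print tolower($1)}'
}

# verify_package HASHES_FILE PACKAGE
# returns 0 = match, 1 = mismatch, 2 = unreadable input or no unambiguous entry
verify_package() {
  local hashes=$1 pkg=$2 name published
  [ -r "$hashes" ] && [ -r "$pkg" ] || return 2
  name=$(basename "$pkg")
  # Fixed-string match on the file name, then extract the digest from that line.
  published=$(grep -F -- "$name" "$hashes" | grep -oE '[0-9A-Fa-f]{64}' |
              tr 'A-F' 'a-f' | sort -u)
  # Zero digests, or several different ones for one name: refuse to decide.
  [ "$(printf '%s\n' "$published" | grep -c .)" -eq 1 ] || return 2
  [ "$(sha256_of "$pkg")" = "$published" ]
}

# Constructed demo data (stand-in file and version, not real Exodus hashes).
demo_dir=$(mktemp -d)
pkg="$demo_dir/exodus-linux-x64-0.0.0.zip"
printf 'stand-in installer bytes\n' > "$pkg"
printf '%s  %s\n' "$(sha256_of "$pkg")" "$(basename "$pkg")" > "$demo_dir/hashes.txt"

verify_package "$demo_dir/hashes.txt" "$pkg" && echo "OK: hash matches"
printf 'x' >> "$pkg"   # simulate a modified download
verify_package "$demo_dir/hashes.txt" "$pkg" || echo "MISMATCH: do not install"
```

A return code of 2 means the file name was not found in the hashes file (or was listed with conflicting hashes), which should be treated as a failed check, not as a pass.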