Articles in this section

See more

How to check installer integrity with GPG on macOS

Avatar
Carl
  • Updated
Follow
 

Editions: Daedalus

Instructions for macOS

  1. Obtain both the Daedalus installer .pkg file and its corresponding .pkg.asc signature file – put them in the same directory.
  2. If you already have the GPG Suite installed, and a personal key generated, please skip to step 5, and if not, proceed with the next step.
  3. Go to https://gpgtools.org, head to the GPG Suite section, download the .dmg file and install it:
    • Right-click the .dmg file, then Open, which will open a new window with two icons: Install and Uninstall
    • Right-click the Install icon, and choose Open with.. -> Installer, which should start the GPG Suite installer
    • Follow through the installation wizard
  4. Once GPG Suite installation completes, it will ask you to create a new key pair (this is required for step 6, so please don’t skip it):
    • Enter a name and an email that suit you personally.
    • Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but it is not recommended if you intend to use this key and GPG Suite in future).
  5. Import the IOHK key using the GPG Keychain application:
    • Select Key -> Lookup Key on Key Server in the application menu
    • Search for signing.authority@iohk.io
    • Choose the key with fingerprint CBFAA9BA with the user ID “IOHK Signing Authority <signing.authority@iohk.io>”, then click Retrieve Key

    • Verify (right-click the imported key, then Details) that the fingerprint of the imported key is D325 87D4 090F E461 CAEE 0FF4 966E 5CB9 CBFA A9BA

    • if it’s not, the wrong key was imported, right-click and delete
    • if it is, we are good to proceed with the next step.
  6. Sign the imported IOHK key (this designates trust and is required for the next step):
    • Right-click on the imported IOHK key, then “Sign”.
  7. Verify the installer binary:
    • Right-click the Daedalus installer (.pkg file) in Finder (do NOT right click on the .asc file, that will not work), then select Services -> OpenPGP: Verify Signature of File (the .asc signature file must reside in the same directory)
    • The Verification Results dialog will then appear with the verdict in the Result column:
      1. “Signed by: IOHK Signing Authority <signing.authority@iohk.io> 1471941A – full trust” – if successful
      2. ..anything else means there was no valid signature for the installer.

Related articles

Comments

0 comments

Please sign in to leave a comment.