How to check Daedalus installer integrity
Windows PGP signature verification instructions
1. Obtain both the Daedalus installer .exe file and its corresponding .exe.asc signature file, and put them in the same directory.
2. Obtain the GNUPG package from https://www.gpg4win.org/
3. Proceed with installation and launch the Kleopatra component.
4. Unless you already have a personal GPG key, you will have to create one (which is required for step 6):
   - Select the menu item File -> New keypair -> Create a personal OpenPGP key pair.
   - Enter a name and an email address that suit you personally.
   - Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to use GNUPG in future).
5. Import the IOHK key:
   - File -> Lookup on Server
   - Allow network access to 'dirmngr' if the prompt arises
   - Search for signing.authority@iohk.io
   - If you cannot find the key, make sure hkp://Keys.Openpgp.org (or any other maintained PGP key server of your choice) is set as Kleopatra's default key server.
   - Import the key
   - Do not certify the key just yet
   - Right-click on the key and choose "Details"
   - Ensure that the fingerprint is D32587D4090FE461CAEE0FF4966E5CB9CBFAA9BA
   - If it is not, the wrong key was imported: right-click it and delete it
   - If it is, we are good to go
6. Certify the IOHK key (this designates trust and is required for the next step):
   - Once you have a personal GPG key, right-click on the imported IOHK key and choose Certify
   - Enable the IOHK user ID
   - Tick the "I have verified the fingerprint" checkbox (since you did, as per step 5) and proceed.
   - You should receive a message saying "Certification successful"
7. Verify the installer binary:
   - Click the Decrypt/Verify button on the Kleopatra toolbar
   - Choose the Daedalus installer .exe file in the file dialog (the .asc signature file must reside in the same directory)
8. If the verification is successful, you will receive a green-tinted message box saying:
   - Valid signature by signing.authority@iohk.io
   - Date of signature
   - With certificate D325 87D4 090F E461 CAEE 0FF4 966E 5CB9 CBFA A9BA
   Anything else would constitute a signature verification failure.
macOS PGP signature verification instructions
1. Obtain both the Daedalus installer .pkg file and its corresponding .pkg.asc signature file, and put them in the same directory.
2. If you already have the GPG Suite installed and a personal key generated, skip to step 5; if not, proceed with the next step.
3. Go to https://gpgtools.org, head to the GPG Suite section, download the .dmg file and install it:
   - Right-click the .dmg file, then Open, which will open a new window with two icons: Install and Uninstall
   - Right-click the Install icon and choose Open with.. -> Installer, which should start the GPG Suite installer
   - Follow through the installation wizard
4. Once GPG Suite installation completes, it will ask you to create a new key pair (this is required for step 6, so please don't skip it):
   - Enter a name and an email that suit you personally.
   - Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to use this key and GPG Suite in future).
5. Import the IOHK key using the GPG Keychain application:
   - Select Key -> Lookup Key on Key Server in the application menu
   - Search for signing.authority@iohk.io
   - Choose the key whose fingerprint ends in CBFAA9BA, with the user ID "IOHK Signing Authority <signing.authority@iohk.io>", then click Retrieve Key
   - Verify (right-click the imported key, then Details) that the fingerprint of the imported key is D325 87D4 090F E461 CAEE 0FF4 966E 5CB9 CBFA A9BA
     - If it is not, the wrong key was imported: right-click it and delete it
     - If it is, we are good to proceed with the next step.
6. Sign the imported IOHK key (this designates trust and is required for the next step):
   - Right-click on the imported IOHK key, then "Sign".
7. Verify the installer binary:
   - Right-click the Daedalus installer (.pkg file) in Finder (do NOT right-click the .asc file; that will not work), then select Services -> OpenPGP: Verify Signature of File (the .asc signature file must reside in the same directory)
   - The Verification Results dialog will then appear with the verdict:
     Trusted signature
     IOHK Signing Authority <signing.authority@iohk.io>
     9F98 40B5 0AE5 39A2 732C F646 C131 557F 1471 941A
   Anything different means there was no valid signature for the installer.
   Note that the fingerprint in this verdict (9F98 ... 941A) is not the primary-key fingerprint you checked on import (D325 ... A9BA): it identifies the key that actually produced the signature, which GPG associates with the imported IOHK key. The Linux output in the next section shows the same key ("using RSA key 9F98...941A" followed by "Good signature from IOHK Signing Authority").
Linux PGP signature verification instructions
1. Obtain both the Daedalus installer .bin file and its corresponding .bin.asc signature file, and put them in the same directory.
2. Ensure that gpg2 is available in your shell (assuming Ubuntu Linux), and if not, install it with:
   sudo apt-get install gnupg2
3. Generate your GPG keys if you don't have them already:
   gpg2 --generate-key
   Provide a user ID (real name and email) and choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to use this key and GNUPG in future).
4. Import the IOHK key:
   gpg2 --keyserver hkp://Keys.Openpgp.org --search-keys signing.authority@iohk.io
   In the selection dialogue, choose the key whose fingerprint ends in 966E5CB9CBFAA9BA (its long key ID).
5. Sign the IOHK key (this designates trust and is required for the next step):
   gpg2 --lsign-key D32587D4090FE461CAEE0FF4966E5CB9CBFAA9BA
6. Verify the installer binary using the .asc signature (the .asc signature file must reside in the same directory as the installer binary):
   gpg2 --verify daedalus-4.2.0-mainnet-18540.bin.asc
7. Successful verification should produce a message like the following:
   gpg: assuming signed data in daedalus-4.2.0-mainnet-18540.bin.pkg
   gpg: Signature made ...DATE...
   gpg: using RSA key 9F9840B50AE539A2732CF646C131557F1471941A
   gpg: checking the trustdb
   gpg: marginals needed: 3  completes needed: 1  trust model: pgp
   gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
   gpg: next trustdb check due at ...DATE...
   gpg: Good signature from IOHK Signing Authority
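All three sections above come down to the same check: the signature must be valid, and it must come from the key whose fingerprint you confirmed on import (D325 ... A9BA), even though the key that actually produced the signature shows up as 9F98 ... 941A. The following script is an added example, not part of the Daedalus instructions or of IOHK's tooling. It automates that check on Linux by reading gpg's machine-readable `--status-fd` lines (the `VALIDSIG` line, whose last field is the primary-key fingerprint, as documented in GnuPG's doc/DETAILS) rather than grepping the human-readable "Good signature" text, and rejects BADSIG, NO_PUBKEY, a missing VALIDSIG, or a valid signature from any other primary key. The `verify_installer` helper assumes a `gpg2` binary on PATH; the sample status transcripts embedded in the script are constructed for illustration (the key IDs and fingerprints in them are the ones quoted on this page, the "wrong key" fingerprint is a placeholder).

```python
"""Pin the IOHK primary-key fingerprint when checking a gpg signature.

Added example (not part of the Daedalus instructions). It evaluates the
lines gpg prints with --status-fd instead of the human-readable output.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Primary-key fingerprint the instructions tell you to check on import.
IOHK_PRIMARY_FPR = "D32587D4090FE461CAEE0FF4966E5CB9CBFAA9BA"

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    ok: bool
    reason: str
    signing_key: str = ""   # fingerprint of the (sub)key that made the signature
    primary_key: str = ""   # fingerprint of the primary key it belongs to


def normalize_fpr(fpr: str) -> str:
    """Strip the spaces Kleopatra/GPG Suite insert (D325 87D4 ...) and upper-case."""
    return fpr.replace(" ", "").upper()


def evaluate_status(status_text: str, expected_primary: str = IOHK_PRIMARY_FPR) -> Verdict:
    """Decide on a gpg --status-fd transcript.

    Accept only a VALIDSIG line whose trailing primary-key fingerprint equals
    the pinned value; BADSIG, NO_PUBKEY or a missing VALIDSIG fail.
    """
    expected = normalize_fpr(expected_primary)
    validsig = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "BADSIG":
            return Verdict(False, "BADSIG: signature does not match the file")
        if tag == "NO_PUBKEY":
            return Verdict(False, f"NO_PUBKEY: signing key {args[0]} is not imported")
        if tag == "VALIDSIG":
            validsig = args
    if validsig is None:
        return Verdict(False, "no VALIDSIG line: signature missing, expired or unusable")
    # VALIDSIG <sig-fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
    #          <hash-algo> <sig-class> [<primary-key-fpr>]
    signing_fpr = normalize_fpr(validsig[0])
    primary_fpr = normalize_fpr(validsig[9]) if len(validsig) > 9 else signing_fpr
    if primary_fpr != expected:
        return Verdict(False, f"signed under primary key {primary_fpr}, expected {expected}",
                       signing_fpr, primary_fpr)
    return Verdict(True, "valid signature by the pinned IOHK key", signing_fpr, primary_fpr)


def verify_installer(installer: str, signature: Optional[str] = None, gpg: str = "gpg2") -> Verdict:
    """Run gpg on a real installer/.asc pair and evaluate its status output (needs gpg installed)."""
    signature = signature or installer + ".asc"
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, installer],
        capture_output=True, text=True,
    )
    return evaluate_status(proc.stdout)


# Constructed sample transcripts (not captured from a real run).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED D32587D4090FE461CAEE0FF4966E5CB9CBFAA9BA 0
[GNUPG:] GOODSIG C131557F1471941A IOHK Signing Authority <signing.authority@iohk.io>
[GNUPG:] VALIDSIG 9F9840B50AE539A2732CF646C131557F1471941A 2021-09-01 1630454400 0 4 0 1 10 00 D32587D4090FE461CAEE0FF4966E5CB9CBFAA9BA
[GNUPG:] TRUST_FULLY 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG C131557F1471941A IOHK Signing Authority <signing.authority@iohk.io>
"""
NO_PUBKEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG C131557F1471941A 1 10 00 1630454400 9 9F9840B50AE539A2732CF646C131557F1471941A
[GNUPG:] NO_PUBKEY C131557F1471941A
"""
# Placeholder primary-key fingerprint for a key that is not IOHK's.
WRONG_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-09-01 1630454400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, sample in [("good", GOOD_STATUS), ("bad", BAD_STATUS),
                         ("no_pubkey", NO_PUBKEY_STATUS), ("wrong_key", WRONG_KEY_STATUS)]:
        print(f"{name:10} -> {evaluate_status(sample)}")
```

On a real installer, `verify_installer("daedalus-4.2.0-mainnet-18540.bin")` runs step 6 and applies the pinned-fingerprint check to its output; the "wrong key" sample is the case the fingerprint checks in steps 4 and 5 exist to catch, where gpg would still print "Good signature" for a valid signature made by an impostor key you had imported.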