How to check Daedalus installer integrity
Windows PGP signature verification instructions
1. Obtain both the Daedalus installer .exe file and its corresponding .exe.asc signature file, and put them in the same directory.
2. Obtain the GnuPG package from https://www.gpg4win.org/
3. Proceed with the installation and launch the Kleopatra component.
4. Unless you already have a personal GPG key, you will have to create one (this is required for step 6):
   - Select the menu item File -> New keypair -> Create a personal OpenPGP key pair.
   - Enter a name and an email address that suit you personally.
   - Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to use GnuPG in future).
5. Import the IOHK key:
   - File -> Lookup on Server
   - Allow network access to 'dirmngr' if the prompt appears
   - Search for signing.authority@iohk.io
   - If you cannot find the key, make sure hkp://Keys.Openpgp.org (or any other maintained PGP key server of your choice) is set as Kleopatra's default key server.
   - Import the key
   - Do not certify the key just yet
   - Right-click on the key and choose "Details"
   - Ensure that the fingerprint is 53D0FA8DA2B8D1FF4975AECBF99D6C70C2B3FB43
   - If it is not, the wrong key was imported: right-click it and delete it
   - If it is, we are good to go
6. Certify the IOHK key (this designates trust and is required for the next step):
   - Once you have a personal GPG key, right-click on the imported IOHK key and choose Certify
   - Enable the IOHK user ID
   - Tick the "I have verified the fingerprint" checkbox (since you did, as per step 5) and proceed.
   - You should receive a message saying "Certification successful"
7. Verify the installer binary:
   - Click the Decrypt/Verify button on the Kleopatra toolbar
   - Choose the Daedalus installer .exe file in the file dialog (the .asc signature file must reside in the same directory)
8. If the verification is successful, you will receive a green-tinted message box saying:
   - Valid signature by signing.authority@iohk.io
   - Date of signature
   - With certificate 53D0 FA8D A2B8 D1FF 4975 AECB F99D 6C70 C2B3 FB43
   Anything else would constitute a signature verification failure.
macOS PGP signature verification instructions
1. Obtain both the Daedalus installer .pkg file and its corresponding .pkg.asc signature file, and put them in the same directory.
2. If you already have the GPG Suite installed and a personal key generated, skip to step 5; if not, proceed with the next step.
3. Go to https://gpgtools.org, head to the GPG Suite section, download the .dmg file and install it:
   - Right-click the .dmg file, then Open, which opens a new window with two icons: Install and Uninstall
   - Right-click the Install icon and choose Open with... -> Installer, which should start the GPG Suite installer
   - Follow through the installation wizard
4. Once the GPG Suite installation completes, it will ask you to create a new key pair (this is required for step 6, so please don't skip it):
   - Enter a name and an email that suit you personally.
   - Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to use this key and GPG Suite in future).
5. Import the IOHK key using the GPG Keychain application:
   - Select Key -> Lookup Key on Key Server in the application menu
   - Search for signing.authority@iohk.io
   - Choose the key with fingerprint C2B3FB43 and the user ID "IOHK Signing Authority <signing.authority@iohk.io>", then click Retrieve Key
6. Verify (right-click the imported key, then Details) that the fingerprint of the imported key is 53D0 FA8D A2B8 D1FF 4975 AECB F99D 6C70 C2B3 FB43
   - If it is not, the wrong key was imported: right-click it and delete it
   - If it is, we are good to proceed with the next step.
7. Sign the imported IOHK key (this designates trust and is required for the next step):
   - Right-click on the imported IOHK key, then "Sign".
8. Verify the installer binary:
   - Right-click the Daedalus installer (.pkg file) in Finder (do NOT right-click the .asc file; that will not work), then select Services -> OpenPGP: Verify Signature of File (the .asc signature file must reside in the same directory)
   - The Verification Results dialog will then appear with the verdict:
     Trusted signature
     IOHK Signing Authority <signing.authority@iohk.io>
     1429 962A 8C47 A3F9 24AE D49F D7B2 E172 D11C 4B3C
   Anything different means there was no valid signature for the installer.
Linux PGP signature verification instructions
1. Obtain both the Daedalus installer .bin file and its corresponding .bin.asc signature file, and put them in the same directory.
2. Ensure that gpg2 is available in your shell (assuming Ubuntu Linux), and if not, install it with:
   apt-get install gnupg2
3. Generate your GPG keys if you don't have them already:
   gpg2 --generate-key
   Provide a user ID (real name and email).
   Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to use this key and GnuPG in future).
4. Import the IOHK key:
   gpg2 --keyserver hkp://Keys.Openpgp.org --search-keys signing.authority@iohk.io
   In the selection dialogue, choose the key with fingerprint F99D6C70C2B3FB43
5. Sign the IOHK key (this designates trust and is required for the next step):
   gpg2 --lsign 53D0FA8DA2B8D1FF4975AECBF99D6C70C2B3FB43
6. Verify the installer binary using the .asc signature (the .asc signature file must reside in the same directory as the installer binary):
   gpg2 --verify daedalus-5.2.0-mainnet-22505-x86_64-linux.bin.asc
7. Successful verification should produce a message like the following:
   gpg: assuming signed data in daedalus-4.2.0-mainnet-18540.bin.pkg
   gpg: Signature made ...DATE...
   gpg: using RSA key 1429962A8C47A3F924AED49FD7B2E172D11C4B3C
   gpg: checking the trustdb
   gpg: marginals needed: 3 completes needed: 1 trust model: pgp
   gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
   gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
   gpg: next trustdb check due at ...DATE...
   gpg: Good signature from IOHK Signing Authority
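The three procedures above all end in the same decision: the signature is valid and it was made by the key whose fingerprint you checked. The following script is an added example, not part of the IOHK instructions, showing how to make that decision in a script on Linux (Kleopatra and GPG Suite are front-ends over the same GnuPG engine). Rather than grepping the human-readable "Good signature" text, which gpg also prints for keys you have never verified (followed by a WARNING), it reads gpg's machine-readable status lines (--status-fd) and pins both fingerprints quoted on this page: the primary key 53D0...FB43 and the signing subkey 1429...4B3C that appears in the verification output. It assumes the signature file is named <installer>.asc next to the installer, that the IOHK key has already been imported (step 4), and that either gpg2 or gpg is on PATH (override with the GPG environment variable); the VALIDSIG field layout follows GnuPG's doc/DETAILS. Because the fingerprint is pinned here, the --lsign step is not needed for the script's verdict.

```shell
#!/bin/sh
# Added example, not from the Daedalus/IOHK page: verify a detached PGP
# signature and pin the signing key's fingerprint by parsing gpg's
# --status-fd output instead of the human-readable report.

# Fingerprints as quoted on the page: primary key (the one checked in
# Kleopatra / GPG Keychain) and the signing subkey shown in gpg's output.
EXPECTED_PRIMARY="53D0FA8DA2B8D1FF4975AECBF99D6C70C2B3FB43"
EXPECTED_SIGNING="1429962A8C47A3F924AED49FD7B2E172D11C4B3C"

# check_status STATUS_TEXT
# STATUS_TEXT holds gpg status lines of the form "[GNUPG:] KEYWORD args...".
# Returns 0 only if a VALIDSIG line carries the pinned signing-subkey
# fingerprint (field 3) and the pinned primary-key fingerprint (field 12),
# and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
# VALIDSIG layout (GnuPG doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-fpr> <date> <timestamp> <expire> <version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>
check_status() {
    printf '%s\n' "$1" | awk -v sig="$EXPECTED_SIGNING" -v pri="$EXPECTED_PRIMARY" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == sig && $12 == pri { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_installer FILE
# Runs gpg on FILE.asc and FILE (both named explicitly, so gpg cannot pick the
# wrong data file) and applies check_status to the captured status lines.
# Assumes the IOHK key has been imported already.
verify_installer() {
    file="$1"
    gpg_bin="${GPG:-gpg2}"
    command -v "$gpg_bin" >/dev/null 2>&1 || gpg_bin=gpg
    # --status-fd 1 puts the status lines on stdout; the human-readable report
    # stays on stderr. gpg exits non-zero on a bad signature, which is fine:
    # the verdict is taken from the status lines, not from the exit code.
    status=$("$gpg_bin" --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null) || true
    check_status "$status"
}

# Self-check on a constructed status transcript (not real gpg output; the
# date and timestamp are made up). Pass an installer path as the first
# argument to verify a real file instead.
SAMPLE_STATUS="[GNUPG:] GOODSIG D7B2E172D11C4B3C IOHK Signing Authority <signing.authority@iohk.io>
[GNUPG:] VALIDSIG 1429962A8C47A3F924AED49FD7B2E172D11C4B3C 2021-05-01 1619827200 0 4 0 1 10 00 53D0FA8DA2B8D1FF4975AECBF99D6C70C2B3FB43
[GNUPG:] TRUST_FULLY 0 pgp"

if [ -n "$1" ]; then
    if verify_installer "$1"; then
        echo "OK: $1 is signed by the pinned IOHK key"
    else
        echo "FAIL: $1 has no valid signature from the pinned IOHK key"
        exit 1
    fi
elif check_status "$SAMPLE_STATUS"; then
    echo "sample status: pinned fingerprints matched"
else
    echo "sample status: check failed"
fi
```

A VALIDSIG line from an older gpg that omits the primary-key fingerprint leaves field 12 empty and is rejected, which is the conservative outcome; the same applies to a transcript that contains only the "Good signature" text and no status lines at all.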