“I need to download Daedalus. What do I need to do to stay safe?”
We will describe and explain best practises for acquiring and using Daedalus starting with a basic example for everyone and followed by an instruction for the more experienced users.
- Evaluate the website address. Spot the difference: daedaluswallet.(domain) and daedaluswaIIet.(domain) (hint: the second link has capitalized i’s)
- Watch out for poor spelling, grammar and inconsistencies
- When in doubt, give a shout! We would rather have our people to be cautious and ask us for confirmation than users getting scammed.
Watch the video for an explainer:
Still not sure? Please proceed here to verify the integrity of the installer:
How to verify the Windows installer
- Download the Windows installer of Daedalus
- View the SHA256 checksum on https://daedaluswallet.io/#download beneath the Windows version
- Press Windows Start Menu
- Type cmd
- You should see cmd.exe in the list of results. Click on cmd.exe to launch it.
- Type or paste: certutil -hashfile
- Press space
- Drag and drop Daedalus installer from your file location to command prompt
- Press space
- Type or paste: SHA256
- Press enter key
You should see the following output, where string on the second line is the SHA256 checksum:
SHA256 hash of file C:\Users\YOUR_USERNAME\Downloads\daedalus-(version)-cardano-sl-(version)-mainnet-windows-7144.exe:
95 c8 12 74 a5 dc b8 94 db 5b 93 a4 9c 12 cf aa 70 52 7f 9a f3 99 8f e7 3e e1 5b c3 fe 63 b7 35
CertUtil: -hashfile command completed successfully.
You can also do this manually from the command line in one go:
SHA256 checksum can be verified using the following command: certutil -hashfile C:\Users\YOUR_USERNAME\Downloads\daedalus-0.14.0-cardano-sl-3.0.3-mainnet-windows-7144.exe SHA256
How to verify the OSX installer:
Obtain both the Daedalus installer .pkg file, and its corresponding .pkg.asc signature file – put them in the same directory.
If you already have the GPG Suite installed, and a personal key generated, please skip to step 5, and if not, proceed with the next step.
Go to https://gpgtools.org, head to the GPG Suite section, download the .dmg file and install it:
- Right-click the .dmg file, then Open, which will open a new window with two icons: Install and Uninstall
- Right-click the Install icon, and choose Open with… -> Installer, which should start the GPG Suite installer
- Follow through the installation wizard
Once GPG Suite installation completes, it will ask you to create a new key pair (this is required for step 6, so please don’t skip it):
- Enter a name and an email that suit you personally.
- Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but it is not recommended if you intend to use this key and GPG Suite in future).
Import the IOHK key using the GPG Keychain application:
- Select Key -> Lookup Key on Key Server in the application menu
- Search for email@example.com
- Choose the key with fingerprint CBFAA9BA with the user ID “IOHK Signing Authority firstname.lastname@example.org”, then click Retrieve Key
- Verify (right-click the imported key, then Details) that the fingerprint of the imported key is D325 87D4 090F E461 CAEE 0FF4 966E 5CB9 CBFA A9BA
- if it’s not, the wrong key was imported, right click and delete
- if it is, we are good to proceed with the next step.
Sign the imported IOHK key (this designates trust and is required for the next step):
- Right-click on the imported IOHK key, then “Sign”.
Verify the installer binary:
- Right-click the Daedalus installer (.pkg file) in Finder (do NOT right click on the .asc file, that will not work), then select Services -> OpenPGP: Verify Signature of File (the .asc signature file must reside in the same directory)
- The Verification Results dialog will then appear with the verdict in the Result column:
- “Signed by: IOHK Signing Authority email@example.com 1471941A – full trust” – if successful
- …anything else means there was no valid signature for the installer.
That’s all for now. Please don’t hesitate to contact us if you have any follow up questions.