Cardano Stay Safe Series: Verifying integrity of websites and installers

“I need to download Daedalus. What do I need to do to stay safe?”

We will describe and explain best practices for acquiring and using Daedalus, starting with a basic checklist for everyone, followed by step-by-step instructions for more experienced users.

Some tips:

  • Evaluate the website address. Spot the difference: daedaluswallet.(domain) and daedaluswaIIet.(domain) (hint: the second address has capital I's in place of lower-case l's, which look identical in many fonts)
  • Watch out for poor spelling, grammar and inconsistencies
  • When in doubt, give a shout! We would rather have our users be cautious and ask us for confirmation than get scammed.

Watch the video for an explainer:

Still not sure? Please proceed here to verify the integrity of the installer:

How to verify the Windows installer

  1. Download the Windows installer of Daedalus
  2. View the SHA256 checksum on https://daedaluswallet.io/#download beneath the Windows version
  3. Press Windows Start Menu
  4. Type cmd
  5. You should see cmd.exe in the list of results. Click on cmd.exe to launch it.
  6. Type or paste: certutil -hashfile
  7. Press space
  8. Drag and drop Daedalus installer from your file location to command prompt
  9. Press space
  10. Type or paste: SHA256
  11. Press enter key

You should see output like the following, where the string on the second line is the SHA256 checksum. Compare the whole string against the checksum on the download page, not just the first few characters. Older versions of certutil print the bytes separated by spaces, newer ones (see the Windows 10 output further down this thread) print them as one string; only the hex digits matter.

SHA256 hash of file C:\Users\YOUR_USERNAME\Downloads\daedalus-(version)-cardano-sl-(version)-mainnet-windows-7144.exe:

95 c8 12 74 a5 dc b8 94 db 5b 93 a4 9c 12 cf aa 70 52 7f 9a f3 99 8f e7 3e e1 5b c3 fe 63 b7 35

CertUtil: -hashfile command completed successfully.

You can also do this manually from the command line in one go. Quote the path if it contains spaces:

certutil -hashfile "C:\Users\YOUR_USERNAME\Downloads\daedalus-0.14.0-cardano-sl-3.0.3-mainnet-windows-7144.exe" SHA256
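The same check as a reusable shell function, added here as an example (not code from the original post or from the Daedalus project). It runs on macOS and Linux, and on Windows from Git Bash; the checksum-normalisation step accepts both the space-separated certutil format and the one-string format, and it rejects a partial checksum instead of matching on a prefix. The file path and the checksum in the usage line are placeholders. Remember that the published checksum is only as trustworthy as the page you copied it from, which is why the address check above comes first.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: compare a downloaded installer's
# SHA256 with the checksum published on the download page.
set -u

# Compute the SHA256 of a file as 64 lowercase hex characters.
# Linux ships sha256sum, macOS ships shasum; use whichever exists.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{print $1}'
  else
    shasum -a 256 -- "$1" | awk '{print $1}'
  fi
}

# Normalise a checksum copied from a web page or from certutil output:
# older certutil prints "95 c8 12 ..." with spaces and some pages use upper-case
# hex. Strip whitespace and lower-case the result so the comparison is exact.
normalize_hash() {
  printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED
# Returns 0 only if FILE hashes to exactly the 64-hex-digit EXPECTED value.
# A non-hex or wrong-length EXPECTED returns 2 rather than silently matching a prefix.
verify_sha256() {
  file="$1"
  expected="$(normalize_hash "$2")"
  case "$expected" in
    *[!0-9a-f]*|'') echo "expected checksum is not hex: $2" >&2; return 2 ;;
  esac
  if [ "${#expected}" -ne 64 ]; then
    echo "expected checksum has ${#expected} hex digits, need 64 (copy the whole line)" >&2
    return 2
  fi
  actual="$(file_sha256 "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  got      $actual" >&2
  echo "  expected $expected" >&2
  echo "  check that the checksum belongs to the exact version you downloaded, then re-download" >&2
  return 1
}

# Usage (placeholder path and checksum):
#   verify_sha256 ~/Downloads/daedalus-<version>-mainnet-windows-<build>.exe "<checksum from download page>"
```

A mismatch is not always an attack: as the thread below shows, the most common cause is comparing against the checksum of a different release. Check the version in the file name first, then re-download from the verified address if it still does not match.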

How to verify the OSX installer:

Obtain both the Daedalus installer .pkg file, and its corresponding .pkg.asc signature file – put them in the same directory.

If you already have GPG Suite installed and a personal key generated, skip ahead to importing the IOHK key below; if not, proceed with the next step.

Go to https://gpgtools.org, head to the GPG Suite section, download the .dmg file and install it:

  • Right-click the .dmg file, then Open, which will open a new window with two icons: Install and Uninstall
  • Right-click the Install icon, and choose Open with… -> Installer, which should start the GPG Suite installer
  • Follow through the installation wizard

Once the GPG Suite installation completes, it will ask you to create a new key pair (this is required later, when you sign the imported IOHK key, so please don't skip it):

  • Enter a name and an email that suit you personally.
  • Choose a passphrase to protect your personal key (NOTE: the passphrase can be empty, but that is not recommended if you intend to keep using this key and GPG Suite in future).

Import the IOHK key using the GPG Keychain application:

  • Select Key -> Lookup Key on Key Server in the application menu
  • Search for signing.authority@iohk.io
  • Choose the key with key ID CBFAA9BA (the last eight digits of the fingerprint) and the user ID "IOHK Signing Authority signing.authority@iohk.io", then click Retrieve Key
  • Verify (right-click the imported key, then Details) that the fingerprint of the imported key is D325 87D4 090F E461 CAEE 0FF4 966E 5CB9 CBFA A9BA. Short key IDs and user IDs are easy for an attacker to reproduce on a public key server; the full fingerprint is the check that actually matters.
  • If it is not, the wrong key was imported: right-click the key and delete it
  • If it is, proceed with the next step.

Sign the imported IOHK key (this records that you have checked its fingerprint, and is what makes the verification below report "full trust" instead of an unknown key):

  • Right-click on the imported IOHK key, then “Sign”.

Verify the installer binary:

  • Right-click the Daedalus installer (.pkg file) in Finder (do NOT right-click the .asc file, that will not work), then select Services -> OpenPGP: Verify Signature of File (the .asc signature file must reside in the same directory)
  • The Verification Results dialog will then appear with the verdict in the Result column:
    1. "Signed by: IOHK Signing Authority signing.authority@iohk.io 1471941A – full trust" – if successful (the eight-character ID shown here is that of the key that produced the signature, so it need not equal the key ID you searched for; the "full trust" part comes from your having signed the key whose fingerprint you verified)
    2. …anything else means there was no valid signature for the installer by the key you verified. Do not run the installer.
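The same verification with the gpg command line instead of the GPG Suite menu, added as an example (not code from the original post or from IOHK). The point it adds over the dialog is that a "good signature" is only meaningful if it was made by the key you checked: the function below parses GnuPG's machine-readable status output and accepts the result only when the VALIDSIG line carries the IOHK fingerprint from the post, either as the signing key or as its primary key. It assumes GnuPG 2.x is installed and the key has been imported (gpg --recv-keys with the full fingerprint). The status lines in the comments are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: verify a Daedalus .pkg against
# its .pkg.asc with gpg, accepting only a signature by the IOHK key fingerprint
# named in the post (assumed still current; check the download page).
set -u

IOHK_FINGERPRINT="D32587D4090FE461CAEE0FF4966E5CB9CBFAA9BA"

# validsig_matches EXPECTED_FINGERPRINT  (GnuPG --status-fd output on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FINGERPRINT as the signing key
# or as the primary key. GOODSIG alone means "valid for some key in your keyring",
# which is not the same as "signed by IOHK".
# VALIDSIG fields: [GNUPG:] VALIDSIG <signing-key-fpr> <date> <timestamp> <expiry>
#   <sig-version> <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
validsig_matches() {
  expected="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')"
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        set -- $line
        signing_fpr="$3"
        for primary_fpr; do :; done   # leaves the last field in primary_fpr
        if [ "$signing_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
          echo "valid signature by $signing_fpr (primary key $primary_fpr)"
          return 0
        fi
        ;;
    esac
  done
  echo "no valid signature by $expected (unsigned, bad signature, or a different key)" >&2
  return 1
}

# verify_installer_signature PKG [SIG]
# Runs gpg with --status-fd 1 so the machine-readable status goes to stdout
# (human-readable messages go to stderr) and hands it to validsig_matches.
# gpg's own exit status is deliberately ignored: the fingerprint check decides.
verify_installer_signature() {
  pkg="$1"
  sig="${2:-$1.asc}"
  status="$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null)" || true
  printf '%s\n' "$status" | validsig_matches "$IOHK_FINGERPRINT"
}

# Usage, with the installer and its .asc in the current directory (placeholder name):
#   gpg --recv-keys "$IOHK_FINGERPRINT"      # once; then compare the fingerprint gpg shows
#   verify_installer_signature daedalus-<version>-mainnet-macos-<build>.pkg
```

If you have not signed or trusted the key locally, gpg will print a warning that the key is not certified with a trusted signature; that warning is about the web of trust, not about whether the signature is valid, and the fingerprint comparison above is what replaces it.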

As an alternative, our community member @rickymac has made a video showing how to verify the Daedalus signatures on Windows and OSX.

That’s all for now. Please don’t hesitate to contact us if you have any follow up questions.

Thanks!


Hello, I am new to all this exciting world of Cardano. I just downloaded the Daedalus wallet and the SHA256 check doesn't match for me. I get the following message.

Microsoft Windows [Version 10.0.18362.418]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>certutil -hashfile "C:\Users\Rafael Jaén\Desktop\daedalus-0.15.0-cardano-sl-3.1.0-mainnet-windows-8276 (1).exe" SHA256
SHA256 hash of C:\Users\Rafael Jaén\Desktop\daedalus-0.15.0-cardano-sl-3.1.0-mainnet-windows-8276 (1).exe:
25228cfb27c075cd1229df57a4974021c351709220aab153e064f640bce57553
CertUtil: -hashfile command completed successfully.

Could someone help me and tell me if the message is correct? Thank you.

The following result is supposed to come out:
0a7cbb2cfac0b317be583d8fe451640e76fdf61f20d216fb8e0d79a178877c6a

The hash 25228cfb27c075cd1229df57a4974021c351709220aab153e064f640bce57553 you got is correct for 0.15.0, which is however not the newest version available.

Yes, this is for 0.15.1, but you downloaded and tested 0.15.0.

But when I open the wallet it says Daedalus 0.15.1 # 3.1.0.8695

The file you specified on the command line (see above) is 0.15.0.

Then everything is OK. I can now pass my ada quietly to my wallet, right?

I meant safely. Sorry for the translation; I am Spanish.