How can I verify that my Exodus download is authentic?

Information about Exodus wallet's official download sources, and how to make sure you've installed an authentic version of the Exodus app.


Need a crypto wallet that gives you full control of your assets? You can download Exodus here.

https://www.exodus.io/download/ and https://www.exodus.com/download/ are the only official portals for Exodus Desktop downloads.




What are release hashes?

A hash is a unique signature of a file's contents. Checking that the hash of the installer you downloaded matches the hash we publish ensures that the file was not tampered with between our server and your computer.

Security and trust are some of Exodus' top concerns and key issues in the world of crypto-currencies. We want to make sure our users know they are downloading a legitimate and untampered copy of Exodus, so we digitally sign each installer package with our official developer signature.

We also publish PGP signed hashes of each installer for every new version of Exodus that is released, so our advanced users can verify that the hashes we publish came from us.

The instructions below include verifying the signature of the file and producing its SHA256 hash, which you can compare to the hashes we publish with each release.

Verifying the signature of the file proves that the installer was indeed published by us, while checking the hash of the file ensures it has not been tampered with between our servers and your computer. Although such an event is unlikely, as long as you download Exodus from our official download page, it's generally a good security practice to verify the hash of the files you download.


Where can I find the release hashes?

You can find our release hashes on our download page, https://www.exodus.com/download/.


How do I use release hashes to verify the installer's authenticity?

  1. First, you will need to find the release hashes. See the following guide on how to find the release hashes: Where can I find the release hashes?

  2. Next, to verify that the release hashes are authentic and belong to Exodus Movement, Inc., copy the text of the release hashes.

  3. Go to the website https://keybase.io/verify and a) paste in the release hashes from step 2, then b) click Verify.

    Keybase is a third-party platform that is not affiliated with Exodus. As such, Exodus cannot guarantee the performance of its products/services or that the steps shown and the information provided will always be accurate.

  4. If the release hashes are authentic, after you click Verify, you will see the message Signed by exodusmovement.

Instructions for Windows

Here's how to double-check Exodus' developer signature on the install package:

  1. Open the properties menu of the installer.

  2. a) Go to the "Digital Signatures" tab and b) verify that the signature is from "Exodus Movement Inc".

In order to check the SHA256 hash of the installer please follow these steps:

  1. Open Command Prompt

  2. Enter this command and add a space at the end:

    certutil -hashfile 

  3. Then drag and drop the file you just downloaded. That will fill out its path.

  4. Finally, type sha256. The command would look something like this:

    certutil -hashfile "C:\Users\username\Downloads\exodus-windows-x64-19.1.18.exe" sha256

  5. Press Enter.

The result is the hash of the file, which should match the hash found on our download page.


Instructions for macOS

Mac OS X users benefit from a built-in app-signature-verifying system called Gatekeeper. Whenever you open a Mac OS X application, Gatekeeper automatically verifies the authenticity of the application's developer signature. Unless you have gone to the trouble of intentionally disabling Gatekeeper in System Preferences, you should not need to verify your downloads, as Apple's software already does it for you whenever you open the Exodus application.

If Mac OS prompts you, when opening Exodus, that the application is from an 'uncertified developer', then you should not open it. You may have downloaded an unsigned or illegitimate copy of Exodus.

For users who would rather verify their Exodus installation manually, here's how:

  1. Open the Mac OS X Terminal application located here (or by searching for Terminal in Spotlight):
    /Applications/Utilities/Terminal.app

  2. Enter this command:

    codesign -dv --verbose=4 

  3. Remember to include the space at the end. Then, drag and drop the downloaded .dmg installer file into the terminal window. This will automatically populate the file path of the installer into the terminal.

  4. Press Enter and Terminal should print out the developer certification information. Look specifically for these lines and make sure they match:

    Authority=Developer ID Application: Exodus Movement Inc (VK5Q293EVL)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA


To cross-check the SHA256 hash against the ones published on our download page, please follow these steps:

  1. In Terminal enter the following:

    openssl dgst -sha256 

  2. Remember to include the space at the end. Then, click and drag the downloaded .dmg installer file into the terminal window. Once more, this will automatically populate the file path into the console.


Instructions for Linux

First, verify the authenticity of the release hashes, as explained here.

Then, Linux users with GnuPG and curl installed can verify the authenticity of a downloaded Exodus package with a simple two-line script. You must include the URL to the current version's published release hashes, which can be found at https://www.exodus.com/download/.

To verify the downloaded package hasn't been tampered with, verify its SHA256 hash against the hash published on our website by running this command in Terminal:

    curl -s URL-TO-RELEASE-HASHES | grep linux ; shasum -a 256 ~/Downloads/exodus-linux*

URL-TO-RELEASE-HASHES is the link you copied in the screenshot above. So, the command for version 20.7.20 would look like this:

    curl -s https://downloads.exodus.io/releases/hashes-exodus-20.7.20.txt | grep linux ; shasum -a 256 ~/Downloads/exodus-linux-x64-20.7.20.zip

If these two hashes match, then you know the package is authentic and un-tampered with!
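The command above leaves the comparison to the eye, and `grep linux` can print more than one line. The following script is an added example, not Exodus' own code, that compares the computed hash to the published entry for the exact file name and fails if there is no unique match. It assumes the release hashes were saved to a local file after their signature was verified, and that each entry has the `sha256sum` layout (`<hash>  <file name>`); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Exodus' script). Assumes the hashes file uses sha256sum
# layout, "<64 hex chars>  <file name>", and was already signature-checked.

# Print the SHA256 of a file as lowercase hex with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  else
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  fi
}

# Print the published hash for an exact file name.
# Fails unless exactly one well-formed entry matches, so a missing or
# duplicated line is never treated as a match.
published_hash() {
  local hashes_file=$1 name=$2 matches
  matches=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }   # sha256sum marks binary mode with "*"
    f == n && $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 64 { print tolower($1) }
  ' "$hashes_file")
  [ -n "$matches" ] && [ "$(printf '%s\n' "$matches" | wc -l)" -eq 1 ] || return 1
  printf '%s\n' "$matches"
}

# Return 0 on match, 1 on mismatch, 2 when no usable published entry exists.
verify_download() {
  local hashes_file=$1 file=$2 name want got
  name=$(basename "$file")
  want=$(published_hash "$hashes_file" "$name") || {
    echo "FAIL: no unique published entry for $name" >&2; return 2; }
  got=$(sha256_of "$file")
  if [ "$got" = "$want" ]; then
    echo "OK: $name matches the published hash"
  else
    echo "FAIL: hash mismatch for $name" >&2; return 1
  fi
}

# Usage: ./verify.sh <saved-hashes-file> <downloaded-installer>
if [ "$#" -eq 2 ]; then verify_download "$1" "$2"; fi
```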


What standard does Exodus use for the version numbers?

Exodus uses a week-based system for the version numbers.

Exodus version numbers are formatted as yy.ww.bb, where yy represents the year, ww is the week number, and bb is the build number, which is the number of builds before the final production build for that release.

This means the Exodus version 24.9.7 was released in the 9th week of 2024, and the build number is 7.

Before March 2024, Exodus releases used date-based version numbers, and version numbers were formatted as yy.mm.dd.
