Firefly
Firefly is IOTA's new official wallet for Chrysalis.
Website: https://firefly.iota.org/
Code Repository: https://github.com/iotaledger/firefly
Verify your Firefly Desktop Download
When you download Firefly Desktop, you should verify its authenticity to make sure that you downloaded the correct one from the IOTA Foundation GitHub repository. In this how-to guide, you learn how to verify various Firefly Desktop downloads.
You can verify the authenticity of the Firefly Desktop by checking its SHA256 hash and code signature. The instructions for both of these steps differ, depending on your operating system.
Windows Operating System
Verify the SHA256 Hash
Open a command-line interface.
Create a SHA256 hash of the Firefly Desktop
.exe
file. Replace the path with the path to your Firefly.exe
file.
certUtil -hashfile path\to\firefly-desktop-version.exe SHA256
For example, if the file is in the C:\Users\yourname\Downloads
directory, do the following:
certUtil -hashfile C:\Users\yourname\Downloads\firefly-desktop-1.0.0.exe SHA256
- Compare your SHA256 hash with the one in the release notes and make sure that they match.
Verify the code signature
Right-click on
firefly-desktop-version.exe
.Go to Digital Signatures > Details > View Certificate.
For Firefly 1.2.0 and earlier
In the Certification Path tab, make sure that the path matches the following information:
- DigiCert.
- DigiCert SHA2 Assured Code Signing CA.
- IOTA Stiftung.
Make sure that the Certificate status reads "This certificate is OK.".
For Firefly 1.3.0 and later
In the Certification Path tab, make sure that the path matches the following information:
- Sectigo (AAA).
- Sectigo Public Code Signing Root R46.
- Sectigo Public Code Signing CA R36.
- IOTA Stiftung.
Make sure that the Certificate status reads, "This certificate is OK.".
MacOS Operating System
Verify the SHA256 Hash
Open the Terminal (in
/Applications/Utilities/Terminal
).Create a SHA256 hash of the Firefly Desktop
.dmg
file. Replace the path with the path to your Firefly.dmg
file.
shasum -a 256 /path/to/firefly-desktop-version.dmg
For example, if the file is in ~/Downloads
, do the following:
shasum -a 256 ~/Downloads/firefly-desktop-1.0.0.dmg
- Compare your SHA256 hash with the one in the release notes and make sure that they match.
Verify the code signature
Prerequisites
To follow these instructions you need the Xcode Command Line Tools.
Open the Terminal (in
/Applications/Utilities/Terminal
).Verify the
Firefly.app
file's signature. Replace the path with the path to yourFirefly.app
file. This command confirms whether the code binaries are actually signed, the signature is valid, all the sealed components are unaltered, and the signature passes some basic consistency checks.codesign -d -vv /path/to/Firefly.app
For example, if the file is in the
/Applications
directory, do the following:codesign -d -vv /Applications/Firefly.app
Make sure that the following information matches the output of the command:
Identifier=org.iota.firefly
Authority=Developer ID Application: IOTA Stiftung (UG77RJKZHH)
Authority=Developer ID Certification Authority
Authority=Apple Root CATest the signature against system policies. Replace the path with the path to your
Firefly.app
file.spctl -a -vv path/to/Firefly.app
For example, if the file is in the
/Applications
directory, do the following:spctl -a -vv /Applications/Firefly.app
Make sure that the following information matches the output of the command (assuming Firefly is in the
/Applications
directory):/Applications/Firefly.app: accepted
source=Developer ID
origin=Developer ID Application: IOTA Stiftung (UG77RJKZHH)
Linux Operating System
Verify the SHA256 Hash
Prerequisites
You will need the sha256sum
package, which is included with most Linux distributions.
Open the Terminal.
Create a SHA256 hash of the Firefly Desktop executable file. Replace the path with the path to your Firefly executable file.
sha256sum path/to/firefly-desktop-version.AppImage
For example, if the file is in ~/Downloads
, do the following:
sha256sum ~/Downloads/firefly-desktop-1.0.0.AppImage
- Compare your SHA256 hash with the one in the release notes and make sure that they match.
Verify the code signature
Download the .asc file in the Assets section of the release notes.
Import the Firefly GPG key from keyserver.ubuntu.com.
gpg --keyserver keyserver.ubuntu.com --recv 466385BD0B40D9550F93C04746A440CCE5664A64
Make sure that the following information matches the output of the command:
gpg: key 46A440CCE5664A64: public key "IOTA Foundation (IOTA Foundation Identity) <contact@iota.org>"
Verify the signature.
gpg --verify path/to/firefly-desktop-version.AppImage.asc path/to/firefly-desktop-version.AppImage
For example, if the .asc and .AppImage files are both in
~/Downloads
, do the following:gpg --verify ~/Downloads/firefly-desktop-1.0.0.AppImage.asc ~/Downloads/firefly-desktop-1.0.0.AppImage
Make sure that the following information matches the output of the command:
gpg: Good signature from "IOTA Foundation (IOTA Foundation Identity) <contact@iota.org>"