Bitcoin Forum

Installed the Linux EASY INSTALLATION method shown at download page: https://electrum.org/#download

How can I verify downloaded package? And Signature ?
Where is the application installed in Ubuntu ?


Thanks

#1 download the PGP key by ThomasV https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
#2 import it into gpg with gpg2 --import path/to/file.asc
#3 download electrum source https://download.electrum.org/2.7.18/Electrum-2.7.18.tar.gz
#4 download signature for source https://download.electrum.org/2.7.18/Electrum-2.7.18.tar.gz.asc
#5 verify download with gpg2 --verify Electrum-2.7.18.tar.gz.asc
#5.1 it should show a valid signature from an untrusted key
#6 untar with tar xvf Electrum-2.7.18.tar.gz
#7 run with python electrum from folder

Thanks, then I guess I need to uninstall Electrum first as I installed using the sudo apt-get install python-qt4 python-pip    etc etc
terminal cmmands to install it, and then follow the installation using Python sources

Maybe there is a way to verify that as well. I only used the source directly so I only know that way.

Flanagan,

Shorena's way is the surest.  That is how I did it before starting to use a hardware wallet with Electrum.  I am less worried now with my Trezor, but I still use the process below without fail.

Since you are using Linux you are likely to be OK the way you did it.  If you decide to continue downloading from Electrum the "easy way" you discussed, then perform a simple test to KNOW you are connected to the actual Electrum site.  How?  Confirm the site's certificate fingerprint before downloading.  Open the browser and observe the certificate symbol in the url window (the lock symbol).  Then open it up and observe the SHA256 fingerprint.  A MITM site cannot fully replicate the full fingerprint because it takes possession of the private key to generate a match.  Remember how we here sign a BTC address as members to prove we own our btc address?  Well the certificate allows for a similar strength proof.  If the site doesn't own the private side of the certificate key it won't and cannot match the correct fingerprint.  This is math and math won't allow for an imposter.  Go ahead and connect to Electrum's site using https and open the cert.  You should observe the following and if you don't you are not at Electrum's site.  Easy stuff.


SHA256

D0:9E:C1:85:9C:CF:85:4A:42:C1:48:38:8D:33:43:0C:4F:23:77:A3:BB:F3:DE:92:51:9F:0E:6F:E8:63:DE:C6


Now you need to save this fingerprint somewhere so when you return to Electrum (or the site you think is Electrum) you can view it and inspect for a match.  Without a match do not proceed with any download.  A cert will expire, so you will need to update every couple of years or so.  Hope this helps put your mind at ease.

Note that you are supposed to verify it before installing it:

https://bitcointalk.org/index.php?topic=518133.msg5981126#msg5981126

You don't have to be root to verify the download. You only need to be root if you want to install it. Also adjust the ELECTRUM_VERSION variable to the one you downloaded.

no you don't have to uninstall anything. the instructions there are correct. what you install using apt-get is already verified by apt prior to installation. you only need to verify the electrum tar ball that you downloaded.

Thanks for all the replies. I',m making screenshots and saving all the good information  for reference, thanks

Perhaps for now I will trust that what I installed using apt-get is already verified by apt prior to installation, so no need for to to further verify...

you misunderstood apt doesn't verify the electrum download. You did that using pip.

You installed dependencies via apt and those are verified:


But the pip install step did not involve apt. You have to verify the electrum tar ball manually

I created a script that downloads, verifies and installs electrum for you:

https://github.com/BitcoinsPakistan/electrum-install

Thanks again but I didn't download anything directly. I installed using this commenad shown on the electrum download page:

sudo pip install https://download.electrum.org/2.7.18/Electrum-2.7.18.tar.gz

So, since the command uses "pip" I have to trust that it is verified just installing like that right ?