Bitcoin Forum

Bitcoin => Electrum => Topic started by: ABCbits on November 15, 2018, 10:27:49 AM



Title: How do i verify Electrum installer on Linux?
Post by: ABCbits on November 15, 2018, 10:27:49 AM
As the title mentions, how do I verify Electrum on Linux? I'm talking about installing Electrum from the terminal with these commands:
Code:
Install dependencies:
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
Install Electrum:
sudo python3 -m pip install https://download.electrum.org/3.2.3/Electrum-3.2.3.tar.gz#egg=electrum[fast]

Or should I just download Electrum's source, verify its signature and compile it myself?


Title: Re: How do i verify Electrum installer on Linux?
Post by: bob123 on November 15, 2018, 11:33:42 AM
To verify Electrum on Linux:

1. Get ThomasV's PGP key:
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 2BD5824B7F9470E6

(verify yourself, don't trust me)

2. Get the signature file (from electrum.org)

3. Verify:
Code:
gpg --verify electrum_signature_file.asc electrum_downloaded_file.tar


You should see this line output (among others):
Code:
Good signature from "Thomas Voegtlin (https://electrum.org) "

That's the important line.
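
An added example (not from the thread) of scripting step 3 in POSIX sh: it reads gpg's machine-readable `--status-fd` output and accepts only a VALIDSIG line whose fingerprint matches the key ID from step 1, because the human-readable "Good signature from ..." text only shows a user ID that any key could carry. It assumes gpg is installed, the key has already been imported, and the `.asc` signature file sits beside the tarball.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies an Electrum tarball against
# its detached .asc signature using gpg's status lines instead of the
# "Good signature from ..." text. Assumes gpg is installed and the key is imported.

# Long key ID from the thread. Replace with the full 40-hex fingerprint
# published on electrum.org once you have confirmed it out of band.
EXPECTED_KEY="2BD5824B7F9470E6"

# gpg --status-fd emits lines like:
#   [GNUPG:] VALIDSIG <40-hex fingerprint> <date> <timestamp> ... <primary fpr>
# Print the fingerprint from the first VALIDSIG line on stdin, or nothing.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Read gpg status lines on stdin; succeed only if a VALIDSIG line names a key
# whose fingerprint ends with $1. A long key ID is the last 16 hex digits of a
# v4 fingerprint, so passing the full fingerprint is the strict form of the check.
check_validsig() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    fpr=$(validsig_fpr | tr '[:lower:]' '[:upper:]')
    [ -n "$fpr" ] || return 1
    case "$fpr" in
        *"$expected") return 0 ;;
        *) return 1 ;;
    esac
}

# Run gpg on a real download: status lines go to stdout, human text to stderr.
verify_electrum() {
    tarball="$1"
    gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null \
        | check_validsig "$EXPECTED_KEY"
}

# Usage: sh verify_electrum.sh Electrum-3.2.3.tar.gz
if [ -n "${1:-}" ]; then
    if verify_electrum "$1"; then
        echo "OK: $1 carries a valid signature from $EXPECTED_KEY"
    else
        echo "FAIL: no valid signature from $EXPECTED_KEY on $1" >&2
        exit 1
    fi
fi
```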


Title: Re: How do i verify Electrum installer on Linux?
Post by: bob123 on November 15, 2018, 05:48:13 PM
That's the preferred way, yes.

I am not aware of a way to verify the version PIP installs automatically.

However, I believe PIP is verifying the signature itself. But I'm not sure about this.


Title: Re: How do i verify Electrum installer on Linux?
Post by: Abdussamad on November 16, 2018, 09:23:09 AM
pip modules are not subject to review. It is indeed possible that backdoors might be introduced via them. 



Title: Re: How do i verify Electrum installer on Linux?
Post by: bob123 on November 16, 2018, 10:53:37 AM
Quote from: Abdussamad on November 16, 2018, 09:23:09 AM
pip modules are not subject to review. It is indeed possible that backdoors might be introduced via them.

This itself is not possible IF you trust the developer.

1) PIP is using https. This already eliminates some attack vectors (e.g. MITM).

2) PIP is using checksums (MD5 I believe) provided by the author (in this case ThomasV) to be sure it has not been tampered with.
This is not necessarily safe since MD5 is quite broken. But it at least is SOME security.

However, downloading it manually and checking the signature is more secure and eliminates any risk of maliciously replaced packages (this still requires that you trust the developer).


Title: Re: How do i verify Electrum installer on Linux?
Post by: Abdussamad on November 16, 2018, 03:52:39 PM
I meant the Electrum dependencies that get downloaded from PyPI. These are pip modules written by other authors and not by Thomas V.