Title: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: tranthidung on November 22, 2019, 07:46:43 AM
This thread presents basic steps to do verifications. For more details, please read more sources.
There are so many bad guys around, and there are so many phishing sites on which you can see and download dangerous fake cryptocurrency wallets. If you get trapped by fake wallets, I am sure that your funds will be stolen. It's just a matter of time how long it will take bad guys to steal your funds after you install a fake wallet and store your funds in it.
Days ago, the news about the compromise of the Monero site (https://www.zdnet.com/article/official-monero-website-compromised-with-malware-that-steals-funds/) gave me a reminder to make this thread for newbies.
Honestly, it is a very good opportunity for me to learn more about verification. Previously, I only knew and did verification for the Electrum wallet. Now, when I made this thread, I have read more sources, from Bitcoin Core to Dash and Monero, and I definitely and fortunately learned more valuable things. This is another lesson for newbies: Learn first to improve; then help others. As you progress in learning and helping, you will become more knowledgeable; then you will be safer in crypto.
Why do you have to verify wallets before using them as storage of your fund?
"Prevention is better than cure".
Basic steps:
You should verify three steps. More things to do if you want (if yes, read more in mentioned sources).
Download the Gpg4win software at https://www.gpg4win.org/
After downloading, check the integrity of (verify) the downloaded file first. Yes, you must verify first; don't trust it even if you download Gpg4win from its official website. It is very terrible for you to download a phishing Gpg4win software to verify any cryptocurrency wallets.
You can see how to install the Gpg4win software in Verify binaries on Windows (beginner), here (https://src.getmonero.org/resources/user-guides/verification-windows-beginner.html)
The full guide is here: https://www.gpg4win.org/package-integrity.html
There are 5 methods to do that. I would like to recommend you to read the section: Download and Install Gpg4win:
Get its SHA1 hash value here: https://www.gpg4win.org/package-integrity.html
Copy the hash value you get from the Command Prompt and paste it into Find on that page to compare your hash value with the one provided on the official site of Gpg4win.
They matched, so I downloaded a legit Gpg4win software.
In addition, you can use the Windows PowerShell (Admin) - for Windows 10 - instead of the Command Prompt.
Electrum
Download it at: https://electrum.org/#download
Signature: get it here https://download.electrum.org/3.3.8/electrum-3.3.8-setup.exe.asc
Search dev key ID on MIT https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
Electrum dev: 0x2BD5824B7F9470E6
Pub keys of developers
ThomasV's public keys
Get it hash file
Key pair
and verify
You have to enter a passphrase
Import key:
Linux:
Code: gpg --import ThomasV.asc
Code: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
macOS
Code: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
Check fingerprints from third parties https://www.youtube.com/watch?v=hjYCXOyDy7Y
Web of Trust: https://en.wikipedia.org/wiki/Web_of_trust
DASH
Download the wallet here: https://www.dash.org/downloads and you can also see the hash file for Dash Core or Dash Electrum. Then you can directly use the site https://keybase.io/verify to verify the hash file of Dash Core, for example
Code: 7058b28f5b1028caa862c8a29e34a683f8abacfa6ddd50caf37cb1d1f21ef1dd dashcore-0.14.0.3-aarch64-linux-gnu.tar.gz
You can do this on Gpg4win after importing codablock's key too.
https://i.imgur.com/uqJch1U.png
There you go: GPG verification results I get by clicking on dashcore-0.14.0.3-osx.dmg.asc (assuming you have GPG Tools installed and codablock's key imported into it already) on top of Downloads with the binary itself and this signature file on top of Github releases page with both these files listed :)
Dash Github's Tags (https://github.com/dashpay/dash/tags)
Credits to qwizzie and UdjinM6: You can read more details of unofficial guides from two users here (https://bitcointalk.org/index.php?topic=421615.msg53135303#msg53135303)
Monero
Follow the guide below to verify both hash file and binary file.
Sources:
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
http://www.differencebetween.net/technology/software-technology/difference-between-pgp-and-gpg/
Verifying Bitcoin Core (theymos) (https://bitcointalk.org/index.php?topic=1588906.0). I don't use Bitcoin Core but if you use it, you know what to do: Verify first, don't trust.
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: Steamtyme on November 22, 2019, 08:18:36 AM
It's funny I've been reading through a lot on this lately, and actually stumbled across a pretty good thread a few days ago, can't find the link right now.
I like that you mentioned verify the gpg4win software, there was a video from a few years back I was watching and he brought up what I was thinking when I got into verify mode. It's sort of the chicken and the egg conundrum as he put it - Crypto Dad or something like that.
Only suggestion is that if it's available do the initial download on a PC, that doesn't contain anything sensitive from the start. Just in case.
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: killat on November 22, 2019, 08:19:08 AM
Indeed, threats are everywhere in the crypto world and the risks to see your funds lost are bigger every day, especially if you're using online wallets.
However prices continued to decrease constantly for hardware wallets. You can buy very cheap a Ledger Nano S or a Trezor wallet (Trezor is more expensive and it does pretty much the same thing) and get rid of the stress every time you check your balances.
https://shop.ledger.com/products/ledger-nano-s
https://shop.trezor.io/
I bought a Ledger Nano S and since then I sleep better thinking that my crypto are safe :)
Title: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: tranthidung on November 22, 2019, 08:28:06 AM
Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges. :D
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: bitmover on November 22, 2019, 12:22:21 PM
Quote: Nothing can save you if you don't manage how to do it safely. No wallets, no Trezor, no Ledger Nano S, no exchanges. :D
Yes. You are much safer using a hardware wallet. However if you are careless, you will lose money. For example, always check the address displayed in device LED visor before sending funds. Store your seed offline in a paper, etc..
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: Velkro on November 22, 2019, 01:29:23 PM
Quote: Why do you have to verify wallets before using them as storage of your fund? "Prevention is better than cure".
This guide is more complicated and long than space shuttle schematics/instruction :D
Do we like it or not, people are too often technically illiterate or even worse, they don't care that much. Faster the better with minimum effort.
So i hope it will help someone, but i like to verify files other ways than "official" requiring 10 steps.
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: bitmover on November 22, 2019, 02:17:59 PM
Quote: This guide is more complicated and long than space shuttle schematics/instruction :D Do we like it or not, people are too often technically illiterate or even worse, they don't care that much. Faster the better with minimum effort. So i hope it will help someone, but i like to verify files other ways than "official" requiring 10 steps.
I agree the guide is too long and complicated. Personally I have never verified a pgp signature from a file. (I am almost shame to admit lol)
However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there matches the address you have).
I always double check everything as well..
addresses on device, on the website, etc. It is like a basic common sense, however few people do.
Title: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: tranthidung on November 22, 2019, 02:40:07 PM
Quote: I agree the guide is too long and complicated.
All things are always complicated at beginnings.
Quote: Personally I have never verified a pgp signature from a file. (I am almost shame to admit lol) However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there matches the address you have). I always double check everything as well.. addresses on device, on the website, etc. It is like a basic common sense, however few people do.
For crypto newbies: How to get a bitcoin address? How to send bitcoin to other people? How to install a bitcoin wallet? Which wallet to use? What are differences between public key and private key? How to backup and recover wallets from seeds? How to do KYCs? And more. All of them are complicated. I had same feelings when I joined crypto in the late of 2017.
Another example is account in the forum: How to secure it? How to sign a message to use as ownership-proof? Yes, it's complicated for guys don't know how to do. It is unnecessary to sign a message for above purpose before one realizes account can be hacked and without a sign message the recovery will be more difficult and takes more time. Then, they will do it.
The same thing with wallet verifications, IMO. The more repetitions we do verifications, the faster we finish and the more comfortable we feel about wallet verifications.
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: khaled0111 on November 22, 2019, 11:12:27 PM
@OP, I think you should change the topic's title. "Don't do this" makes it look like you are asking us to avoid verifying the wallet we are downloading :)
Quote: So i hope it will help someone, but i like to verify files other ways than "official" requiring 10 steps.
It is a long process indeed but we are talking about how to keep our money safe from hackers. So it is definitely worth the time we spend on it.
Title: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: tranthidung on November 22, 2019, 11:19:22 PM
Quote: @OP, I think you should change the topic's title. "Don't do this" makes it look like you are asking us to avoid verifying the wallet we are downloading :)
Thanks (I will think of small changes). You should know there are limitations on total characters. The thread title (current one) uses the max cap of characters allowed. :-\
Code: Verify wallets before installing & using. You'll lose fund if you don't verify
Code: Re: Verify wallets before installing & using. You'll lose fund if you don't veri
I always do what @bitmover wrote, carefully, before moving forwards with wallet verification steps in OP. They are two-layered protections for you:
- Download at legit websites.
- Verify wallets and related things.
You are safe with handy verifications.
Quote: However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there matches the address you have). I always double check everything as well.. addresses on device, on the website, etc. It is like a basic common sense, however few people do.
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: hatshepsut93 on November 22, 2019, 11:33:12 PM
Quote: I agree the guide is too long and complicated. Personally I have never verified a pgp signature from a file. (I am almost shame to admit lol)
It's really not that hard, it takes a bit of time to set the whole thing up for the first time, but after you are done, verifying signatures takes just a few clicks. I use Kleopatra on Windows and it's pretty simple.
But verifying developer's signature doesn't guarantee a 100% security, there's always a small chance that developer has gone rogue or got hacked themselves and their keys were stolen - to cover situations like that, it's always wise to check for such problems on public media first.
Title: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: tranthidung on November 22, 2019, 11:43:12 PM
Quote: It's really not that hard, it takes a bit of time to set the whole thing up for the first time, but after you are done, verifying signatures takes just a few clicks. I use Kleopatra on Windows and it's pretty simple.
Right, for later times it is faster but even with setup process, I don't think it is too complicated. I felt complicate the first time, but the second time I was familiar with it.
Quote: But verifying developer's signature doesn't guarantee a 100% security, there's always a small chance that developer has gone rogue or got hacked themselves and their keys were stolen - to cover situations like that, it's always wise to check for such problems on public media first.
Notifications or hyperlinks to newest wallet versions provides by wallets are unreliable too.
Electrum vulnerability allows arbitrary messages, phishing (theymos) (https://bitcointalk.org/index.php?topic=5090097.0)
I believe most of newbies instantly click on links in their wallets to visit sites and download newest versions without further investigations, and sure without wallet verifications.
Title: Re: Verify wallets before installing and using. Don't do this, you'll lose your fund
Post by: Negotiation on November 23, 2019, 12:16:42 AM
Quote: Nothing can save you if you don't manage how to do it safely. No wallets, no Trezor, no Ledger Nano S, no exchanges.
:D
Yeah @tranthidung, you are right. If one does not know how to manage well then it is necessary to have the ability to understand the problem, especially good and bad. Moreover, he will lose the right over his money, which is very harmful.
Title: Re: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: hugeblack on November 23, 2019, 01:58:38 PM
I think you have developed this topic --> [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint (https://bitcointalk.org/index.php?topic=4059348.0) and updated it with some data, you can refer to it to reformat this topic and make it perfect.
I would like to point out that if you want to verify Electrum's signature, the link above is a link to the latest version (3.3.8), I hope you indicate the location of the signature on the site instead of giving the link (will not work with the new update).
Title: Re: Verify wallets before installing & using. You'll lose fund if you don't verify
Post by: pooya87 on November 24, 2019, 09:33:51 AM
i want to add two things here,
first kudos for mentioning "web of trust" but since the importance of it is high in my opinion it should be the first thing to be mentioned and it should be explained more with the dangers of neglecting it. it must be first step or rather step 0 of this whole thing. you first have to find a way to acquire the real public key in a safe way that you can be nearly sure that it is the correct one. for example if the user is simply copying the key hash from the same website and verifies the downloaded file (from the same site) then he didn't really increase his security at all. he just took an extra step! since a malicious attacker could have injected both malicious software and pubkey he used to sign that into that website.
second is that even if you did all that and verified signature of that file with the real pubkey that still doesn't mean the software you are about to use is safe. you are still downloading a compiled binary file that may not even be the compiled version of the same source code you see as the open source project! the solution to this is either compiling yourself which is not possible for most users or only using open source software that is using deterministic builds. unfortunately only a couple of wallets follow that (https://bitcointalk.org/index.php?topic=5195281.0).
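
Added example (not written by any poster in this thread): the checks discussed above, scripted. A signature is accepted only when gpg reports it valid for a fingerprint pinned from an independent source, which is the "step 0" point about not taking the key from the same site as the download; the downloaded bytes are then compared with the entry in the signed hash file, as in the Dash step. The fingerprint, file name, file bytes and status lines are constructed sample values; the status keywords are the ones GnuPG writes with `--status-fd`.

```python
import hashlib
import hmac

# Any of these GnuPG status keywords means a signature is bad, expired or revoked.
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signature_ok(status_text, pinned_fpr):
    """Check `gpg --status-fd 1 --verify` output against a pinned fingerprint.
    GOODSIG alone only says that some key in the keyring signed the file;
    VALIDSIG carries the fingerprint, which must equal the pinned one.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    if pinned.startswith("0X"):
        pinned = pinned[2:]
    if len(pinned) != 40:
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    matched = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[0]: signing (sub)key fingerprint; args[-1]: primary key.
            matched = matched or pinned in (args[0].upper(), args[-1].upper())
    return matched


def expected_digest(sums_text, filename):
    """Return filename's digest from sha256sum-style lines (`<hex>  <name>`)."""
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().lstrip("*") == filename:
            return parts[0].lower()
    return None


def release_ok(status_text, pinned_fpr, sums_text, filename, data):
    """True only if the hash file's signature matches the pinned key AND the
    downloaded bytes hash to the entry listed for filename."""
    if not signature_ok(status_text, pinned_fpr):
        return False
    want = expected_digest(sums_text, filename)
    got = hashlib.sha256(data).hexdigest()
    return want is not None and hmac.compare_digest(want, got)


# --- Constructed sample data (not real keys, files or gpg output) ---
PINNED = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"  # obtained out of band
NAME = "wallet-1.0-setup.exe"                         # hypothetical file name
DATA = b"constructed installer bytes"
SUMS = f"{hashlib.sha256(DATA).hexdigest()}  {NAME}\n"
STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {PINNED[-16:]} Example Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {PINNED} 2019-11-22 1574380800 0 4 0 1 10 00 {PINNED}\n"
)

if __name__ == "__main__":
    print("untampered:", release_ok(STATUS, PINNED, SUMS, NAME, DATA))
    print("tampered:  ", release_ok(STATUS, PINNED, SUMS, NAME, DATA + b"!"))
```

In real use the status text comes from running `gpg --status-fd 1 --verify` on the signature and the signed file, and the pinned fingerprint from a source other than the download site.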