Bitcoin Forum
Author Topic: Verify wallets before installing & using. You'll lose fund if you don't verify  (Read 310 times)
tranthidung (OP)
November 22, 2019, 07:46:43 AM
Last edit: January 07, 2020, 09:17:06 AM by tranthidung
Merited by pooya87 (2), DdmrDdmr (2), mk4 (1), dkbit98 (1), Rikafip (1), Steamtyme (1)
 #1

This thread presents basic steps to do verifications. For more details, please read more sources.



There are so many bad guys around, and there are so many phishing sites on which you can see and download dangerous fake cryptocurrency wallets. If you get trapped by fake wallets, I am sure that your funds will be stolen. It's just a matter of time before bad guys steal your funds after you install a fake wallet and store your funds in it.

A few days ago, the news about the compromise of the Monero site reminded me to make this thread for newbies. Honestly, it is a very good opportunity for me to learn more about verification. Previously, I only knew and did verification for the Electrum wallet. Now, while making this thread, I have read more sources, from Bitcoin Core to Dash and Monero, and I definitely and fortunately learned more valuable things.

This is another lesson for newbies: Learn first to improve; then help others. By learning and helping, you will become more knowledgeable; then you will be safer in crypto.

Why do you have to verify wallets before using them as storage of your fund?
"Prevention is better than cure".


Basic steps:
You should verify in three steps. There are more things to do if you want (if so, read more in the mentioned sources).
  • Hash values
  • Developers' public keys
  • Verify the installer signature.
  • All things you use to verify, get them by yourself. Don't trust what I quoted below

Download gpg4win software at https://www.gpg4win.org/
After downloading, check the integrity of (verify) the downloaded file first.
Yes, you must verify first; don't trust it even if you download Gpg4win from its official website. It would be terrible to download a phishing Gpg4win and use it to verify any cryptocurrency wallet.

You can see how to install the gpg4win software in "Verify binaries on Windows (beginner)", here
The full guide is here: https://www.gpg4win.org/package-integrity.html
There are 5 methods to do that. I would recommend reading the section: Download and Install Gpg4win:
Get its SHA1 hash value here: https://www.gpg4win.org/package-integrity.html
Copy the hash value you get from the Command Prompt and use Find on that page to compare your hash value with the one provided on the official Gpg4win site.
They match, so I downloaded a legit Gpg4win.

In addition, you can use the Windows PowerShell (Admin) - for Windows 10 - instead of the Command prompt.



Electrum
Download it at: https://electrum.org/#download

Signature: get it here
https://download.electrum.org/3.3.8/electrum-3.3.8-setup.exe.asc

Search dev key ID on MIT
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
Electrum dev: 0x2BD5824B7F9470E6


Pub keys of developers
ThomasV's public keys

Get its hash file

Key pair and verify
You have to enter a passphrase



Import key:
Linux:
Code:
gpg --import ThomasV.asc
Windows
Code:
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/

macOS
Code:
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/

Check fingerprints from third-parties
https://www.youtube.com/watch?v=hjYCXOyDy7Y
Web of Trust: https://en.wikipedia.org/wiki/Web_of_trust


DASH
Download wallet here: https://www.dash.org/downloads and you can also see hash file for Dash Core or Dash Electrum.
Then you can directly use the site: https://keybase.io/verify to verify hash file of Dash Core, for example
Code:
7058b28f5b1028caa862c8a29e34a683f8abacfa6ddd50caf37cb1d1f21ef1dd  dashcore-0.14.0.3-aarch64-linux-gnu.tar.gz
37c96f2bf56bef55d5acc980a6ae96c1b6dfc6ad29b4c985f1b3392a9f9ac4bb  dashcore-0.14.0.3-arm-linux-gnueabihf.tar.gz
3859e654526bc7171dc613c0de1867b710220feae754d6d58792ef8a37452768  dashcore-0.14.0.3-i686-pc-linux-gnu.tar.gz
8ad9de5ad2a428fff9a1b71e6b711ac0e8132069706902431c4c51bcd5171153  dashcore-0.14.0.3-osx64.tar.gz
8460c124dd2a1943b629ea9c40e99b5e510831edce9e8f6644e3096aa01fac01  dashcore-0.14.0.3-osx.dmg
4743a15824cd0a81d72922ed9318a6de5cba62964a608ae772de578274226751  dashcore-0.14.0.3-osx-unsigned.dmg
65060ea4a38b55e7f1298997be40abab1277b5ffba0e6cf7358d40e49b3f05b8  dashcore-0.14.0.3.tar.gz
adb078691090b62e331d2eb8f2841de2e837f27b6ce8dcfef107cb9682222bd2  dashcore-0.14.0.3-win32-setup.exe
032cb5cec4f09b1a30934ed17fb3bee3b68c73b5b64f93a86fa3cf2605273889  dashcore-0.14.0.3-win32-setup-unsigned.exe
57ae3e71105dfca31a07011c24b849cf616b4ead4491f0f089a04c69f9f023b3  dashcore-0.14.0.3-win32.zip
87a0af9daeb05d33be4e2cb675cb296ab7b6745079c9e65ec79850e31ac0df2f  dashcore-0.14.0.3-win64-setup.exe
8783145bcb0439c4ead82f1106978e349e180ee852246897e8aca84201d2aba1  dashcore-0.14.0.3-win64-setup-unsigned.exe
0c3fe9a3658f4b676596154b085793fe6674f4d2c5c6015146f8bcedc883e25a  dashcore-0.14.0.3-win64.zip
28d45537e1c982967075742f9f6ff631d6de72d075091d53ff039ed8919714ba  dashcore-0.14.0.3-x86_64-linux-gnu.tar.gz
Copy and paste the above code (which you get from the SHA256SUMS.asc file) into the box and click verify. If you downloaded a legit wallet, the result will be shown as "Signed by codablock". Click on the name to see who codablock is at https://keybase.io/codablock
 
You can do this on GPG4win after importing codablock's key too.


There you go: GPG verification results I get by clicking on dashcore-0.14.0.3-osx.dmg.asc (assuming you have GPG Tools installed and codablock's key imported into it already) on top of Downloads with the binary itself and this signature file on top of Github releases page with both these files listed Smiley

Dash Github's Tags

Credits to qwizzie and UdjinM6: You can read more details of unofficial guides from two users here



Monero
Follow the guide below to verify both hash file and binary file.




Sources:
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
http://www.differencebetween.net/technology/software-technology/difference-between-pgp-and-gpg/
Verifying Bitcoin Core (theymos). I don't use Bitcoin Core but if you use it, you know what to do: Verify first, don't trust.

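The hash step from the post above, as an added example that is not part of the original post: it reads the signed body of a SHA256SUMS.asc-style manifest and compares the listed SHA-256 with the file on disk. The file name, file content and manifest are constructed samples, and the signature itself still has to be checked with gpg before the listed hashes can be trusted.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Constructed sample: file name, content and manifest are made up, and the
# signature body is a placeholder. Layout follows a clearsigned SHA256SUMS.asc.
SAMPLE_NAME = "examplewallet-1.0-win64-setup.exe"
SAMPLE_CONTENT = b"constructed installer bytes\n"
SAMPLE_MANIFEST = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    f"{hashlib.sha256(SAMPLE_CONTENT).hexdigest()}  {SAMPLE_NAME}\n"
    f"{'0' * 64}  examplewallet-1.0-osx.dmg\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\nPLACEHOLDER\n"
    "-----END PGP SIGNATURE-----\n"
)

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")  # "<sha256>  <file name>"


def manifest_entries(text):
    """Map file name -> sha256 hex, reading only the signed body."""
    # This does not check the signature: run `gpg --verify` on the manifest first.
    lines = text.splitlines()
    if BEGIN_MSG in lines:
        body_start = lines.index("", lines.index(BEGIN_MSG)) + 1
        lines = lines[body_start:lines.index(BEGIN_SIG)]
    entries = {}
    for m in filter(None, map(ENTRY.match, lines)):
        digest, name = m.group(1).lower(), m.group(2)
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting hashes listed for {name}")
    return entries


def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)  # chunked so large installers do not fill memory
    return h.hexdigest()


def check_download(path, manifest_text):
    """Return 'match', 'mismatch' or 'not-listed' for the file at path."""
    expected = manifest_entries(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"  # never treat a missing entry as a pass
    actual = sha256_file(path)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    with tempfile.TemporaryDirectory() as d:
        def put(name, data):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            return path
        return [
            check_download(put(SAMPLE_NAME, SAMPLE_CONTENT), SAMPLE_MANIFEST),
            check_download(put(SAMPLE_NAME, SAMPLE_CONTENT + b"x"), SAMPLE_MANIFEST),
            check_download(put("other-setup.exe", SAMPLE_CONTENT), SAMPLE_MANIFEST),
        ]


if __name__ == "__main__":
    print(demo())
```

A "match" only says the file equals what the manifest lists; who wrote the manifest is decided by the signature check, not by the hash.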
Steamtyme
November 22, 2019, 08:18:36 AM
 #2

It's funny, I've been reading through a lot on this lately, and actually stumbled across a pretty good thread a few days ago, can't find the link right now. I like that you mentioned verifying the gpg4win software; there was a video from a few years back I was watching and he brought up what I was thinking when I got into verify mode. It's sort of the chicken and the egg conundrum as he put it - Crypto Dad or something like that. Only suggestion is that if it's available, do the initial download on a PC that doesn't contain anything sensitive from the start. Just in case.


killat
November 22, 2019, 08:19:08 AM
 #3

Indeed, threats are everywhere in the crypto world and the risks of seeing your funds lost are bigger every day, especially if you're using online wallets.

However prices continued to decrease constantly for hardware wallets. You can buy very cheap a Ledger Nano S or a Trezor wallet (Trezor is more expensive and it does pretty much the same thing) and get rid of the stress every time you check your balances.
https://shop.ledger.com/products/ledger-nano-s
https://shop.trezor.io/

I bought a Ledger Nano S and since then I sleep better thinking that my crypto are safe  Smiley


tranthidung (OP)
November 22, 2019, 08:28:06 AM
Last edit: November 23, 2019, 04:35:00 AM by tranthidung
Merited by bitmover (1)
 #4

Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges.  Cheesy

bitmover
November 22, 2019, 12:22:21 PM
Merited by tranthidung (1)
 #5

Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges.  Cheesy

Yes. You are much safer using a hardware wallet. However if you are careless, you will lose money.

For example, always check the address displayed in the device LED visor before sending funds. Store your seed offline on paper, etc.

Velkro
November 22, 2019, 01:29:23 PM
 #6

Why do you have to verify wallets before using them as storage of your fund?
"Prevention is better than cure".

This guide is more complicated and longer than space shuttle schematics/instructions Cheesy
Whether we like it or not, people are too often technically illiterate or, even worse, they don't care that much.
The faster the better, with minimum effort.

So I hope it will help someone, but I like to verify files other ways than the "official" one requiring 10 steps.
bitmover
November 22, 2019, 02:17:59 PM
 #7

This guide is more complicated and longer than space shuttle schematics/instructions Cheesy
Whether we like it or not, people are too often technically illiterate or, even worse, they don't care that much.
The faster the better, with minimum effort.

So I hope it will help someone, but I like to verify files other ways than the "official" one requiring 10 steps.

I agree the guide is too long and complicated.
Personally I have never verified a pgp signature from a file. (I am almost ashamed to admit lol)

However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there match the address you have). I always double-check everything as well: addresses on the device, on the website, etc.
It is basic common sense; however, few people do it.

tranthidung (OP)
November 22, 2019, 02:40:07 PM
Last edit: November 23, 2019, 04:34:44 AM by tranthidung
 #8

I agree the guide is too long and complicated.
Personally I have never verified a pgp signature from a file. (I am almost ashamed to admit lol)

However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there match the address you have). I always double-check everything as well: addresses on the device, on the website, etc.
It is basic common sense; however, few people do it.
All things are always complicated at the beginning.
For crypto newbies: How to get a bitcoin address? How to send bitcoin to other people? How to install a bitcoin wallet? Which wallet to use? What are the differences between a public key and a private key? How to back up and recover wallets from seeds? How to do KYCs? And more. All of them are complicated.

I had the same feelings when I joined crypto in late 2017.

Another example is an account in the forum: How to secure it? How to sign a message to use as ownership proof? Yes, it's complicated for guys who don't know how to do it.

It is unnecessary to sign a message for the above purpose before one realizes that an account can be hacked and that, without a signed message, recovery will be more difficult and take more time. Then, they will do it.

The same thing goes for wallet verifications, IMO. The more often we do verifications, the faster we finish and the more comfortable we feel about wallet verifications.

khaled0111
November 22, 2019, 11:12:27 PM
Merited by tranthidung (1)
 #9

@OP, I think you should change the topic's title. "Don't do this" makes it look like you are asking us to avoid verifying the wallet we are downloading  Smiley


So I hope it will help someone, but I like to verify files other ways than the "official" one requiring 10 steps.
Are there other ways to check the authenticity of files we download online other than what was mentioned here?!
It is a long process indeed but we are talking about how to keep our money safe from hackers. So it is definitely worth the time we spend on it.

tranthidung (OP)
November 22, 2019, 11:19:22 PM
Last edit: November 23, 2019, 04:34:29 AM by tranthidung
 #10

@OP, I think you should change the topic's title. "Don't do this" makes it look like you are asking us to avoid verifying the wallet we are downloading  Smiley
Thanks (I will think of small changes). You should know there are limitations on total characters. The thread title (current one) uses the max cap of characters allowed.  Undecided
Code:
Verify wallets before installing & using. You'll lose fund if you don't verify
Now, the title is better and I hope you like the new one, but there is a problem with the title of replies. Replies will have a title like this (the last 2 characters are automatically cut because of the character limit).
Code:
Re: Verify wallets before installing & using. You'll lose fund if you don't veri

I always do what @bitmover wrote, carefully, before moving forwards with wallet verification steps in OP. They are two-layered protections for you:
- Download at legit websites.
- Verify wallets and related things.
You are safe with handy verifications.
However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there match the address you have). I always double-check everything as well: addresses on the device, on the website, etc.
It is basic common sense; however, few people do it.

hatshepsut93
November 22, 2019, 11:33:12 PM
 #11

I agree the guide is too long and complicated.
Personally I have never verified a pgp signature from a file. (I am almost ashamed to admit lol)


It's really not that hard, it takes a bit of time to set the whole thing up for the first time, but after you are done, verifying signatures takes just a few clicks. I use Kleopatra on Windows and it's pretty simple.

But verifying a developer's signature doesn't guarantee 100% security; there's always a small chance that the developer has gone rogue or got hacked themselves and their keys were stolen - to cover situations like that, it's always wise to check for such problems on public media first.
tranthidung (OP)
November 22, 2019, 11:43:12 PM
Last edit: November 23, 2019, 04:34:12 AM by tranthidung
 #12

It's really not that hard, it takes a bit of time to set the whole thing up for the first time, but after you are done, verifying signatures takes just a few clicks. I use Kleopatra on Windows and it's pretty simple.
Right, for later times it is faster, but even with the setup process, I don't think it is too complicated. It felt complicated the first time, but the second time I was familiar with it.
Quote
But verifying a developer's signature doesn't guarantee 100% security; there's always a small chance that the developer has gone rogue or got hacked themselves and their keys were stolen - to cover situations like that, it's always wise to check for such problems on public media first.
Notifications or hyperlinks to the newest wallet versions provided by wallets are unreliable too.
Electrum vulnerability allows arbitrary messages, phishing (theymos)
I believe most of newbies instantly click on links in their wallets to visit sites and download newest versions without further investigations, and sure without wallet verifications.

Negotiation
November 23, 2019, 12:16:42 AM
 #13

Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges.  Cheesy

Yeah @tranthidung, you are right. If one does not know how to manage well, then it is necessary to have the ability to understand the problem, especially good and bad. Moreover, he will lose the right over his money, which is very harmful.

hugeblack
November 23, 2019, 01:58:38 PM
Merited by tranthidung (1)
 #14

I think you have developed this topic --> [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint and updated it with some data, you can refer to it to reformat this topic and make it perfect.

I would like to point out that if you want to verify Electrum's signature, the link above is a link to the latest version (3.3.8). I hope you indicate the location of the signature on the site instead of giving the link (it will not work with the new update).


pooya87
November 24, 2019, 09:33:51 AM
Merited by tranthidung (1)
 #15

i want to add two things here,
first kudos for mentioning "web of trust" but since the importance of it is high in my opinion it should be the first thing to be mentioned and it should be explained more with the dangers of neglecting it. it must be first step or rather step 0 of this whole thing. you first have to find a way to acquire the real public key in a safe way that you can be nearly sure that it is the correct one.
for example if the user is simply copying the key hash from the same website and verifies the downloaded file (from the same site) then he didn't really increase his security at all. he just took an extra step! since a malicious attacker could have injected both malicious software and pubkey he used to sign that into that website.

second is that even if you did all that and verified signature of that file with the real pubkey that still doesn't mean the software you are about to use is safe. you are still downloading a compiled binary file that may not even be the compiled version of the same source code you see as the open source project!
the solution to this is either compiling yourself which is not possible for most users or only using open source software that is using deterministic builds. unfortunately only a couple of wallets follow that.

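The first point of the post above in code form, as an added example that is not part of the original thread: a valid signature only counts when the signing key's full fingerprint equals one obtained through a separate channel, so a key fetched from the same site as the download proves nothing. The fingerprints and status lines are constructed samples, and `gpg_status` assumes GnuPG is installed and on PATH.

```python
import subprocess

# Fingerprint obtained out-of-band (constructed placeholder, not a real key).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed

# Status keywords that make the whole result untrustworthy (fail closed).
FATAL = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed samples of `gpg --status-fd` output.
STATUS_PINNED = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {PINNED_FPR[-16:]} Example Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2019-11-22 1574380800 0 4 0 1 8 00 {PINNED_FPR}\n"
)
# Valid signature, but made with a key that came with the download.
STATUS_OTHER_KEY = STATUS_PINNED.replace(PINNED_FPR, OTHER_FPR).replace(
    PINNED_FPR[-16:], OTHER_FPR[-16:])
STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {PINNED_FPR[-16:]} Example Dev <dev@example.org>\n"
)


def valid_signers(status_text):
    """Return primary-key fingerprints of all valid signatures, or an empty set."""
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FATAL:
            return set()
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Last field is the primary key fingerprint; the first may be a subkey.
            primary = parts[11] if len(parts) > 11 else parts[2]
            signers.add(primary.upper())
    return signers


def signed_by_pinned_key(status_text, pinned_fpr=PINNED_FPR):
    """True only if a valid signature comes from the pinned 40-hex fingerprint."""
    wanted = pinned_fpr.replace(" ", "").upper()
    # A 16-hex key ID is too short to pin on; require the full v4 fingerprint.
    return len(wanted) == 40 and wanted in valid_signers(status_text)


def gpg_status(sig_path, file_path):
    """Run gpg on a detached signature and return its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for name, status in [("pinned key", STATUS_PINNED),
                         ("other key", STATUS_OTHER_KEY),
                         ("bad signature", STATUS_BAD)]:
        print(name, signed_by_pinned_key(status))
```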