md5 or sha1 for Electrum 3.0.1

[mike4001]

Hello,

Can someone post a valid md5 or sha1 hash for Electrum 3.0.1.

I downloaded the file and want to check it before running.

I don't have PGP and a Google search showed that this will not be a quick check if you don't have the software and so on

[pooya87]

i would recommend that you check the PGP signatures instead, specially if you are about to store some funds in this wallet that you jut downloaded. it is not hard to do it under windows. https://ssd.eff.org/en/module/how-use-pgp-windows
and it is super easy in Linux.

i am assuming you have windows and here are the hashes for Windows Installer (https://download.electrum.org/3.0.1/electrum-3.0.1-setup.exe). use at your own risk.

MD5

Code:

1c21679b30d38d3d9968cb9cb8cff65b

SHA1

Code:

97c20adb2bd07b3a5d8bf22d59740b7b608b8d72

an screenshot of the steps:

[HCP]

i am assuming you have windows and here are the hashes for Windows Installer (https://download.electrum.org/3.0.1/electrum-3.0.1-setup.exe). use at your own risk.

MD5

Code:

1c21679b30d38d3d9968cb9cb8cff65b

SHA1

Code:

97c20adb2bd07b3a5d8bf22d59740b7b608b8d72

If it makes you feel any better... and it probably shouldn't, because MD5 and SHA1 don't really prove much... but I got the same hashes as Pooya87

---------------------------
Checksum information
---------------------------
Name: electrum-3.0.1-setup.exe
Size: 27657120 bytes (26 MB)

SHA1: 97C20ADB2BD07B3A5D8BF22D59740B7B608B8D72

;     27657120  00:30.23 2017-11-08 electrum-3.0.1-setup.exe
1c21679b30d38d3d9968cb9cb8cff65b *electrum-3.0.1-setup.exe

[mike4001]

Thank you both ... I want to try GnuPG but I believe I need some troubleshooting

Yes I am on Windows and installed GnuPG.

But the first command results in

Code:

D:\Programme\Electrum>gpg --recv-keys 7F9470E6
gpg: key 2BD5824B7F9470E6: 75 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

[HCP]

That looks OK... seems that you already have the key loaded on your system?

Did you download the .asc file? you might need to right click on it and select "save link as"... save it in the same folder as the .exe

Then just try running the 2nd command: gpg --verify electrum-3.0.1-setup.exe.asc electrum-3.0.1-setup.exe

[mike4001]

Well I tried a few other commands incluing creation of my private key. Maybe this did it?

Anyway: The second command gives me:

Code:

D:\Programme\Electrum>gpg --verify electrum-3.0.1.exe.asc electrum-3.0.1.exe
gpg: Signature made 11/06/17 19:44:36 Mitteleuropõische Zeit
gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

Btw: I want to check the Standalone Executable and not the installer, but this shouldn't be the issue I think.

Ah OK: So I can Ignore the WARNING? ... Because it kind of reads serious :-)

[HCP]

What the output is showing you, is that the file is indeed signed by ThomasV's key:

gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]

However, because you have not explicitly stated that you trust that key (ie. it's not in your personal circle of trust) nor is it trusted by any of your "trusted" signatures... you end up with the "scary" warning:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

If you are satisfied that the key you have for ThomasV is trustworthy... and that ThomasV is a trustworthy person (because if you trust ThomasV, depending the level, by default you'll trust HIS trusted keys), you can add ThomasV's key to your list of trusted keys... then when you check the signatures, you won't get the warning.

As mentioned, there are various levels of "trust", and it can be a very subjective thing. Refer: https://www.gnupg.org/gph/en/manual/x334.html for more info

[mike4001]

OK, thank you very much for your explanation!