Electrum SHA256 hashes

[kostepanych2]

Hi,
Where can I find Electrum SHA256 hashes to ensure that downloaded wallet is original and not compromised?
I see only signature file on the official site, but signature check procedure is very complex...

[TryNinja]

They don't publish it. You will need to verify the PGP Signature, which is not that hard.

1. Import ThomasV's pubkey:

Code:

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6

2. Verify if it's imported:

Code:

gpg --fingerprint 0x2BD5824B7F9470E6

3. Download the signature file on the website.

4. Verify with:

Code:

gpg --verify signatureFile.asc ElectrumFile.tar.gz

[kostepanych2]

They don't publish it. You will need to verify the PGP Signature, which is not that hard.

1. Import ThomasV's pubkey:

Code:

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6

2. Verify if it's imported:

Code:

gpg --fingerprint 0x2BD5824B7F9470E6

3. Download the signature file on the website.

4. Verify with:

Code:

gpg --verify signatureFile.asc ElectrumFile.tar.gz

When trying to to that I get this:

gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
gpg: Signature made Пaн 02 Лiп 2018 10:12:08 +03 using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>"
gpg:                 aka "ThomasV <thomasv1@gmx.de>"
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

What does this warning mean?

[bob123]

When trying to to that I get this:

gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe


gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>"

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


What does this warning mean?

You can safely ignore the warning since the signature does match.

The warning appears because you didn't trust TomasV's key yet. For a single verification this is not necessary.
The important thing is the Good signature output.

[TryNinja]

When trying to to that I get this:

gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
gpg: Signature made Пaн 02 Лiп 2018 10:12:08 +03 using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>"
gpg:                 aka "ThomasV <thomasv1@gmx.de>"
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

What does this warning mean?

This means that the signature is valid but you don't directly trust the user who generated the key (you didn't set the key as trusted).

Don't worry, that's not an issue. The file is legit.

[kostepanych2]

2. Verify if it's imported:

Code:

gpg --fingerprint 0x2BD5824B7F9470E6

How should I verify that it is correct ThomasV's pubkey?
There should be Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?
Can this signature be forged?
Can it be possible that fake public key have the same  fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?

[Abdussamad]

2. Verify if it's imported:

Code:

gpg --fingerprint 0x2BD5824B7F9470E6

How should I verify that it is correct ThomasV's pubkey?
There should be Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?

Yep.

Can this signature be forged?

No you need the private key behind that public key to generate a valid sig. As far as we know only thomas has that and he hasn't been hacked. So if you trust him not to include malware and not to get hacked you can use this software. Alternatively go through the code line by line so that you don't have to trust anyone!

Can it be possible that fake public key have the same  fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?

Nope. Always compare the long fingerprint as above and not the shortened one (0x7F9470E6) because it may be possible to create another key pair with the same short fingerprint.