HCP, has there been cases where someone downloaded electrum from the actual electrum website and gotten a fake electrum installed? You say the other half protection is verifying the signature of the downloaded file.
No. But there are times where you think you are on the Electrum website, but you are actually at electrun.org or electrum.to or something like this. By verifying the signatures, you can always be 100% that the file is legit and that you downloaded it from the right place. Make this an obligatory step and you will never be phished for lacking attention.
Not 100% correct.
You can
think you are on the official electrum site (electrum.org shown in the browser, secured through TLS), while in fact you are on an attackers copy of the site.
There are multiple ways to accomplish this as an attacker (e.g. DNS spoofing / cache poisining, MITM, etc..).
But is there a chance verifying the signature of the downloaded file could give you malware/keylogger/virus?
No.
Well.. yes.. in exactly 2 cases this would be possible:
1) TomasV publishes a malicious version of electrum (would be very dumb of him - legal consequences)
2) Someone gains access to ThomasV's signing key and uploads a malicious version signed with this key.
