Table of Contents
- Introduction
- Resources
- Getting Started
- Instructions for Windows and Linux Desktop distros
- Instructions for Mac
- Instructions for Command Line Interface
Introduction

Electrum is one of the most popular lightweight bitcoin clients around. The software is incredibly useful and includes several options and tools that allow ultimate control of your bitcoin. Electrum can be used to access any type of bitcoin wallet, including legacy, P2SH, or bech32 (exception: as of the most recent edit of this post, Electrum is not capable of importing Taproot addresses). Existing wallets can be imported into Electrum using a private key, an extended private key, or a BIP39 seed phrase. It can create new wallets of any type as well, including multi-signature wallets. Electrum can be used to access the popular brands of hardware wallets, too. It's also handy for creating watch-only versions of your cold or hardware wallets. On top of all that, it's open source, which allows anyone to audit the software, removing the need to solely trust the developers.
The unfortunate thing about open source software is that it can easily be copied by nefarious individuals and made to look like the real thing. Electrum's popularity and widespread use make it a prime target for these hackers and scammers. So how does one ensure that the file downloaded is the official, authentic version, and not a malicious fake? First and foremost, make sure you download it only from the official Electrum website, but don't stop there. The only way you can be certain you have downloaded an official release is to check that the file was digitally signed by the developers. A good signature proves the file is byte-for-byte what the developers signed, no matter which server, mirror or proxy delivered it; a checksum published beside the download does not give you that, because whoever replaced the file can replace the checksum too. Electrum has many active developers, and releases are signed by multiple individuals for security purposes. The instructions below focus on checking the signature of one specific developer, Thomas Voegtlin (ThomasV), but can be used to verify the signature of any of the developers listed on Electrum's downloads page.
Resources

Links to key resources

ThomasV's PGP fingerprint:
- 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Source: https://electrum.readthedocs.io/en/latest/gpg-check.html

Redundant links to ThomasV's public key:

List of known, reliable OpenPGP keyservers:
- hkps://keys.openpgp.org
- hkps://keyserver.ubuntu.com
- hkps://pgp.mit.edu

Note that a keyserver does not vouch for any key it serves; anyone can upload a key with any name on it. Always fetch by the full fingerprint and compare it against the fingerprint published on electrum.org.

Third-party binary installations that include GnuPG and a Graphical User Interface (GUI):
Getting Started With GPG

First you'll need to download and install GNU Privacy Guard (GnuPG, or GPG), a free implementation of the OpenPGP standard. The link in the resources section above provides download links for the source code, a binary compilation to install the command-line-only GnuPG tools on macOS and Windows, and links to third-party binary releases which include a graphical user interface. Gpg4win provides the option to install Kleopatra, a GUI application which is very user friendly. Kleopatra is also available on Linux. Mac GPG is also a user friendly application with a GUI front end. I won't go into too much detail on installing GnuPG on your system, there are plenty of resources on the internet that can guide you through that, but the following paragraphs will help you get started.
Navigate to The GnuPG Project's download page, choose the appropriate command-line tool or third-party binary for your operating system, and install GnuPG according to the instructions provided with the distribution.

Note that some Linux distributions include the GPG command-line tools preinstalled, however few distributions include a graphical user interface for the GPG client. Most Ubuntu Linux distributions, including those running on Windows Subsystem for Linux, will have GPG preinstalled. Refer to the CLI instructions for more information.
Once you've installed GPG you may be prompted to create or import a keypair. If you already have a private key you can import it. If you do not have a private key I recommend that you create a new keypair. Again, there are plenty of instructional sites on the internet that can guide you through the process. Having your own keypair is not mandatory to verify signed files: GPG will still report whether a signature is cryptographically good, but it will also print warnings that the signing key is not certified, which may be confusing. To get the full experience, and the safety and security offered by GnuPG, a keypair is needed to certify the public keys of others. Details on how this affects verification are discussed further during the tutorial.

Once you've created or imported your own private key you can import ThomasV's public key. On the downloads page of the official Electrum website you'll find a link to ThomasV's public PGP key. For redundancy I've posted that link in the resources section above. Clicking on the link will take you to a page that displays the public key.
Windows users take note: when downloading signatures and keys, Windows likes to save .asc files with the .txt file extension. To avoid this pitfall, open an Explorer window, click on the View tab, then Options, and under the View tab of Folder Options uncheck "Hide extensions for known file types."
Windows and Linux Instructions

Install on Windows

For Windows systems I recommend Gpg4win. Browse to their downloads page and install the latest version. Once the installation directory is chosen, the installer will allow you to choose components:

Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it. If you don't, you'll have to use command line tools to manage GnuPG. Other optional features are a shell extension, which I find handy, and an Outlook email extension. If you use Outlook the integration is pretty seamless, and actually quite useful.
Kleopatra is also available for Linux. Look for it in the application store, or run the following command:
sudo apt install kleopatra
Once installation is complete, and Kleopatra launches you can create a keypair. If you already have a private key that can be used to certify other people's keys, you can import it at this time.
To create a keypair, enter the ID details you choose and follow the prompts. A passphrase is optional; it only protects your own private key at rest, and that key is used here solely to certify other people's keys.
Import ThomasV's PGP Key on Windows and Ubuntu

Import ThomasV's PGP key using Kleopatra:

Download ThomasV's PGP key from a trusted source. Click the Import button, navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.

Alternatively, you may choose to use the built-in search feature, which will download the public key from a keyserver.

To use the Search feature, copy ThomasV's fingerprint from a trusted source and enter it into the provided search field. Search by the full fingerprint, not by name or email address: anyone can upload a key with ThomasV's name to a keyserver, and only the fingerprint identifies the right key.

Once ThomasV's key has been imported it can be certified. Depending on your version of Kleopatra and the default settings, a pop-up may ask you to certify the public key during the import process; select Yes. If not, on the Certificates tab select ThomasV's key and click the Certify button. Before certifying, compare the fingerprint Kleopatra shows for the key against the one in the resources section; the certification is your statement that they match.

Choose the identities you want to certify; there's no reason not to select them all. If the dialog offers a choice, certify for yourself only (a non-exportable certification), since there is no reason to publish it. Click Certify.
Verify Electrum on Windows and Ubuntu

Download the Electrum package you prefer and the associated signature file. Save both in the same directory. In Kleopatra, click on the "Decrypt/Verify" button and browse to the location of the .exe and .asc files you saved. Select the .asc file and click "Open."

The software will hash the .exe file and check it against each signature in the signature file. If ThomasV's signature matches the .exe file you'll see a window like this pop up with text indicating that the signature is valid, and the key is fully trusted:

Note that the .asc file contains signatures from multiple developers. There are three signatures in the example above. Two of them were made by keys that are not in your keyring, so they cannot be checked, but Kleopatra does list the fingerprints of the keys that made them. The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted. If your results match the example above, you know the .exe file is the one ThomasV signed, and it's safe to run on your system.
Pro Tip: use the convenient Search key on the right to download and certify the keys of the remaining developers. In the example below I show what a fully trusted verification looks like:

In the example above the .exe file matches all the signatures in the .asc file, and those signatures were made by available and certified keys. The result has a bright green tinted background which makes fully trusted and valid signatures unmistakable.

If your results do not match my examples above, or you just want to learn more, keep reading.
In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.

In the example above you'll note there are three signatures in the .asc file that could not be fully verified. That's because none of the keys used to sign the .exe file are trusted by the system in my example. The example shows that ThomasV's key is available, but it has not been certified. The results also show that the .exe file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures. So, we have valid signatures by unknown or untrusted signers: the cryptography checked out, but nothing in your keyring vouches that the signing key really belongs to ThomasV. The listed fingerprints must now be manually compared, character by character, to the fingerprints of the keys you expect to sign the .exe file. The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system, and to certify keys you need your own keypair.
Next, I will demonstrate a failed signature. If the .exe does not match the signatures in the .asc file, the window will have a red tint and the text will also be red:

The example above shows what an invalid signature looks like. To get the results above I created a text file full of gibberish and changed its name to match the .exe file. The test stops when it encounters one invalid signature. The results would look similar if at least one of the signing keys has been imported, even if it has not been certified. This clearly indicates a potentially malicious file that is NOT the file signed by the developers. Delete it, download the package again from the official site, and verify again; if the second download also fails, assume the download is being tampered with and stop.
Mac Instructions

Install on Mac

For Mac users I recommend using the Mac GPG Suite from GPGtools.org. It includes a GPG Keychain app that's very user friendly and walks you through creating a private key pair.

Browse to the gpgtools.org site, download the .dmg file for your version of macOS, and open it to start installation.
Once installation has reached the "Installation Type" page, click "Customize."
Mac GPG is free to use, except for the mail clients. They come with a 30-day free trial if you care to try them, or you may choose to deselect them.
Enter your password if prompted:
Once installation is complete, the system will launch the GPG Keychain app, and prompt you to create a key pair. Enter the credentials of your preference and click the "Generate Key" button. If you already have a private key that can be used to certify other people's keys, click cancel and use the "Import" button to import your private key.
Import ThomasV's PGP Key on Mac OS

Download ThomasV's PGP key from a trusted source. If it's not already running, launch the GPG Keychain app and click the Import button. Browse to the location where you saved the ThomasV.asc file and select it.

The Keychain should now list ThomasV's public key. Compare the fingerprint it shows against the one in the resources section before going any further.

Select ThomasV's key, right-click on it, and select "Sign..." to certify ThomasV's key:

Sign the identities ThomasV has included in his key:
Verify on Mac OS

Download the Electrum image file and the associated signature file. Open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double click the signature file.

Mac GPG will launch the verification tool and check the .dmg file against the signature file. Once the verification tool has completed, it'll pop up a window like this:

Note that the .asc file contains signatures from multiple developers. There are three signatures in the example above. Two of them were made by keys that are not in your keyring, so they cannot be checked, but the tool does list the fingerprints of the keys that made them. The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted. If your results match the example above, you know the .dmg file is the one ThomasV signed, and it's safe to open on your system.
The example below demonstrates a fully verified signature.

In the example above the .dmg file matches all the signatures in the .asc file, and those signatures were made by available and certified keys. To replicate these results you'll have to download and sign the keys of the remaining developers by repeating the steps used to obtain ThomasV's key.

If your results do not match my examples above, or you just want to learn more, keep reading.
In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.

In the example above you'll note there are three signatures in the .asc file that could not be fully verified. That's because none of the keys used to sign the .dmg file are trusted by the system in my example. The example shows that ThomasV's key is available, but it has not been certified. The results also show that the .dmg file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures. So, we have valid signatures by unknown or untrusted signers: the cryptography checked out, but nothing in your keyring vouches that the signing key really belongs to ThomasV. The listed fingerprints must now be manually compared, character by character, to the fingerprints of the keys you expect to sign the .dmg file. The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system, and to certify keys you need your own keypair.
Next, I will demonstrate a failed signature. If the .dmg does not match the signatures in the .asc file the result will indicate a bad signature:

The example above shows what an invalid signature looks like. To get the results above I created a text file full of gibberish and changed its name to match the .dmg file. The results would look similar if at least one of the signing keys has been imported, even if it has not been certified. This clearly indicates a potentially malicious file that is NOT the file signed by the developers. Delete it, download the package again from the official site, and verify again; if the second download also fails, assume the download is being tampered with and stop.
Shell Terminal Instructions

Install CLI-Only Binary

Terminal commands are a more powerful way to interact with GPG. They can be used on any of the operating systems mentioned in this post.

If you've installed one of the third-party binaries with a GUI, the core GnuPG tools are already installed. If you choose not to use a third-party binary with a GUI, the GnuPG site has binary installers for Windows that provide the command line tools only. For macOS use Homebrew or your preferred package manager to install the core tools. If you're using Linux, many distros include the core GnuPG tools by default; otherwise see the instructions below. Once GPG is installed on your system you can run these commands. In Windows use PowerShell or the Windows Terminal; in macOS and Linux use the terminal app.
WARNING! As a general precaution you should never copy unknown commands from the internet and paste them into your operating system's shell terminal. Take the time to research these instructions before following them. Your safety is why you're here in the first place.
If your version of Linux doesn't have GnuPG installed, run the following command (note: apt is the default package manager for Debian based Linux distros; change accordingly for your version of Linux):
sudo apt update && sudo apt install -y gnupg
To show a list of common commands use:
gpg --help
To create a new keypair use:
gpg --generate-key
To import an existing private key use:
gpg --import /path/to/private-key.gpg
To list all the keys in your keyring use:
gpg -k
To list only the private keys in your keyring use:
gpg -K
Import ThomasV's PGP Key using terminal commands

Download ThomasV's PGP key from a trusted source and import it:
gpg --import /<path>/<to>/<file>/<location>/ThomasV.asc
Example:
gpg --import ~/Downloads/ThomasV.asc
Alternatively, you can use GnuPG's built-in function to download ThomasV's key from an OpenPGP keyserver. Always request the key by its full fingerprint, as below, and never by name or email address: a keyserver will hand out any key anyone uploaded under the name "Thomas Voegtlin," and only the fingerprint pins down the right one. For example, here's a command using the keys.openpgp.org server:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

The response should look like this (keys.openpgp.org only serves user IDs whose email address has been verified by the key's owner, so the key may import with fewer user IDs than shown):
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
List the keys in your keyring:

gpg -k

You should now see ThomasV's key in your keyring. Its user IDs are marked [ unknown] because, although the key is now in your keyring, nothing vouches for it yet. The entry should look like this:
pub rsa4096 2011-06-15 [SC]
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid [ unknown] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid [ unknown] ThomasV <thomasv1@gmx.de>
uid [ unknown] Thomas Voegtlin <thomasv1@gmx.de>
sub rsa4096 2011-06-15 [E]
Before certifying, confirm that the fingerprint printed on the line under "pub" is identical to the one published on electrum.org; certifying is your statement that this key really belongs to ThomasV. ThomasV's key can now be certified:

gpg --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

This command may be needed for some configurations (for example, if you have more than one private key):

gpg -u <yourfingerprint> --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Since you have no intention of publishing this certification, --lsign-key can be used in place of --sign-key to make a local, non-exportable signature; the effect on verification is the same.

Select y and press enter at the two following prompts. You'll be prompted for the GPG passphrase that you set when creating your key pair. Because the certification was made with your own, ultimately trusted key, GPG now considers ThomasV's key fully valid, and its user IDs will show as "full."
Check the validity of the public key by listing the keyring again:

gpg -k

The results for ThomasV's key should look like this:
pub rsa4096 2011-06-15 [SC]
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid [ full ] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid [ full ] ThomasV <thomasv1@gmx.de>
uid [ full ] Thomas Voegtlin <thomasv1@gmx.de>
sub rsa4096 2011-06-15 [E]
Verify using Terminal Commands

Download the Electrum AppImage file and the associated signature file, and save them in the same directory. To verify the downloaded AppImage, open a terminal and enter the following command (when the signature file is named after the file it signs, gpg looks for the signed data under that name in the same directory):
gpg --verify /<path>/<to>/<file>/<location>/<filename>.AppImage.asc
Example:
gpg --verify ~/Downloads/electrum-4.2.0-x86_64.AppImage.asc
The result should look like this:
gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg: aka "ThomasV <thomasv1@gmx.de>" [full]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]
Note that the .asc file contains signatures from multiple developers. There are three signatures in the example above. Two of them were made by keys that are not in your keyring, so gpg reports "Can't check signature: No public key," but it does print the fingerprints of the keys that made them. The last signature listed is the one made by ThomasV's key, and it's shown as a good signature from a fully valid key. If your results match the example above, you know the .AppImage file is the one ThomasV signed, and it's safe to run on your system.
The example below demonstrates a fully verified signature.
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <it@oeste.de>" [full]
gpg: aka "Emzy E. (emzy) <emzy@emzy.de>" [full]
gpg: aka "Stephan Oeste (Master-key) <stephan@oeste.de>" [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg: aka "ThomasV <thomasv1@gmx.de>" [full]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]
In the example above the .AppImage file matches all the signatures in the .asc file, and those signatures were made by available and certified keys. The results indicate good signatures from all three keys.
If your results do not match my examples above, or you just want to learn more, keep reading.
In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.
gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
In the example above you'll note there are three signatures in the .asc file, none of which could be fully verified. That's because none of the keys used to sign the .AppImage file are trusted by the system in my example. The example shows that ThomasV's key is available but has not been certified: gpg reports a "Good signature," meaning the cryptographic check passed and the file matches, but it marks the user IDs [unknown] and warns that "This key is not certified with a trusted signature!" because nothing in your keyring vouches that the key belongs to ThomasV. The results also list the fingerprints of the keys used to create the signatures. So, we have valid signatures by unknown or untrusted signers. The "Primary key fingerprint" line must now be manually compared, character by character, to the fingerprint you expect from electrum.org, and the two other "using RSA key" fingerprints to those of the remaining developers. The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system, and to certify keys you need your own keypair.
Next, I will demonstrate a failed signature. If the .AppImage does not match the signatures in the .asc file the result will indicate a BAD signature:
gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: BAD signature from "Stephan Oeste (it) <it@oeste.de>" [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: BAD signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
The example above shows what an invalid signature looks like. To get the results above I created a text file full of gibberish and changed its name to match the .AppImage file. The results would look similar if at least one of the signing keys has been imported, even if it has not been certified. This clearly indicates a potentially malicious file that is NOT the file signed by the developers. Delete it, download the package again from the official site, and verify again; if the second download also fails, assume the download is being tampered with and stop. Note that gpg's exit status alone does not tell you which key made a good signature, so a script should check the reported fingerprints rather than rely on the exit status.
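The CLI procedure above has you compare fingerprints by eye, and the [full]/[unknown] label it leans on comes from the web of trust, not from the signature check itself. The script below is an added example (not from the original post or the Electrum project) that automates both the key-import check and the verification step: key_fingerprint reads an imported key's fingerprint from gpg's colon-separated output so it can be compared to the expected value, and check_status reads gpg's machine-readable status lines (--status-fd, documented in GnuPG's doc/DETAILS) and accepts only VALIDSIG lines whose fingerprint is on an expected list. Certification becomes unnecessary, a good signature from the wrong key is rejected, and a BADSIG fails the file outright. Assumed, not from the page: the acceptance policy (ThomasV's key must sign; MIN_GOOD sets how many expected signers are needed, default 1), and the sample status lines, which are constructed to mirror the page's three outcomes rather than captured from a real run. verify_download and key_fingerprint need gpg installed; check_status runs on the samples alone.

```shell
#!/bin/sh
# Added example: verify an Electrum download with gpg's machine-readable status
# lines (--status-fd) instead of relying on the web-of-trust [full]/[unknown]
# labels. Not Electrum project code; the acceptance policy is an assumption.

# Fingerprints of the three signing keys, copied from the page's gpg output.
THOMASV_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"
EXPECTED_FPRS="$THOMASV_FPR 637DB1E23370F84AFF88CCE03152347D07DA627C 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC"
MIN_GOOD="${MIN_GOOD:-1}"   # assumption: set to 2 to demand a second developer

# key_fingerprint <key id, email or fingerprint>: primary fingerprint of an
# imported key, from colon-separated output (field 10 of the "fpr" record).
# Needs gpg; compare the result to THOMASV_FPR before certifying anything.
key_fingerprint() {
  gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_status: read "[GNUPG:] ..." status lines on stdin, print a verdict,
# return 0 only if the policy holds. Lines that matter:
#   VALIDSIG <fpr> ...  good signature; <fpr> is the signing key's fingerprint
#   BADSIG <keyid> ...  data does not match this signature: reject outright
#   NO_PUBKEY <keyid>   signer's key not in the keyring: cannot check, not fatal
# GOODSIG carries only a 64-bit key id, which can be collided, so it is ignored.
check_status() {
  good=0 bad=0 missing=0 thomasv=0
  while read -r tag kw arg rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case "$kw" in
      VALIDSIG)
        case " $EXPECTED_FPRS " in
          *" $arg "*) good=$((good + 1)) ;;
          *) ;;          # good signature from a key we do not expect: not counted
        esac
        [ "$arg" = "$THOMASV_FPR" ] && thomasv=1
        ;;
      BADSIG)    bad=$((bad + 1)) ;;
      NO_PUBKEY) missing=$((missing + 1)) ;;
    esac
  done
  if [ "$bad" -gt 0 ]; then
    echo "FAIL: $bad BAD signature(s): the file is not what the developers signed"
    return 1
  fi
  if [ "$thomasv" -eq 1 ] && [ "$good" -ge "$MIN_GOOD" ]; then
    echo "OK: $good good signature(s) from expected keys, $missing signer key(s) not in keyring"
    return 0
  fi
  echo "FAIL: $good good signature(s) from expected keys, ThomasV signed: $thomasv"
  return 1
}

# verify_download <file>: <file>.asc must sit beside <file>. Status lines go to
# stdout via --status-fd 1; the human-readable report stays on stderr. Needs gpg.
verify_download() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status
}

# Constructed status lines (modelled on doc/DETAILS, not captured from a run),
# mirroring the page's three outcomes: ThomasV's key only, all keys, bad file.
SAMPLE_THOMASV_ONLY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 3152347D07DA627C 1 8 00 1647459780 9 637DB1E23370F84AFF88CCE03152347D07DA627C
[GNUPG:] NO_PUBKEY 3152347D07DA627C
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CA9EEEC43DF911DC 1 8 00 1647446040 9 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
[GNUPG:] NO_PUBKEY CA9EEEC43DF911DC
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2022-03-16 1647438778 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_ALL_GOOD='[GNUPG:] VALIDSIG 637DB1E23370F84AFF88CCE03152347D07DA627C 2022-03-16 1647459780 0 4 0 1 8 00 637DB1E23370F84AFF88CCE03152347D07DA627C
[GNUPG:] VALIDSIG 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC 2022-03-16 1647446040 0 4 0 1 8 00 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2022-03-16 1647438778 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6'
SAMPLE_BAD_FILE='[GNUPG:] BADSIG 3152347D07DA627C Stephan Oeste (it) <it@oeste.de>
[GNUPG:] BADSIG CA9EEEC43DF911DC SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>
[GNUPG:] BADSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>'
# A valid signature from a key that is not on the expected list (fingerprint
# made up for the example) must be rejected even though gpg calls it good.
SAMPLE_WRONG_KEY='[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-03-16 1647438778 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# Usage: sh verify-electrum.sh ~/Downloads/electrum-4.2.0-x86_64.AppImage
if [ -n "$1" ]; then
  verify_download "$1"
fi
```

Run it as `sh verify-electrum.sh ~/Downloads/electrum-4.2.0-x86_64.AppImage` (the file name is the one from the output above; substitute your download). With only ThomasV's key imported the verdict is "OK: 1 good signature(s) ..., 2 signer key(s) not in keyring"; the gibberish file gives "FAIL: 3 BAD signature(s)"; and a file carrying a perfectly good signature from a key that is not on the expected list is refused, which is the point the manual fingerprint comparison makes. The policy is deliberately stricter than gpg's own exit status: it never counts a signature whose fingerprint it was not told to expect.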
The contents of this article may be shared, in part or in whole. The images within are posted and shared in the public domain. If you share this article please give credit to the author and provide a link to the original.