[GUIDE] How to Safely Download and Verify Electrum [Guide]

[DireWolfM14]

.
Table of Contents
Introduction
Resources
Getting Started
Instructions for Windows and Linux Desktop distros

• Install GPG
• Download and Import ThomasV's PGP Key
• Download and Verify Electrum

Instructions for Mac

• Install GPG
• Download and Import ThomasV's PGP Key
• Download and Verify Electrum

Instructions for Command Line Interface

• Install GPG
• Download and Import ThomasV's PGP Key
• Download and Verify Electrum

.
Introduction
Electrum is one of the most popular lightweight bitcoin clients around.  The software is incredibly useful and includes several options and tools that allow ultimate control of your bitcoin.  Electrum can be used to access any type of bitcoin wallet, including legacy, p2sh, or bech32 (exception: as of the most recent edit of this post, Electrum is not capable of importing Taproot addresses.)  Existing wallets can be imported into Electrum by using a private key, an extended private key, or a Bip39 seed phrase.  It can create new wallets of any type as well, including multi-signature wallets.  Electrum can be used to access the popular brands of hardware wallets, too.  It's also handy for creating watch-only versions of your cold or hardware wallets.  On top of all that, it’s open source, which allows anyone to audit the software, removing the need to solely trust the developers.

The unfortunate thing about open source software; it can easily be copied by nefarious individuals, and made to look like the real thing.  Electrum's popularity and widespread use make it a prime target for these hackers and scammers.  So how does one ensure that he has downloaded the official, authentic version, and not a malicious fake?  First and foremost, make sure you download it only from the official Electrum website, but don't stop there.  The only way you can be certain you have downloaded an official release to check if the file was digitally signed by the developer.  Electrum has many active developers and the releases are often signed by multiple individuals for security purposes.  The Instructions below focus on checking the signature for one specific developer, Thomas Voegtlin but can be used to verify the signature of any of the developers listed on Electrum's downloads page.
.
Resources
Links to key resources

• Electrum website: https://electrum.org/#home
• Electrum Git: https://github.com/spesmilo/electrum
• Electrum documentation: https://electrum.readthedocs.io/en/latest/index.html#
• Electrum developers' signing keys: https://github.com/spesmilo/electrum/tree/master/pubkeys
• The GnuPG Project: https://gnupg.org/

ThomasV's PGP fingerprint:

• 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Source: https://electrum.readthedocs.io/en/latest/gpg-check.html

Redundant links to ThomasV's public key:

• https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
• https://keys.openpgp.org/search?q=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
• https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6694d8de7be8ee5631bed9502bd5824b7f9470e6

List of known, reliable PGP HockeyPuck Keyservers:

• hkps://keys.openpgp.org
• hkps://keyserver.ubuntu.com
• hkps://pgp.mit.edu

Third-party binary installations that include GnuPG and a Graphical User Interface (GUI):

• Windows: https://gpg4win.org/download.html
• MacOS: https://gpgtools.org/
• Linux: https://apps.kde.org/kleopatra/

.
Getting Started With GPG
First you'll need to download and install Gnu Privacy Guard (GPG,) the successive implementation of the OpenPGP standard.  The link in the resources section above provides download links for the source code, a binary compilation to install the command-line-only GnuPG service on MacOS and Windows, and links to third-party binary releases which include a graphical user interface.  GPG4Win provides the option to install Kleopatra, a GUI application which is very user friendly.  Kleopatra is also available on Linux.  Mac GPG is also a user friendly application with a GUI Frontend.  I won't go into too much detail on installing GnuPG on your system, there are plenty of resources on the internet that can guide you through that, but the following paragraphs will help you get started.

Navigate to The GnuPG Project's download page, chose the appropriate command-line tool or third-party binary for your operating system, and install GnuPG according to instructions provided with the distribution.  

Note that some Linux distributions include GPG command-line services preinstalled, however few distributions include a graphical user interface for the GPG client.  Most Ubuntu Linux distributions, including those running on Windows Subsystem for Linux will have GPG preinstalled.  Refer to the CLI instructions for more information.

Once you've installed GPG you may be prompted to create or import a keypair.  If you already have a private key you can import it.  If you do not have a private key I recommend that you create a new keypair.  Again, there are plenty of instructional sites on the internet that you can reference to guide you through the process.  Having a your own keypair is not mandatory to verify signed messages, but verifications will appear with errors that may be confusing.  To get the full experience, and the safety and security offered by GnuPG a keypair will be needed to certify the public keys of others.  Details on how this affects verification will be discussed further during the tutorial.

Once you've created or imported your own private key you can now import ThomasV's public key.  On the download's page of the official Electrum website, you'll find a link to ThomasV's public PGP key.  For redundancy I've posted that link in the references section above.  Clicking on the link will take you to a page that displays the public key.

Windows users take note; When downloading signatures and keys Windows likes to save .asc files with the .txt file extension.  To avoid this pitfall open an explorer window, click on the View tab, Folder Options, and under the view menu disable hidden extensions of known file types.


.
Windows and Linux Instructions

• Install GPG
• Download and Import ThomasV's PGP Key
• Download and Verify Electrum

.
Install on Windows
For Windows systems I recommend Gpg4win.  Browse to their downloads page, and install the latest version.  Once the installation directory is chosen, the installer will allow you to choose components:




Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use command line tools to manage the GnuPG app.  Another optional feature is a shell extension which I find handy, and an Outlook email extension.  If you use Outlook the integration is pretty seamless, and actually quite useful.

Kleopatra is also availabe for Linux.  Look for it in the application store, or run the following command:

Code:

sudo apt install kleopatra

Once installation is complete, and Kleopatra launches you can create a keypair.  If you already have a private key that can be used to certify other people's keys, you can import it at this time.




To Create a keypair enter the ID details you choose, and follow the prompts.  A password is optional.


.
Import ThomasV's PGP Key on Windows and Ubuntu
Import ThomasV's PGP Key using Kleopatra:
Download ThomasV's PGP Key from a trusted source.  Click the Import button, and navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.




Alternatively, you may choose to use the built-in search feature that will download the private key from the keyserver.




To use the Search feature, copy ThomasV's fingerprint from a trusted source and enter it into the provided search field.




Once ThomasV's key has been imported it can be certified.  Depending on your version of Kleopatra and the default settings, a pop-up may ask you to certify the public key during the importation process, select Yes.  If not, on the Certificates tab select ThomasV's key and click the Certify button.




Chose the identity you want to certify, there's no reason not to select them all.  Click Certify.


.
Verify Electrum on Windows and Ubuntu
Download the Electrum package you prefer, and the associated signature file.  Save both in the same directory.  In Kleaopatra, click on the "Decrypt/Verify" button, and browse to the location of the .exe and .asc files you saved.  Select the .asc file, and click "Open."




The software will check the integrity of the .exe file and compare it to the signature file.  If ThomasV's signature matches the .exe file you'll see a window like this pop up with text indicating that the signature is valid, and the key is fully trusted:




Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one is made by ThomasV's key, and it's shown as valid and trusted.  If your result match the example above, you now know that it's safe to run the .exe file on your system.

Pro Tip: use the convenient Search key on the right to download and certify the keys of the remaining developers.  In the example below I show what a fully trusted verification looks like:




In the example above the .exe file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  The result has a bright green tinted background which makes fully trusted and valid signatures unmistakable.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.




In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .exe file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .exe file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .exe file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .exe does not match the signatures in the .asc file, the window will have a red tint and the text will also be red:




The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .exe file.  The test stops when it encounters one invalid signature.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.
.
Mac Instructions

• Install GPG
• Download and Import ThomasV's PGP Key
• Download and Verify Electrum

.
Install on Mac
For Mac users I recommend using the Mac GPG Suite from GPGtools.org.  It includes a GPG Keychain app that's very user friendly and walks you through creating a private key pair.
Browse to gpgtools.org site, download the .dmg file for your version of MacOS, and unpack it to start installation.






Once installation has reached the "Installation Type" page, click "Customize."




Mac GPG is free to use, except for the mail clients.  They come with a 30-day free trial if you care to try them, or you may choose to deselect them.




Enter your password if prompted:




Once installation is complete, the system will launch the GPG Keychain app, and prompt you to create a key pair.  Enter the credentials of your preference and click the "Generate Key" button.  If you already have a private key that can be used to certify other people's keys, click cancel and use the "Import" button to import your private key.


.
Import ThomasV's PGP Key on Mac OS
Download ThomasV's PGP Key from a trusted source.  If it's not already running, launch the GPG Keychain app, and click the import button.  Browse to the location where you saved the ThomasV.asc file, and select it.




The Keychain should now list ThomasV's public key.




Select ThomasV's key, right-click on it, and select "Sign..." to certify ThomasV's key:




Sign the identifications ThomasV has included in his key:


.
Verify on Mac OS
Download the Electrum image file and the associated signature file.  Open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double click the signature file.




Mac GPG will launch the verification tool and compare the .dmg file to the signature file.  Once the verification tool has completed its diagnostic it'll pop up a window like this:




Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one is made by ThomasV's key, and it's shown as valid and trusted.  If your result match the example above, you now know that it's safe to run the .dmg file on your system.

The example below demonstrates a fully verified signature.




In the example above the .dmg file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  To replicate these results you'll have to download and sign the keys of the remaining developers by repeating the steps used to optain ThomasV's key.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.




In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .dmg file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .dmg file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .dmg file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .dmg does not match the signatures in the .asc file the result will indicate a bad signature:




The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .dmg file.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.
.
Shell Terminal Instructions

• Install GPG
• Download and Import ThomasV's PGP Key
• Download and Verify Electrum

.
Install CLI-Only Binary
Terminal commands are a more powerful way to interact with GPG.  They can be used on any of the operating systems mentioned in this post.  

If you've installed one of the third-party binaries with a GUI, the core GnuPG services are already installed.  If you choose not to use a third-party binary with a GUI, the GnuPG site has binary files for Windows that can be used to run the command line tools only.  For more convenient usage, they can also be set to run as a NT-service.  For MacOS use homebrew or your preferred package manager to install the core services.  If you're using Linux, many distros include the core GnuPG services by default, otherwise see institutions below.  Once GPG is installed on your system you can run these commands.  In Windows use PowerShell or the Windows Terminal, in MacOS and Linux use the terminal app.

WARNING!
As a general precaution you should never copy unknown commands from the internet and paste them into your operating system's shell terminal.  Take the time to research these instructions before following them.  Your safety is why you're here in the first place.

If your version of Linux doesn't have GnuPG installed run the following command (Note; apt is the default package manager for Debian based Linux distros, change accordingly for your version of Linux.)

Code:

sudo apt update && sudo apt install -y gnupg

To show a list of common commands use:

Code:

gpg --help

To create a new keypair use:

Code:

gpg --generate-key

To import an existing private key use:

Code:

gpg --import /path/to/private-key.gpg

To list all the keys in your keyring use:

Code:

gpg -k

To list only the private keys in your keyring use:

Code:

gpg -K

.
Import ThomasV's PGP Key using terminal commands
Download ThomasV's PGP key from a trusted source and import ThomasV's public key:

Code:

gpg --import /<path>/<to>/<file>/<location>/ThomasV.asc

Example:

Code:

gpg --import ~/Downloads/ThomasV.asc

Alternatively, you can use GnuPG's built-in function to download ThomasV's key from one of the GnuPG key servers.  For example, here's a command using the OpenPGP key server:

Code:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Indicate your acceptance at the prompts.  The response should look like this:

gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Refresh your keyring:

Code:

gpg -k

You should now see ThomasV's key in your keyring, the entry should look like this:

pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ unknown] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [ unknown] ThomasV <thomasv1@gmx.de>
uid           [ unknown] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]

ThomasV's key can now be certified.

Code:

gpg --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

This command may be needed for some configurations:

Code:

gpg -u <yourfingerprint> --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Select y and press enter at the two following prompts.  You'll be prompted for the GPG password that you set when creating your key pair.  ThomasV's key trust level will be set to "full."

Check the trust level of the public key by refreshing the keyring:

Code:

gpg -k

The results for ThomasVs key should look like this:

pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [  full  ] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [  full  ] ThomasV <thomasv1@gmx.de>
uid           [  full  ] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]

.
Verify using Terminal Commands
Download the Electrum app image file and the associated signature file.  To verify the downloaded AppImage, open a terminal and enter the following command:

Code:

gpg --verify /<path>/<to>/<file>/<location>/<filename>.AppImage.asc

Example:

Code:

gpg --verify ~/Downloads/electrum-4.2.0-x86_64.AppImage.asc

The result should look like this:

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [full]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]

Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one is made by ThomasV's key, and it's shown as valid and trusted.  If your result match the example above, you now know that it's safe to run the .AppImage file on your system.

The example below demonstrates a fully verified signature.

gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) <it@oeste.de>" [full]
gpg:                 aka "Emzy E. (emzy) <emzy@emzy.de>" [full]
gpg:                 aka "Stephan Oeste (Master-key) <stephan@oeste.de>" [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [full]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]

In the example above the .AppImage file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  The results indicate good signatures from all three keys.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .AppImage file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .AppImage file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .AppImage file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .AppImage does not match the signatures in the .asc file the result will indicate a bad signature:

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: BAD signature from "Stephan Oeste (it) <it@oeste.de>" [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: BAD signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]

The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .AppImage file.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.
The contents of this article may be shared, in part or in whole.  The images within are posted and shared in the public domain.  If you share this article please give credit to the author and provide a link to the original.

[1715491916]

1715491916

[1715491916]

1715491916

[1715491916]

1715491916

[1715491916]

1715491916

[1715491916]

1715491916

[DireWolfM14]

Given that the tutorial above contains instructions that require trust to follow I thought it was appropreate that I provide a signature for the tutorial.  To verify click on the "quote" button above the post, copy all the text including the quote header and footer, paste it into your favorite text editor, then save the text file.  Use the code below to create another file in the same directory and with the same name, but with a .asc extension.  Use your preferred method to verify.

Code:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE5uCk8qpATL256qefg7ozyN3KpUcFAmPURNEACgkQg7ozyN3K
pUfxtg//WiYnADw/JA7jvyeVanOBO/9XMaDcz1iNIEzLnCgIxPkKEcFLSA7484Hc
5EtRU92gzaNLtyyEBnHgigYFLyZ1vl6SZmn9VYhgRgnD6xEA+pudTGE6SkovOheR
8tpx4zCTB9WPYCUOFnwpRHAzBVvh2IiinSvut8DvW3UIVirslfnbk5NDzBlmPR+b
Rc+fCruYf21p+YUFOMmvkdOofRpUSZgMna5DsXCZrSSeRF6apjJpBez5zd0mEad+
9Lxv6DjFLNjG87cF3A2dcNSfuCL2tUD/QTaqbx4a0g+8p0CH9pkfN2k2HH7xbOry
UmdDOG+r8IckUKzK71fEhs0Vpk+EoiPYbtsSMDWx8ssd60qbXRM5XRGi6jdUOH7v
LxM0P6fw/iH3bFDMefMtAlzlGbMirQkbsxOf6AGoa8AoXNeezNjWfoWO8pD71cMS
tKVc6QGrgHH4BCswarGhP/k8ReUYtk6lKhr6qsOVfQqIvvpApzsoDwo3UkAlUG3y
j62EbYfhxCDTT8k7Qz2FjkRHaMus90QJZhuapZZIqCEX+LmMCEADw/vSA5n64qY4
H1KL9oGN8ldU5+So3poKV/fN5TTumVmURq9yjvPJJccSmq+immXFPeaNQZlcsKqR
5Z5pWfLuNlDXoTP5/nrSiUFf5sJXiv+EZrEG/MoNTuny4dy55GU=
=iya1
-----END PGP SIGNATURE-----

My GPG key is available by clicking on the website link in my profile, or here on the forum:

https://bitcointalk.org/index.php?topic=1159946.msg56665744#msg56665744

Update 15 JAN 2023
 - Fixed some typos
 - Clarified Linux installation information
 - Added list of HockeyPuck Keyservers

Update 27 JAN 2023
 - Fixed some typos
 - Added link to KDE Kleopatra

[pooya87]

excellent post. just two additions.
first is that usually people don't add the key to their list of trusted keys so the verification result always has a warning that confuses most people. it is along the line of saying something like this:

Code:

gpg: WARNING: This key is not certified with a trusted signature! 
gpg: There is no indication that the signature belongs to the owner.

sometimes people confuse this with the signature not being valid whereas all it says is that they key is not saved in their local database as a trusted key.

second is that it may be a good idea to show what the message is going to look like when wrong signature or wrong key is used. although it is obvious.

ps. we can't talk about GPG and not mention Web of Trust.

[DireWolfM14]

excellent post. just two additions.
first is that usually people don't add the key to their list of trusted keys so the verification result always has a warning that confuses most people. it is along the line of saying something like this:

Code:

gpg: WARNING: This key is not certified with a trusted signature! 
gpg: There is no indication that the signature belongs to the owner.

sometimes people confuse this with the signature not being valid whereas all it says is that they key is not saved in their local database as a trusted key.

I considered adding an example of such results.  Technically the signature file can be verified without any keys in the keyring, but I don't know how deep the rabbit hole I should go with all that.

second is that it may be a good idea to show what the message is going to look like when wrong signature or wrong key is used. although it is obvious.

That's a very practical suggestion, and I do want to include "negative" results so people are familiar with what to look out for.  I will be making some example screenshots of wrong files/signatures and include those.

ps. we can't talk about GPG and not mention Web of Trust.

Definitely worth a read while practicing social distancing and safe computing.  

[Pmalek]

I have always verified all Electrum apps before going through the installation process and I always get that result that pooya87 was talking about regarding the key not being certified. This guide will come in handy to get rid of that once and for all. 

[BlackHatCoiner]

How can a scammer fool the official site of electrum since it's owned by Thomas?

[Rath_]

How can a scammer fool the official site of electrum since it's owned by Thomas?

There's a slight chance that the website might be compromised in the future; nothing is completely secure. The files might be replaced without any other changes to the website. Also, there have been many phishing attempts related to Electrum updates or typos in the official website's name. Verifying the signature can save you from a fatal mistake.

[BlackHatCoiner]

Okay, so now that I've verified that my files are authetic, I can simply uninstall kleopatra and gpg right?

[Rath_]

Okay, so now that I've verified that my files are authetic, I can simply uninstall kleopatra and gpg right?

Yes, but I would recommend you to keep them. Electrum updates are not released very often but you also should verify their installation files especially if Electrum is going to be your main wallet. You might forget to reinstall them or skip the verification process which might result in a loss of funds.

[DireWolfM14]

Okay, so now that I've verified that my files are authetic, I can simply uninstall kleopatra and gpg right?

You can, but I would recommend you keep it installed, you might find more uses for GPG in the future.  You can use it sign and encrypt messages or files of your own.  I frequently use it to sign addresses for my escrow service.  I recently used it to encrypt a message to another member that contained my real name and mailing address (for an auction that I won.)

If you're like me and use your main computer to access your cryptocurrency, you'll want to make sure you aren't downloading some other malware that can compromise your security.  Other than Electrum, there are many software distributions that use GPG signatures for verification, including any updates to GPG4WIN that you'll want to download.  Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

Here are some popular downloads that use GPG signatures to ensure authenticity:
Bitcoin core: https://bitcoincore.org/en/download/
Ubuntu: https://ubuntu.com/tutorials/tutorial-how-to-verify-ubuntu#1-overview
Tor Project: https://support.torproject.org/tbb/how-to-verify-signature/#BuildVerification

[BlackHatCoiner]

Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

I couldn't agree more with that. Hackers cannot fool us if the official site gives us the hash of their software.

[bob123]

How can a scammer fool the official site of electrum since it's owned by Thomas?

There are multiple ways to achieve that.
Some would be:

1) Compromise the Web Server
2) Gain access to the Registrar account (gandi.net in this case) and change the DNS resolution to a different IP (server owned by the attacker)
3) Man-in-the-Middle: Either via malicious browser extension (still https) installed in your browser or via redirecting you to a http site without a certificate.
4) DNS Hijacking: Manipulating DNS Servers to resolve the URL to a different IP (server owned by an attacker)

Verifying the signature (given that his PGP key is not compromised) does protect against these attacks.

[DireWolfM14]

Verifying the signature (given that his PGP key is not compromised) does protect against these attacks.

Emphasis mine, but this really gets to the crux of the matter.  I included redundant links to ThomasV's PGP key because the odds of multiple servers being compromised becomes infinitely small.  The act verifying is really just using those redundant and separate sources to confirm the authenticity of the other source.

[pooya87]

Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

I couldn't agree more with that. Hackers cannot fool us if the official site gives us the hash of their software.

this is actually a terrible idea because it could encourage many users (specially the beginners, or those who are lazy) to skip the PGP verification since they have a hash and only check the file's hash. then that hash could be compromised and they end up with a fake software thinking they have the legit one.

besides, this method is adding an unnecessary extra step. the user has to download the hash file, and its signature and verify that signature then verify the hash of the file. whereas if they had the signature of the file itself the user would verify the signature of the file instead of the hash file.
if there is any concerns about the hash algorithm used during signing they can publish more than one signature using different hash algorithms (keep in mind everything is hashed under the hood before being signed).

[bob123]

Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

I couldn't agree more with that. Hackers cannot fool us if the official site gives us the hash of their software.

Not if the hacker also hack the official website, add tampered installer with it's hash on the website. And yes, it happened before on popular software/OS, such as Linux Mint OS

The point is that these hashes are signed using his PGP key.
Hosting the software and it hashes on the same website / same place obviously is prone to be abused.

But the crucial factor is that they are signed with his PGP key, which is not stored on the server.
Verifying the signature of the txt file containing the hashes would then only passed if these are indeed the hashes produced by the developer.

[HCP]

Yes, that's the entire point... you either need the downloaded application file/installer/exe to be PGP signed or the file containing the hashes (or both for the really paranoid! )...

Without the PGP signature attached to something, you basically have no way to properly validate the download.

[Asuspawer09]

Hi, my desktop pc got reformat and I need to reinstall my electrum, To be honest I'm just new here in electrum and doesn't really know a lot about here that is why I don't have any transactions in my Electrum wallet I only use it because I need to stake my address here in the forum because it can sign an address.

I find this electrum download guide, in the past I only download the electrum application for PC. Is it necessary to download or do every here on the list?



sorry to bother but could anyone explain the importance of these steps. because I didn't do this when I installed the electrum last time. I just can't find a clear explanation online thanks.

[DireWolfM14]

The guide has instructions for three operating systems, you only need to follow the instruction for your OS.  I do recommend you complete all the steps, as it makes abundantly clear that you have the authentic version and not malware.  There are three steps to complete,

Here're links to the instructions for windows:

Install:	https://bitcointalk.org/index.php?topic=5240594.msg54467820;topicseen#post_WinInstall
Import.ThomasV's.Key:	https://bitcointalk.org/index.php?topic=5240594.msg54467820;topicseen#post_WinImport
Verify:	https://bitcointalk.org/index.php?topic=5240594.msg54467820;topicseen#post_WinVerify

[bisdak40]

Why can't we send BTC to native segwit address in Electrum? Is this just a limitation?

I am sending from my "I'm Token" mobile wallet. It says that I should send to an address that starts with "3" or "1".

I'm trying to acquire a "nested segwit address" from electrum but i guess it's hard for a newbie like me to download such a thing.

[pooya87]

Why can't we send BTC to native segwit address in Electrum? Is this just a limitation?

I am sending from my "I'm Token" mobile wallet. It says that I should send to an address that starts with "3" or "1".

because the other wallet you are currently using and are trying to send from appears to not support Bech32 addresses which has nothing to do with bitcoin. you should complain to the developers of that wallet and ask why they haven't added a feature that has been a part of bitcoin for 3 years already!

[Chikito]

I'm trying to acquire a "nested segwit address" from electrum but i guess it's hard for a newbie like me to download such a thing.

in the fact you are a senior member.

Open electrum wallet select already seed > select option > tick BIP39 > then select p2wpkh-p2sh:

or export your native private key then select import private key on beginning electrum then put p2wpkh-p2sh: on front.

[btcb3g1nn3r]

great post, still one short question for Windows users: it's not enough to download the .exe (either installer or standalone) and to check its properties for digital signature, to see the certificates used? Can an attacker resign such .exe files with new certificates to mimic the original ones?

[BlackHatCoiner]

great post, still one short question for Windows users: it's not enough to download the .exe (either installer or standalone) and to check its properties for digital signature, to see the certificates used? Can an attacker resign such .exe files with new certificates to mimic the original ones?

You're verifying the signature of ThomasV using his public key which is outside of the software. There is no reason to remove the certificate from the software, because the hacker's signature won't be verified using ThomasV's public key.

[ranochigo]

great post, still one short question for Windows users: it's not enough to download the .exe (either installer or standalone) and to check its properties for digital signature, to see the certificates used? Can an attacker resign such .exe files with new certificates to mimic the original ones?

Good question. No and no. Hackers wouldn't be able to sign the file after modifying it's code which would result in the signature not matching for the file.

I wouldn't trust using the digital signature of the software as a guarantee that the software hasn't been modified in a malicious manner. CAs has been compromised before and some of them were able to issue fake certification to state actors or hackers. PGP is the only way to ensure that you're downloading the version that is signed by ThomasV.

Also, some of the binaries during the Electrum phishing were actually digitally signed by the hackers using some presumably compromised CA.

[NotATether]

Also, some of the binaries during the Electrum phishing were actually digitally signed by the hackers using some presumably compromised CA.

There is a tool included with Visual Studio that lets you sign any executable before you distribute it. Most people just make a self-signed certificate and those cannot be trusted by themselves because those certificates aren't signed by a chain of CAs.

When windows displays a warning about running a program from an "unknown publisher" then it used a self-signed certificate. That's why the embedded signature can't be relied upon for Electrum integrity. Unless somebody is willing to pay hundreds of dollars for a CA to sign it.

[ranochigo]

There is a tool included with Visual Studio that lets you sign any executable before you distribute it. Most people just make a self-signed certificate and those cannot be trusted by themselves because those certificates aren't signed by a chain of CAs.

When windows displays a warning about running a program from an "unknown publisher" then it used a self-signed certificate. That's why the embedded signature can't be relied upon for Electrum integrity. Unless somebody is willing to pay hundreds of dollars for a CA to sign it.

I don't think it was self-signed. I analysed it on my VM (on an old computer, to be safe) and it appeared to be issued by DigiCert, IIRC and it didn't throw a warning to me. I don't want to download it again but I've found the MalwareBytes analysis.

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

[NotATether]

I strongly believe this thread should be stickied by a global mod or admin. It will save us from having to repeat that using Electrum without verifying it is unsafe to use. People generally only read the first few results on a page, whether it's bitcointalk or Google, and this page doesn't even appear in google search results (well it looks something like a footnote and not an actual result).

Before people come to this board and ask a new question, this will reduce the number of people that need hand-holding.

You all agree that this should be stickied or what?

[Dabs]

This is Thomas V public key as gotten from the website:

Code:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBE34z9wBEACT31iv9i8Jx/6MhywWmytSGWojS7aJwGiH/wlHQcjeleGnW8HF
Z8R73ICgvpcWM2mfx0R/YIzRIbbT+E2PJ+iTw0BTGU7irRKrdLXReH130K3bDg05
+DaYFf0qY/t/e4WDXRVnr8L28hRQ4/9SnvgNcUBzd0IDOUiicZvhkIm6TikL+xSr
5Gcn/PaJFS1VpbWklXaLfvci9l4fINL3vMyLiV/75b1laSP5LPEvbfd7W9T6HeCX
63epTHmGBmB4ycGqkwOgq6NxxaLHxRWlfylRXRWpI/9B66x8vOUd70jjjyqG+mhQ
+1+qfydeSW3R6Dr2vzDyDrBXbdVMTL2VFXqNG03FYcv191H7zJgPlJGyaO4IZxj+
+O8LaoJuFqAr8/+NX4K4UfWPvcrJ2i+eUkbkDJHo4GQK712/DtSLAA+YGeIF9HAn
zKvaMkZDMwY8z3gBSE/jMV2IcONvpUUOFPQgTmCvlJZAFTPeLTDv+HX8GfhmjAJY
T5rTcvyPEkoq9fWhQiFp5HRpYrD36yLVrpznh2Mx7B1Iy8Rq/7avadwVn87C6scJ
ouPu+0PF3IeVmYfCScbfxtx1FaEczm8wGBlaB/jkDEhx0RR8PYKKTIEM7T2LH2p6
s/+Ei4V7mqkcveF/DPnScMPBprJwuoGNFdx2qKmgCKLycWlSnwec+hdyTwARAQAB
tBlUaG9tYXNWIDx0aG9tYXN2MUBnbXguZGU+iQI4BBMBAgAiBQJN+M/cAhsDBgsJ
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAr1YJLf5Rw5hlhD/9T4I/sBCleS9nH
njTJqcOnG28c9C3CRYIizjEui/pKmXz9fB1N9QrCaruPUQx2UacDVCl6dKxac+7s
s3/a6lsjaRn0/2OM/sCVLScyxNPNPQs2b6jkodSNPIM8zv51g+flhwtfrO6h6B4j
IhZgSjFdvqtZd5jaly9rA0uMX045CC4K6HGnq8n4F2p31z0L0LaHBf5EcsCM0MMp
QVkY0aUrNg9uVMGXBHn3osHnOtQaODqcIbpa/OG+Tlt6pVOiDJ7i8TkpQKT7sOaM
VdL//TEoDIOC7qVCN82q2q/gtiBXbziaERVs/eU0O52aX5qUhXu3VIjXTp/riRim
R/f9BPB1dgDZbF2aPZ/rJm26v82ft7gP1Sf52E9MrAaZATTfI0/TUHXeBzN93EA9
xb6/ENAMTX74u+NjlynWPD+hl64eBzJ2ionZF1bJFTgBkMfRYnhllvleCjcq9YfX
md5HKCwtxfygBIujUQSwyUzn0f5DbVCJ7/B19bKdvHGSSBgBEjxqXWQskm2wc0In
ww63goZAGDQliKhIT8xnwOBbLkqSobq4tD9zpQyxvMA2rhy7/gfFRp7TTak7MZHf
lTJ37S5LvcWHm/ccWUZDUN7akoEDc+m6jX3uIEPMD3PQvcHhWv0amco3zDr1qb/+
rXM7TJKd7DPX0E2dRzKu6aYRMTbklbQhVGhvbWFzIFZvZWd0bGluIDx0aG9tYXN2
MUBnbXguZGU+iQI4BBMBAgAiBQJTQDaRAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
AQIXgAAKCRAr1YJLf5Rw5hOBD/9o/NqHLvjhrCfy6/SblSC/udV9ujFnvhZZZprb
r8Oe6GdMwfw+ktZd2nYb09KjxXYmGoZeZKmvCb0LoMKSVWgisH1rgzDzI6UzFL4b
pV2+PqCSiWaekfnBm+oHbGgJCuAXebGXjVL8JsvhAl0HQZzTA1RX0u8TEAHOxOI5
l+mXSN+cwVZuDMpt5v+JDyPGHM/KqaXCw1WJY50mqlan6/15XHilmvY/CaxmbXNH
ZOXucmPxyCTeiQTqyhHsIBb4RxWYCaUXv9+svriotv2HZpQ110NN09ml1K1kDlNL
Zh3jNqMsbImFArbN8GikjqhRBV3K77Np4lccnsBPllQMqqQULG7UshcQTatkmTMb
j2TQ0oQWEZt0uJmnmxgz18ijs6m2fJZhlH0QYVYOwUvK6GfAFluHwOZHIXonv8Ck
uTW+P90lOB/9ZnREZeYb2wlvV6fCTMHxptIbT31kbLTzu4KEI6+ShQXT+YAKiC5S
JC9heheaeApH3wcLiZJcCKYv6ubY+3Uf/EoXcqWywwpS/nWkSpMSYjq+V9xCcGHI
MZ4vZkiZ6OS5Mu739rgGfP7Yi3pqUYLIpUa5QiNOMEhPtWbj/oH5ldaZowwgZ4MK
2Mzxex8IhFppPtZgqJfu9NZQLICpxcd2hUe3XWvB+jcvboZ1p7RO7ax3Vo9zy1fy
YEFML7Q9VGhvbWFzIFZvZWd0bGluIChodHRwczovL2VsZWN0cnVtLm9yZykgPHRo
b21hc3ZAZWxlY3RydW0ub3JnPokCOAQTAQIAIgUCVMYFygIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AACgkQK9WCS3+UcOZ7BQ//VJuRmM7kQd5DcJS76BKpMtKt
gUNV3hi2h8kNGtkIeKhpeiK+PeweFJCb0nQDiEYsg5Xd/l5ZwN34cqlhgaQ8uWBY
rmNnSYGECLrxejx6WTWHp2AtD9BXrj73HEox2abC0Bdky39aCTyuRhSzbFnV2unh
L7IarKqr5bat6ywFZWsOcaisEjWXlTSD/hYqnkRX8vnBZRnRgHyi1yOvHsXGFB3x
O+P7JUb4E7BVzVRDJzMgcBhY5vTZ4Mnc8eIplNVI1TaF2hmhmnezvRF6XNYV1Ew9
t2/HE85+DqIBikUWYPTTxJiWUOwxXP9dVOEmNTcAgVThvMN7W+WoF7//qcNKmbPI
DyGU5xb/MLNrM+MWfavtkHNqcY0+cFf27z4mOxd2eEMDVxN/Fhq0HipugMEawaZ0
G9xsF/rZBzKgpu7+SvqRqxUn36vNz59vDlBYEXSng6nJobUdNb6iHo/rpZ6ZYHKx
mzrK5ROpmKs6zpPTOn8Hw29jxx07auzEIVEa8hzZaiqTfwI9yBwzhFQwNxmNaKRE
adxosvU1VyTvaEVmMmTx227MF1qhwq9yrSXtmKZJGiHRzyL4B4vAGrf9uK9GwzS2
TlyksRdjapw6Cqp8sUB2PUzHqYNWs0wSsZuxwVt6JSD4N8vpYTTF00LONKe2oLhj
GNxpH+BV3SqMHXQl9Ki5Ag0ETfjP3AEQAL5LYJiX5S4PG891TMihejh5KVgc36/R
zgWYJkE26K855t+WdAa6spHKR1RmpTTsnaTXaC/bNxJZq+0vi9GKlw94twEueu0v
Cniinpy6AFeydveCi+qdr5XQ4hx1DY11kntGBL2wMOtrZ4oAeFnntHYcAMYaMBY5
p8gd3WVR2dgIvpOcezQBLwhoMHnN6A+JEQ27ZHcolwDO9ic+t4YAtl552DP1xKbc
T4D1JD0J6W6FbUJElOXReSjNGCuSLZZTsCzMg0P6RHwWUKtDvRKrK/M3Nh/L2EsW
5mAQnYps6a+hyVkVd9kLsogtHPE4xv33pzbDB5Yj+2zqdjYUqO/ODfkP+HjNRvyj
uHL6W3bjU6FnuJQXX4llskls4hlKDPawa3cuWnsdafouAZOxWwBlGysRZ7BaHOFE
TOlAeUN1EYfFrckcfkYzTX7NDA0S99aX730z/c9XrnqM52OO9LrSFRnYZ+K3M8z2
FFvo9/ZtqqTDH0/oH+ay0CwtowSovZUoljAQ8zmmi8CtPDFHg4srae8YxW4fetn7
QtP6rOVRwQCyP12LztC7oYGOectU5G9GkVDubNW48Vuex0/upP9RORjKN8atBroS
cmomR5hShxmgdJBy4I/TDkVFbZq/hRPSTAHgnciEC67TYhszzXP3nTn5/Ah0wCGC
d3HfiNX6G7MdABEBAAGJAh8EGAECAAkFAk34z9wCGwwACgkQK9WCS3+UcOaJRA//
dLHRBjeAkNbRsY5GNTWUZzXr3VC5vNqpwpP9rK4QTAmpl3iU5F+wsgMG78iS2XOV
+ijZA8KvishletQJoNMxS1PU4sA4Y34hYb61ptHs+PmwNpcdgjAX+mCh9xQ0816G
yIaXtxtxacJJW3K07fqKIkJjISPOyTLSd+wl1LtRE2fA67pMmpMHG8t+RPq1dp/e
3qp6L7jc6X3U+bn2m7u2cgEVbuAnSaKGoMSMnsd71Ltf1b6/DwvZz/HBttEgcgSm
PleHUVyBD4LDrcjTDK7zdEMw7b/cPBnu6CmTcogFEqvB4n9Yodo+4ij7AndUTz4J
j1p8vFlnHvhRg82MDfGUPJ+ujBjbYXROs+WAmaCQ8TgjZ3dAFNFrOqAbYu6QlY2x
fu7vj+ruc6ArdmBrOlsJFmNsxFRJfgdUug5JFIUN77GbjisHjWem8cY3szuyEke8
H2pi803CAuVtkaoNmNDHsEBieft34Zo0V+A/q2wkix3S9vyRjOKqhGrW30qxnV6Z
FexueWuO3qOQ0ZU5/TIH0kft2n45/RexeBq/Ip52zE1vEvTkQmBCfCGZmqTu+9Ro
8qsjecxVNxyVPlwhlimryiQ+dPaJYaOSfiwEEMh2MyV5c6t6qN9n6jFdiCLOlmmH
ZFA8xDodsofQEmlv+I/xyEZ7na6nxbpZVuPC3B0JFtY=
=sUYl
-----END PGP PUBLIC KEY BLOCK-----

Please do not use this without checking from another source that it matches the same key from another source or someone else quotes this and says it's matched.

Fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

I copied it here so we have another source that's not changed if the official website gets compromised.

[DireWolfM14]

April showers bring may flowers, and allowed me some time to work on this tutorial.  I've updated the OP to include "BAD" signatures.  I also rearranged the post to consolidate instructions based on operating system.  I think it flows better this way.

Suggestions are always welcome.

[BlackHatCoiner]

Can't Thomas provide a signed hash of each executable? Why should one, that isn't familiar with GPG, go though all this procedure just to verify a signature since he/she could do that really easily?

[NotATether]

April showers bring may flowers, and allowed me some time to work on this tutorial.  I've updated the OP to include "BAD" signatures.  I also rearranged the post to consolidate instructions based on operating system.  I think it flows better this way.

That's great, it means I don't have to wait until a rainy November to update the Bitcoin Wiki page. It's already rainy season here anyway

Can't Thomas provide a signed hash of each executable? Why should one, that isn't familiar with GPG, go though all this procedure just to verify a signature since he/she could do that really easily?

I remember asking this before and the answer I got is that the risk of checksum collision with a bad executable is mitigated if it's signed with GPG.

[BlackHatCoiner]

I remember asking this before and the answer I got is that the risk of checksum collision with a bad executable is mitigated if it's signed with GPG.

Specifically with GPG? How could that happen, I don't understand. Once you hash an executable, don't you hash its binaries?

[NotATether]

Specifically with GPG? How could that happen, I don't understand. Once you hash an executable, don't you hash its binaries?

GPG uses RSA-2048 or RSA-4096 keypairs to encrypt and decrypt messages. It just so happens that it is also possible to sign a message using RSA keypairs, where the "message" here is the binary file contents, and this makes an RSA signature along with some metadata that GPG adds. There's also a verification process[1] that exists for RSA which GPG uses to verify these signatures (which are also binary data).

[1]: https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php

[Dabs]

I like hashes such as SHA256. But it's more like a super secure checksum that your download is not corrupted. You'd still need to verify the hash using the GPG signature.

It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.

[BlackHatCoiner]

You'd still need to verify the hash using the GPG signature.

There are other simpler ways to verify a signed message, but GPG does fine, yes.

It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.

But if the site was compromised, and it showed a different hash, the signature using Thomas' key wouldn't be valid.

[DireWolfM14]

It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.

But if the site was compromised, and it showed a different hash, the signature using Thomas' key wouldn't be valid.

I don't want to speak for Dabs, but I think that's the point he's trying to make.  If you only rely on checksum hashes and the site is compromised, the checksums could easily be replaced by the hackers.  If we rely on GPG signatures the hacker wouldn't be able to sign the releases (or a list of checksums) with ThomasV's key, and we would know something was wrong.  To defeat this type of security the hacker would have to gain access to multiple unconnected servers.  Not impossible, but highly unlikely.

[ranochigo]

I don't want to speak for Dabs, but I think that's the point he's trying to make.  If you only rely on checksum hashes and the site is compromised, the checksums could easily be replaced by the hackers.  If we rely on GPG signatures the hacker wouldn't be able to sign the releases (or a list of checksums) with ThomasV's key, and we would know something was wrong.  To defeat this type of security the hacker would have to gain access to multiple unconnected servers.  Not impossible, but highly unlikely.

This assumes that the attacker won't also replace the PGP public key for ThomasV as well. PGP is best used in conjunction with an established web of trust which can be hard to get for some users and I would probably recommend users to at least get another source of information to validate if the imported public key is also correct.

I agree with the above sentiments as well. Using solely the hash of the files as a validation is insecure. There is a reason why Bitcoin Core hash sums are included within a PGP signed message and users are encouraged to verify them first before trusting it. Using the hashes as it is would merely serve as a way to verify data integrity but not guarantee its security.

[BlackHatCoiner]

Using solely the hash of the files as a validation is insecure. There is a reason why Bitcoin Core hash sums are included within a PGP signed message and users are encouraged to verify them first before trusting it.

This is exactly what I said. To upload a signed message containing the hash instead of leaving a hash solely.

There shouldn't be anything wrong with this and it's quite faster than the other method.

[DireWolfM14]

This is exactly what I said. To upload a signed message containing the hash instead of leaving a hash solely.

There shouldn't be anything wrong with this and it's quite faster than the other method.

I might be misunderstanding your question/comment, so I'll try to get a handle on it:

You're suggesting that (like the bitcoin core dev team) the Electrum dev team should post a PGP signed list of checksums, correct?  Although there's nothing wrong with that, I fail to see how that's faster.  GPG can verify the 28 megabyte windows installer file in just a few second (if that,) it takes me longer to type out the command.  

If the dev team only published a signed list of checksums, I would still verify the PGP signed list, and then I would have to verify the checksums of the binary file.  I would have to verify two files, which takes longer.

And, like NotATether already mentioned; the question was posed to the Electrum dev team.  They don't like that approach due to slight risk of checksum collisions.  Obviously checksum collisions are HIGLY unlikely, but if you have the tools to mitigate a potential issue why not employ them?

[BlackHatCoiner]

Although there's nothing wrong with that, I fail to see how that's faster.  GPG can verify the 28 megabyte windows installer file in just a few second (if that,) it takes me longer to type out the command.  

I meant faster for the newbies who want to verify their executables. I don't know about the others but when I firstly verified electrum using this tutorial, I wasn't completely sure of what I was doing. I was feeling secure with the replies and with the greatly described steps, but I considered the method kinda complex. To be honest, I wasn't into anything related with Bitcoin a year ago, as you can see in the first page of this thread, so this is maybe why. 

Or I may simply have this weirdly paranoid symptom in which you want to understand every-single-thing you're doing, on a disgustingly detailed way, such as understanding the maths behind RSA/ECC. Anyway. Signed checksums might had a shorter tutorial than this one. Although, you're explaining everything perfectly.

They don't like that approach due to slight risk of checksum collisions.

While, they may prefer not to do this with the checksum-way, I personally find it ridiculous for them to justify it with the collisions. Despite the fact that it's never going to happen you're essentially failing the function your entire project relies on. It's ironic...

[Dabs]

Internally, GPG signatures already use a hash or checksum, most likely either SHA1 or SHA256, so it's not any more likely than the signature itself to have a collision. The signature could be SHA512 (that's what I set mine to) so the "unlikelyness" of a collision is effectively and for all practical purposes, zero, unless something is broken.

With a GPG signature, the file is first hashed, then that hash is then signed. It does not "sign" the whole file.

I think the files should be both signed and also include a hash (and the hashes are also signed). More work maybe, but what's another page to sign? If not, just accept what is available. GPG signatures alone are more than enough. Hashes just make it convenient and easy to verify download integrity.

[NotATether]

And, like NotATether already mentioned; the question was posed to the Electrum dev team.

Minor correction: I did not ask the dev team, but I made a thread about it here and those were the answers I got (it's a good throwback read).

[DireWolfM14]

when I firstly verified electrum using this tutorial, I wasn't completely sure of what I was doing. I was feeling secure with the replies and with the greatly described steps, but I considered the method kinda complex.

Thank you for saying that, this is actually the type of feedback I want.  Would you be willing to take some time and tell me what you found to be complicated?  I would really like this tutorial to be simple enough for folks who aren't what we would call "computer savvy," and those who are new to cryptography.

It can be hard for us who enjoy these types of technical projects to put things into the perspective of the masses who don't.  But, we need to keep in mind that we all started someplace.  No one is born with knowledge of cryptography, we all started with a lot less knowledge than we have today.  I've been playing and working with computers since 1985 and considered myself among the more advanced users in my circle of acquaintances and collogues.  But, when I showed up here I felt like a complete dunce.  It had been nearly 20 years since I had used a Unix style OS, and found myself struggling with simple shell commands.  I still get lost reading the technical boards, and realize I've only scratched the surface of how much knowledge exists here.

And, I don't think you and I are alone.  Look at how many newbie accounts pop up asking pertinent, pointed technical questions.  I have a feeling many of these "newbies" are actually long time members who are embarrassed to ask questions from their main account.

Or I may simply have this weirdly paranoid symptom in which you want to understand every-single-thing you're doing, on a disgustingly detailed way, such as understanding the maths behind RSA/ECC.

Lol.  Don't stop.

[BlackHatCoiner]

Thank you for saying that, this is actually the type of feedback I want.  Would you be willing to take some time and tell me what you found to be complicated?

There aren't many things to be mentioned about the complexity of the tutorial. As I said, you guided the reader step-by-step of how to verify the signature of the binaries, but what I find missing from this tutorial and generally from almost every tutorial on the internet is the lack of explanation. Don't get me wrong! Not the explanation that will make you succeed on verifying the signature. I'm talking about the answer to "why?".

You do not need your own private key to verify a signature, but you will need one to certify the public keys of others.

Why would I need a private key to certify the public keys of others?

Chose the email address you want to certify, there's no reason not to select them all.  Click Certify.

Why would I need to certify someone just to ensure that my electrum binaries aren't malicious? Why will I have to deal with an email address and how is it resulted from a file of non-sense characters?

Once installation is completed, and Kleopatra launches I recommend you create a private key.

Why would you recommend me to create a private key? Note that this can be very confusing for a newbie. Do I need a private key for the certification of Thomas' identity or is it just recommended after all?

[pooya87]

I think the files should be both signed and also include a hash (and the hashes are also signed). More work maybe, but what's another page to sign? If not, just accept what is available. GPG signatures alone are more than enough. Hashes just make it convenient and easy to verify download integrity.

That would be pointless because it is like saying each transaction should both contain the signature and the hash it signed. We already know how to serialize the transaction and hash it to verify that signature in that transaction, similarly we already know how to read the file binary and hash it to then sign.

On top of that providing the hash is increasing the risk of newbies getting scammed because it encourages lazy people to only verify the hash instead of the signature (even if the signature is also provided). Down the line we could see someone downloading a fake Electrum and only verifying its hash the scammer provided!

File hashes should ONLY be used for integrity validation NOT authenticity. Integrity validation is also not needed because it is leftover concept from the dial up model days when the  downloaded file could get corrupted.

[NotATether]

Once installation is completed, and Kleopatra launches I recommend you create a private key.

Why would you recommend me to create a private key? Note that this can be very confusing for a newbie. Do I need a private key for the certification of Thomas' identity or is it just recommended after all?

You don't need a private key or to certify anything to verify stuff, the certify process is only to remove the bogus "This key is not trusted" warnings. Some suites may not even display it at all (GPGtools does insist on making a keypair though, I wonder if you can skip that part).

[pooya87]

Once installation is completed, and Kleopatra launches I recommend you create a private key.

Why would you recommend me to create a private key? Note that this can be very confusing for a newbie. Do I need a private key for the certification of Thomas' identity or is it just recommended after all?

You don't need a private key or to certify anything to verify stuff, the certify process is only to remove the bogus "This key is not trusted" warnings. Some suites may not even display it at all (GPGtools does insist on making a keypair though, I wonder if you can skip that part).

They whole point of using PGP keys to sign stuff for others to verify them is to utilize the Web of Trust which is the correct way of using PGP too. That warning is mandatory (it is not bogus, and should not be hidden) since it is telling you that you have forgotten a very important step in verifying digital signatures which is to first import a trusted public key the correct way not just copy it from the internet without putting much thought into it.

By adding the public key of the signer and adding it to your trusted keys (you should have your own key here) you are confirming that you DO actually trust this public key.
Otherwise a malicious attacker can create a fake software, a fake public key and a valid signature with that fake public key. An unaware user downloading all 3 from the same place would see a valid signature but has a fake/malicious software.

[Dabs]

People getting lazy for any reason on verifying signatures, that's on them. If a hash is provided, verify hash for integrity. (some people still use dial up modems today or are on choppy intermittent satellite connections). If a GPG signature is provided, verify it too.

As to why?, aside from all the other reasons stated, why not? How else do you know if a particular public key is trusted if no one else signs it? Very few people actually trust my own public key (or more accurately, few signed it and uploaded the signed key to the keyserver) but I've tried to put it in more than one place.

[DireWolfM14]

Since the Electrum releases are now being signed by multiple builders I thought it was a good time to update the OP to mention that fact, and also add the following link:

Electrum Builders' Signing Keys: https://github.com/spesmilo/electrum/tree/master/pubkeys

[BlackHatCoiner]

Electrum Builders' Signing Keys: https://github.com/spesmilo/electrum/tree/master/pubkeys

Wouldn't it be wiser to publish those keys on separate places? For example, they could also upload them onto Google Drive, Gitlab etc. It doesn't offer a greater security if in the same place Thomas' public key is, you put the others' too, because the compromiser could just generate seven keys more.

There might be a reason behind this I can't think of at the moment. Anyway, thanks for doing it.

[DireWolfM14]

Electrum Builders' Signing Keys: https://github.com/spesmilo/electrum/tree/master/pubkeys

Wouldn't it be wiser to publish those keys on separate places? For example, they could also upload them onto Google Drive, Gitlab etc. It doesn't offer a greater security if in the same place Thomas' public key is, you put the others' too, because the compromiser could just generate seven keys more.

There might be a reason behind this I can't think of at the moment. Anyway, thanks for doing it.

I don't think it's a big deal that they're all in the same Git repository.  The odds of both the Electrum site and the Git repository getting hacked at the same time are extremely remote.  If one or the other gets hacked the binary signatures wouldn't verify. 

I do think it adds security to have a couple of sources from which one could download the keys, just in case one of those sources is hacked.  In the OP I included redundant sources for ThomasV's key.  If you're in the habit of storing other people's public keys yourself, this really only helps when you download someone's key for the first time.  It would allow you to confirm that the multiple sources provide the same key, which helps confirm the key's authenticity.  Once the key has been downloaded and a signature confirmed, you should store the key locally.  Again, this is based on the theory that it's unlikely for multiple sites to get hacked simultaneously.

[NotATether]

Wouldn't it be wiser to publish those keys on separate places? For example, they could also upload them onto Google Drive, Gitlab etc. It doesn't offer a greater security if in the same place Thomas' public key is, you put the others' too, because the compromiser could just generate seven keys more.

Or just upload all the public keys on a public PGP server. There are several of them on the internet that sync with each other, and finding one having a working page that lets you upload keys isn't too hard. These keys can't get "hacked" in the traditional sense because most clients that download these keys have a list of mirrors to try.

[Dabs]

He should just post his key here and sticky it, have a few others quote it, then lock the thread. It's not perfect, as bitcointalk accounts can get hacked, but it will work as an additional source.

[Maus0728]

I know this is a very dumb question but this is the first time I encountered this issue where I always need to rename the signature file similar to the name of the corresponding windows installer.

I've downloaded the signature file with a file name of:

Code:

electrum-4.1.5-setup.exe.developername.asc

Then I renamed the file to make the verification of the signature become possible using Kleopatra.

Code:

electrum-4.1.5-setup.exe

Am i doing this correctly? Because if I did not changed it there is an error that keeps popping out.

[BlackHatCoiner]

Am i doing this correctly? Because if I did not changed it there is an error that keeps popping out.

I had encountered this, too. It seems that Kleopatra has to somehow find the executable by the name of the .asc file. Anyway, it doesn't matter with the verification and yes, you did it properly. The names of those files aren't related at all. There must be a setting where you choose both the signature and the executable and not just the signature.

It has quite confusing UI if I remember correctly.

[nc50lc]

-snip- There must be a setting where you choose both the signature and the executable and not just the signature.

Actually, there is.

Here's how to enable it:

• Open Kleopatra's configuration - "Settings->Configure Kleopatra..."
• Go to "Crypto Operations" and uncheck "Automatically start operation based on input detection for decrypt/verify"; then Apply/OK.
• With that, every time you open an ".asc" file, you'll be prompted to select the file to verify using that signature file.

Image (after opening the signature):

[HCP]

With that, every time you open an ".asc" file, you'll be prompted to select the file to verify using that signature file.

And just to clarify, because it may not be immediately obvious... after you double click the .asc file and get the dialog shown, You click the folder icon labelled #1 and select the .exe that you're trying to verify (that is the "signed data"). Then you click "Decrypt/Verify".


ps. that get's my vote for post of the year!

[Coin-Keeper]

-snip- There must be a setting where you choose both the signature and the executable and not just the signature.

Actually, there is.

Here's how to enable it:

• Open Kleopatra's configuration - "Settings->Configure Kleopatra..."
• Go to "Crypto Operations" and uncheck "Automatically start operation based on input detection for decrypt/verify"; then Apply/OK.
• With that, every time you open an ".asc" file, you'll be prompted to select the file to verify using that signature file.

Image (after opening the signature):

Fantastic post and find!!!!!  Works perfectly for me after 6 test runs with different stuff.  Also, the asc file name is not important at all because kleopatra will match the signing key to the actual file you are trying to verify as noted a post or two above this one.

I simply name the signature file as sig.asc on my Desktop.  I like keeping things simple.  This is so easy I may stop using command lines in a terminal for this process.

GREAT find and post worth merits!!!!!!

[saraariel]

The guide has instructions for three operating systems, you only need to follow the instruction for your OS.  I do recommend you complete all the steps, as it makes abundantly clear that you have the authentic version and not malware.  There are three steps to complete,

Here're links to the instructions for windows:

Install:	https://bitcointalk.org/index.php?topic=5240594.msg54467820;topicseen#post_WinInstall
Import.ThomasV's.Key:	https://bitcointalk.org/index.php?topic=5240594.msg54467820;topicseen#post_WinImport
Verify:	https://bitcointalk.org/index.php?topic=5240594.msg54467820;topicseen#post_WinVerify

"In Kleaopatra, click on the "Decrypt/Verify" button, and browse to the location of the .exe and .asc files you saved.  Select the .asc file, and click "Open.""

When I do that, it says An error occurred, could not open file: input/output error. I did all the steps, but here is where it stops.

[DireWolfM14]

~

The Electrum development group has started issuing signatures from multiple developers, so now the signature files have different names than the executable file.  That's what's causing your problem.  I'm sorry I haven't had time to update the OP with the new instructions yet, but look at post number 57 of this thread.  nc50lc shows how to configure Kleopatra so it'll prompt you to select the .exe file separately.  Once configured properly, and you double-click an .asc file, Kleopatra will open a dialogue  box.  There under the field marked "Signed Data" brows to and select the electrum .exe file.

[saraariel]

Thank you 

That was easy and simple and it did the job.

[DireWolfM14]

Just thought I'd provide an update here on the status of the original post;

Based on the contents of a previous post on the subject of multiple signature files, I submitted an issue on Electrum's git:
https://github.com/spesmilo/electrum/issues/7579

I didn't realize it would be so complicated, but it's obvious the dev team is putting the effort into implementing an aggregated signature file.  It appears that ThomasV has found a solution, so it may be implemented by the next release.  I'll determine then if the OP needs any updates.

[m2017]

Is it necessary to verify Electrum when using a hardware wallets?
What are the consequences of using a compromised Electrum with hardware wallets?

[DireWolfM14]

Is it necessary to verify Electrum when using a hardware wallets?

YES!

What are the consequences of using a compromised Electrum with hardware wallets?

There have been malicious versions in the past that will send all your coins to the scammer's address.  It creates a serupticious transaction that will remain invisible to you.  You'll be under the impression that you're creating a typical transaction, then next thing you know, all your coins are gone.  A hardware wallet will display the actual (malicious) transaction, but if you aren't paying close attention, and you approve the transaction on your hardware wallet you'll send all your money to the scammer.

[Lucius]

Is it necessary to verify Electrum when using a hardware wallets?
What are the consequences of using a compromised Electrum with hardware wallets?

It is always wise to verify the file before installation, but even if you have a malicious wallet every action you take should be confirmed by pressing a hardware button. Therefore, if you pay attention to every step while doing a transaction, you will notice that something is not as it should be and you will not sign the transaction.

You can read more on this topic -> Fake Electrum version 4.0 and hardware wallets

[Pmalek]

What are the consequences of using a compromised Electrum with hardware wallets?

First of all, will your hardware wallet even be able to connect to a fake Electrum wallet? Ledger and Trezor devices can establish connections to Electrum, but a phishing version of Electrum is not Electrum.

But let's say they can connect.
If you have a receiving address that you are intending to send the coins to, you should notice a difference if the fake Electrum app is trying to make you send your funds to another address. The receiving address has to be displayed on the screen of your HW. If you are generating a new address, do it from the native client whose hardware wallet you are using, and copy the address from there into Electrum if you are sending to yourself, doing a consolidation, or something like that. Again, you should notice a difference if the address changes while you are creating the transaction.

[Lucius]

First of all, will your hardware wallet even be able to connect to a fake Electrum wallet? Ledger and Trezor devices can establish connections to Electrum, but a phishing version of Electrum is not Electrum.

The answer is actually on the link from my previous post, because @DaveF did an experiment with fake Electrum in combination with Trezor and ColdCard, both HW did not recognize fake Electrum. The assumption is that hackers used older versions of Electrum, or they did not try to make fake versions compatible with hardware wallets knowing they can’t automatically empty such a wallet. Of course, this does not mean that fake versions of Electrum cannot work with HW, I believe that it is possible to achieve.

[jerry0]

Is there a reason verifying electrum is this complicated?


First off, you need to


Install GPG
Download and Import ThomasV's PGP Key
Download and Verify Electrum



So you need to make sure you are downloading the official GPG and ThomasV PGP Key.  You also need to download kleoptra from another website.  Does downloading many of these things concern anyone here since it increase the chance of a mistake?


Is there a reason why verifying electrum just doesn't require you to download electrum.  Then just right click the program/properties and command prompt and just type letters and words to command prompt and they display the hash just like that... similar to like how you verify ledger live?  I found the verifying ledger live a bit confusing but after I did, it isn't that complicated... but for the average user... it is complicated.  


To verify electrum seems much more complicated since you need to download a bunch of things.  How do you know all these things you downloading now doesn't have malware and all these things?


Now has there ever been a case where someone downloaded electrum from the official electrum site... and got hacked or malware?  Assuming you download electrum and then start using it whether creating a seed or restoring an old seed, can you always verify if your electrum is the real electrum even after started using it?  


I was checking youtube to see if there is a video to do this and found one

https://www.youtube.com/watch?v=lCG3c8a7HZI


In your instructions of

Install Windows


Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use command prompts to manage the GnuPG app.  Another optional feature is a shell extension which I find handy, and an Outlook extension.  If you use you use outlook the integration is pretty seamless, and actually quite useful.

Once installation is completed, and Kleopatra launches I recommend you create a private key.  If you already have one, you can import it at this time.



What do you mean you recommend you create a private key?  I do not understand this and in the youtube video, I do not even see this part mentioned.  I thought the private key was Thomas key.  So what exact private key are you creating here?




Also in the video, there is a part where it says Key Pair Creation Wizard where it ask you to put name/email though it shows optional.  So you just click next and leave it empty and skip it?  Then it ask you to create a password.  I assume this video is outdated and thus none of this applies now?





This is the other instructions I found below for verifying electrum.  On this, it mentions only make sure kleopatra is checked.  So you need to uncheck the other two GPgOL and GPgEX?  Direwolf and the youtube video have you just click next as it auto check all three of these?

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

[chentron]

trying to verify signature of electrum, but i get a error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

[n0nce]

trying to verify signature of electrum, but i get a error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

This guide is from 2020; since then, keys.gnupg.net was deprecated.
I found this similar question answered in a quick web search.

You can look up his key on any other keyserver though; that's the beauty of this decentralized, federated GPG network. Just enter his ID into any keyserver. For example:
https://keys.openpgp.org/vks/v1/by-fingerprint/6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

If you use gpg via command-line, it should be possible to omit the --keyserver, like this:

Code:

gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Alternatively:

Code:

gpg --keyserver keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --keyserver keyserver.ubuntu.com--recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --keyserver pgp.mit.edu--recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

[DireWolfM14]

trying to verify signature of electrum, but i get a error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

As mentioned, keys.gnupg.net isn't around anymore.  Try running one of the commands below from your terminal app.  

Code:

gpg --keyserver hkp://keyserver.ubuntu.com --receive-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Or

Code:

gpg --keyserver hkp://keys.openpgp.org --receive-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

~

From our previous conversations, I recall you're running Windows.  GPG4Win has a Microsoft authentication certificate, so the application won't flag Windows' anti-virus software.  It also checks if the code has been altered since signed by the publisher.  If the package you downloaded doesn't match the certification checksums it'll throw up a big red warning when you try to install it.

For various reasons a lot of open source apps don't use Microsoft's authentication tools.  I believe there are costs associated with maintaining the certificate, so it may be a financial decision.  GnuPG is open source, powerful, secure, and free.  It's a great alternative, especially if the developers want to port port their application to many different OSs.

What do you mean you recommend you create a private key?  I do not understand this and in the youtube video, I do not even see this part mentioned.  I thought the private key was Thomas key.  So what exact private key are you creating here?

You import ThomasV's public key, not his private key.  His private key allows him to sign the releases, and the public key allows all of us to verify that the download was indeed signed my ThomasV.  It's a lot like a bitcoin keypair, in that way.  I can also use GPG to sign messages that others can verify as having come from me, and with someone's public key I encrypt secret messages that can only be decrypted by the holder of the matching private key.  But in order to do so, I need to have a keypair also; a private one, and a public key that I can share with the world.

You don't really need your own keypair to verify that the Electrum download was actually signed my ThomasV.  GPG will tell you that the file was signed by ThomasV's, but it'll also say something to the affect that the key is not "Trusted."  It's really just a formality, but if you're using Kleopatra it won't show the green results page unless the public key has been trusted by your system.  To sign someone else's public key as "trusted" you'll need to have a private key of your own.

Also in the video, there is a part where it says Key Pair Creation Wizard where it ask you to put name/email though it shows optional.  So you just click next and leave it empty and skip it?  Then it ask you to create a password.  I assume this video is outdated and thus none of this applies now?

That sounds right, those are typical options for creating a keypair.  You should definitely have a password if you plan on using GPG to sign or encrypt messages.  I use it regularly to encrypt backups of sensitive information that I want available on multiple devices.  I can store them on the cloud with some measure of additional security.

This is the other instructions I found below for verifying electrum.  On this, it mentions only make sure kleopatra is checked.  So you need to uncheck the other two GPgOL and GPgEX?  Direwolf and the youtube video have you just click next as it auto check all three of these?

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

Whatever.  One is the Microsoft Outlook extension, and other is a Windows Explorer Shell (right click) extension.  I like the shell extension, myself.

[jerry0]

Okay I will disregard the key pair part as that is confusing.  I just don't understand why you mentioned you could create your own key pair... where I have no idea what percentage of the population would even know how to do that.  Thus using ThomasV public key to verify would sound very simple.


I am stuck right now.


This is what I just did now


I downloaded electrum


I downloaded gpg4win and got to the part where its opened kleoptra and it shows

New Key Pair or Import


Next step in direwolf instructions are

Import ThomasV's PGP Key on Windows
Import ThomasV's PGP Key using Kleopatra:
Download ThomasV's PGP Key from a trusted source.  Start Kleopatra, if it's not already running.  Click the Import button, and navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.


I completely ignore clicking on the signatures link next to Windows installer correct?  So just click on ThomasV in blue... which has ThomasV, SomberNight, Emzy next to it?  When you click on ThomasV the blue highlighted, all it does is open up a page with a bunch of keys.  Are you suppose to right click that and save link as?  


The thing is if I were to right click ThomasV and click save link as... it would show saving it to file name as ThomasV and ASC file.  But when it does that, it would save to this pc - downloads where nothing it showing up there.  Like before you click on save, you look at the top where there is no other downloaded files you had downloaded.  Is this normal or not?  If I were to click on desktop/downloads/documents, there is literally no files showing.  Is that normal?  I would have thought I would see electrum exe file I downloaded earlier somewhere here?  So me right click and save as link... that is why I don't see any other files?  Just want to make sure im doing this correctly.

[BlackHatCoiner]

When you recommend you can also create a private key, I do not understand that part.  How is 99% of the population going to know how to even create a private key to verify electrum.  Because ThomasV key is what is needed to verify electrum.

That's indeed a valid query of your side. I had already told him that it may confuse those who'll ask why. The short answer is that you don't need key pairs to verify a signature.

Do I now click on the signatures link next to the electrum windows installer link I just downloaded and download that?

After your kleopatra has imported Thomas' public key, then yes. You have to open the signature file with kleopatra and it'll verify it automatically. Also, make sure the signature file's name is the same as your installer's. For instance, if it's electrum-4.1.5-setup.exe, make sure it's electrum-4.1.5-setup.exe.asc.

[jerry0]

Okay I did not see your post on the creating a private key to verify electrum part.  That part literally would confuse most people.


So to download ThomasV keys, I need to right click on the blue ThomasV... click save link as... then it should save as ThomasV and ASC file to my pc/downloads correct?

[BlackHatCoiner]

So to download ThomasV keys, I need to right click on the blue ThomasV... click save link as... then it should save as ThomasV and ASC file to my pc/downloads correct?

Correct.

[jerry0]

I just did that and then clicked on import from kleoptra and opened the ThomasV file to it.  Then it showed a message and I closed it.  Did I need to see what that message said?



Now I see



Thomas Voegtin      his email     not certified  user id    valid from  June 15 2011 date but doesn't show valid until to.    Then it shows key id.

[BlackHatCoiner]

[...]

Yes, that's what it should show. Did you successfully import it?

[jerry0]

Okay so Im watching that youtube video again and it seems like the box I closed was this message....


Certificate Not Possible Cleopatra

To View other certificates, you first need to create an OpenPGP certificate for yourself.

Do you wish to create one now?


Yes or No



So how do i get back there?  Do i close kleopatra and open kleopatra again and repeat what I did earlier and then click Yes here?

[BlackHatCoiner]

[...]

Kleopatra probably wants you to create a pair, even though it's not required if you just want to verify a signature of an executable. Anyway, create it, it's not toilsome. Do it just to move on.

As for your question, you probably need to repeat it, yeah. Would you mind sharing the video?

[jerry0]

https://www.youtube.com/watch?v=lCG3c8a7HZI


So the message that showed up for me after I imported that ThomasV key is what you see right at the beginning of 3:52.  Its the first box you see with the Certificate Import Result- Kleopatra which show the total number processed, imported, changed.  I remember the numbers shown was the exact ones on that video.  That was the box I closed.  I then just X it instead of clicking okay.  But that message of you have imported a new certificate key where it ask you to certify... I never saw this message.



The video... I used it as reference but I am still following direwolf instructions as others suggested to just follow direwolf instructions here.  So what do i do now?  Do I close kleopatra and reopen it and do the samet hing again?

[BlackHatCoiner]

Please don't edit your posts frequently, because I don't know where/if I should respond.

So what do i do now?

Thomas' key is probably imported, even though it didn't prompt you this "certify" message. What does it show you in All Certificates (main form of Kleopatra)? You should see a "Thomas Voegtlin". Right click to it and click "Certify".

Whether you follow DireWolf's instructions or the YouTuber's, you're going to have it verified.

[jerry0]

I closed kleoptra and reopened it.


it displays the same thing before I closed it





Name                                                                 email                               user id                          valid from        valid until    key-id


Thomas Voegtlin (https//electrum.org)                  thomasv@electrum.org       not certified                     6/5/2011                      xxxxxxxxxxxx



The key id contains numbers and letters but i just typed xxxxxxxxx.



I assume I need to right click on the whole thing and delete it?  Then click import and click on the ThomasV.asc file again?  Because if I just import the same file again... it would show like two of these files?

[jerry0]

What I typed above is under imported certificates.  If I click on All certificates, its the same thing there... EXCEPT you can't see the full words not certified and its like not cer...   and you don't see the full key-id... unless you stretch it?



If I rlght click on Thomas Voegitlin under all certificates or imported certificates, yes i can click on certify.



Do i do this under imported certificates or all certificates or it doesn't matter?

[jerry0]

Okay I am on imported certificates and right click certify.


Then i get message to first create an OpenPGP certificate for yourself.  Do you wish to create one now?  I click yes.


I still need to enter a name and email right?  Does the email need to be an email I use and have access to?  It shows optional but I can put a fake name but make sure the email is an email i have access to?  I don't want to use my primary email for this but should I?  I do have a few other emails.  So use that?

[BlackHatCoiner]

Does the email need to be an email I use and have access to?

No, you can just use any combination, you won't be asked to confirm it. Remember, you just need to verify the authenticity of a file. Not, to communicate using PGP. Have you managed to certify Thomas or not yet?

This is supposed to be simple, I don't understand what's the hassle.

[jerry0]

This makes zero sense.


After I entered my name and put in a fake email address.. i just put email@email.com then clicked next.  It showed a key pair i created?  Why does it do that?  I wrote it down on paper anyway.


Then I click next and it shows


Certify Certificate  - Kleoptra


Fingerprint

Only the fingerprint clearly identifieds the key and its owner.


Certify with   -   Shows check mark with my name -  email@email.com (certified, created today's date)   You can click on the dropdown menu on this but its only option



You can't even click on certify.  Its that or cancel.  There is also advanced and when I click it it opens


Certify for everyone to see (exportable)  unchecked

Expiration   unchecked

Certify as trusted introducer   unchecked



What in the world is this?

[jerry0]

Does the email need to be an email I use and have access to?

No, you can just use any combination, you won't be asked to confirm it. Remember, you just need to verify the authenticity of a file. Not, to communicate using PGP. Have you managed to certify Thomas or not yet?

This is supposed to be simple, I don't understand what's the hassle.

I know its supposed to be simple.  Just look at my post above to see what shows up in my next page after i enter a name just fake email address.  It gives me a key pair long key.  Then i just click next and now im in a page where I never seen before in any instruction.

[jerry0]

I right clicked on the Thomas Voegtlin and just deleted it.  Then I clicked import and imported the same ThomasV.asc file.  Now I see what I believe I'm suppose to see



Certify Certificate:  Thomas Voegtlin (https://electrum.org) - kleopatra

Finger print  6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Only the fingerprint clearly identifies the key and its owner
Certify with    white check mark with green background my name- my fake email


Then you see the three Thomas with check mark on each three of these.




Click certify?

[BlackHatCoiner]

Click certify?

Yes.

[jerry0]

Shows certificate successful.


I now see the user id as certified.  So that is done correctly right?



Now when i click on my certificates, I also see my name and email that i created right above Thomas.  So there is suppose to be my account and Thomas account on all certificates now?


Also, im confused why it shows




All certificates   Imported Certificates  Imported Certificates


Why is there an extra imported certificates tab?  IF you click on either of them, its the same exact thing?




How come I never got to the message  of The software will check the integrity of the .exe file and compare it to the signature file.  If the signature matches the .exe file you'll see a window like this pop up with green text:  Also when am i suppose to click on signatures next to windows installer?  You said I have to do this in the end.

[jerry0]

I just saw a message of shows certificate successful.  But it doesn't look anything like the pictures in direwolf photos with a popup with green text.  There was nothing like this.  It literally shows a small message in a box that said shows certificate successful and that was it...


Also at no point did it even ask me to create a passphrase to protect my key...

[khaled0111]

^^
Because you didn't verify the electrum file yet.
As I suggested in PMs, right click on the Electrum file (you downloaded from electrum.org), you should see more gpgex options -> verify, click on it.
After Kleopatra finishes verifying the file, it should show "valid signature" and that's it!

If it shows a warning saying simething like "This key is not certified with a trusted signature", just ignore it since the fingerprint is correct.

[jerry0]

^^
Because you didn't verify the electrum file yet.
As I suggested in PMs, right click on the Electrum file (you downloaded from electrum.org), you should see more gpgex options -> verify, click on it.
After Kleopatra finishes verifying the file, it should show "valid signature" and that's it!

If it shows a warning saying simething like "This key is not certified with a trusted signature", just ignore it since the fingerprint is correct.

The electrum I file I downloaded is called


electrum-4.1.5-setup



Is that correct?  I clicked on more gpgex options and verify.



Do i just click decrypt/verify as is?  Or do i need to put a check mark to input file is a detached signature?  If you do that, the singed data line opens  up where you can type something to it.


At the bottom theres a check mark on


Create all output files in a single folder


output folder:  c:/uers/myname/downloads

[khaled0111]

The electrum I file I downloaded is called
electrum-4.1.5-setup
Is that correct? 

Yes, this is it.

Do i just click decrypt/verify as is? 

No, click on verify not decrypt/verify.
What do you get?

[jerry0]

The electrum I file I downloaded is called
electrum-4.1.5-setup
Is that correct? 

Yes, this is it.

Do i just click decrypt/verify as is? 

No, click on verify not decrypt/verify.
What do you get?

I got what i posted above...

[jerry0]

When I right click on the electrum downloaded file and verify... i get a new box that opens


Decrypt/Verify Files - Kleopatra


Choose operations to be performed
Here you can check and, if needed, override the operations kleopatra detected for the input given



Input file:  c:/users/myname/downloads/electrum-4.1.5-setup.exe


No check mark on   Input files is a detached signature


No check mark on   Input file is an archive:  unpack with




Check mark on      Create all output files in a single folder


Output folder:  c:/users/myname/downloads




The only thing i can do on this page is either click on Decrypt/Verify... or cancel


Or


Click on those two input files and make it a check mark...


khaled- If you are telling me what I typed below is not what is suppose to show after you right click electrum download setup file and click verify... then I don't know what to say.  


What has me frustrated is when you have people say verifying electrum should not take more than a few minutes, yet the instructions are not even as clear as possible... and three different instruction tutorial shows literally three different ways to verify electrum, that is a problem.


Multiple times already after clicking something or doing something as in the instructions, I get some weird or strange message pop up that I never seen before etc.  I can't believe there isn't an updated video on youtube where someone shows how this is done and you could clearly follow step by step how to do all of this.  That youtube video that I had looked at, even if i followed that video step by step, I would wonder how come it didn't ask me to create a passphrase like in the video after putting in name and a password.

[khaled0111]

Save electrum installer (.exe) and the signature file (.asc) on the same directory and make sure they have the same name (electrum-4.1.5-setup.exe and electrum-4.1.5-setup.asc). Try again and see if this solves the problem.

The proper way to solve this is explained here, though. But, just for the moment, try what I suggested so we don't complicate things any further.

[jerry0]

Save electrum installer (.exe) and the signature file (.asc) on the same directory and make sure they have the same name (electrum-4.1.5-setup.exe and electrum-4.1.5-setup.asc). Try again and see if this solves the problem.

The proper way to solve this is explained here, though. But, just for the moment, try what I suggested so we don't complicate things any further.

In what part of direwolf instructions had you download electrum installer exe?  There was zero mention of this.  All it said was download electrum so I clicked in the installer and then it downloaded.  You are telling me I'm not suppose to click on windows installer and click on standalone executable instead?



Anytime i ever downloaded electrum, I always clicked on windows installer.  I never even heard of anyone clicking on standalone executable to download electrum since the preferred way is always windows installer.  



When you say save electrum installer exe and the signature file asc files on the same directory, can you explain it in a way where someone that isn't that tech savy could understand?  Do i just left it and thats all or i need right click it and save link as?   I had wondered why in the youtube video and in the other instruction they mentioned these two files... since I thought how do you even get an exe file.

[n0nce]

~

What is this dude?

What's that?

Look at it, yes, look at it! Whitespace! I screenshotted it from your post. Tons of it! Yes, I'm wasting someone's disk space as well as your bandwidth - to prove my point! It's annoying!
Why do you have to smash that enter button 42 times after every 2 words? It's annoying and unnecessary. Some whitespace, sure, better than a wall of text. But you're overdoing it!

[jerry0]

I'm frustrated man.  For something that should take few minutes only from what others say, this isn't even simple at all.


I literally followed direwolf instructions here and multiples times i got stuck.  I mentioned there were two other guides... one was a youtube guide... yet the way they did it is different.  The other guide said to only check kleopatra only and uncheck the other two things. 


Then look at this other guide.


https://coinguides.org/verify-electrum-signature/


This one has you download the signature file early on.   Yet none of the other guides even tell you to do this early or at all.


I am frustrated there is no instruction guide where you could follow it step by step and everything would be a breeze.  When I followed direwolf guide, towards the middle/end of it, I get stuck and khaled tells me you suppose to have the electrum exe file and the electrum asg file after he ask me to right click electrum and verify and he tells me now i should see if its verified or not.  I tell him i see something completely different.


Thats when I wondered.. where in the instructions did it say to download electrum file by clicking on the standalone executable in direwolfs guide?  Anyone that is told to download a file would click on windows installer.  I am just frustrated how come there isn't simple easy to follow instructions for something as important as verifying electrum.  I have been using computer for many years on windows.  But anything I download I just use it.   So im not like a computer newbie. 


What I don't get is why steps aren't simplified easier.  Imagine something like this.


Go to electrum.org and download it.  If you have windows, click on windows installer or standalone executable.  Leave no doubt what download means.
Go to Gpg4win website... of course put that the exact website link... then click on download


Obviously having pictures would be helpful as well. 



But let say I figured out how to do verify electrum.  If I were to create a thread on verifying electrum... the steps i write down in a guide would be as clear as possible to anyone on this forum.  I would leave almost zero doubt to someone... who would go... i'm confused or I'm stuck etc.  I cannot believe the guide to verify electrum is this complicated when people say it should take minutes. 








[moderator's note: consecutive posts merged]

[TryNinja]

@jerry0

Right click the Electrum installer .exe -> More GpgEx options -> Verify. What happens?

[jerry0]

Did everyone here get asked to create a passphrase during this process after entering a name and email?  I checked the comments of the earlier youtube link i posted and someone said this and the video creator was shocked and surprised on this and said that is over odds.


There is zero information on any of the guides besides the youtube video guide that ask you to enter a name and an email password.  And they have the passphrase to create in the video which for some reason doesn't appear for me.  Someone mentioned yes thats in the process... yet no discussion at all about this earlier.  That is why this is frustrating.



Also what has me confused now is in the youtube video, you see the guy download the windows electrum file by clicking on installer.  Yet how come that files shows like an exe file though?  Literally every guide that i looked at, if you follow each of them, you will get stuck at one point or another because they either use confusing words or omitted a step or two. 

[bot0111]

There are different ways to verify GPG signatures and different programs can be used but the concept is the same.
Stick to one guide so you don't get confused.

If this guide is too complicated for you then I recommend the YouTube video by Binance Academy.

[jerry0]

@jerry0

Right click the Electrum installer .exe -> More GpgEx options -> Verify. What happens?

Hey Tryninja.  Thanks for responding to me in the thread.  I remember you always being very clear with everything like HCP when helping me out.



Are you talking about the electrum-4.1.5 setup file in my downloads folder?  I am not sure if its an exe file or not.  It does not display the words exe in the title of it.  I had downloaded this electrum file at the beginning of this process and clicked on windows installer. 


TryNinja.  I already posted this earlier when someone asked. 


When I right click on the electrum downloaded file and verify... i get a new box that opens


Decrypt/Verify Files - Kleopatra


Choose operations to be performed
Here you can check and, if needed, override the operations kleopatra detected for the input given



Input file:  c:/users/myname/downloads/electrum-4.1.5-setup.exe


No check mark on   Input files is a detached signature
Signed Data (But its greyed out along with a whole line where there is a folder icon at the end)     If you check the input for this, you can click on a file tho choose for signed data.


No check mark on   Input file is an archive:  unpack with




Check mark on      Create all output files in a single folder


Output folder:  c:/users/myname/downloads




The only thing i can do on this page is either click on Decrypt/Verify... or cancel


Or


Click on those two input files and make it a check mark...If I do check the Input file is a detached signature, right under it... Signed data which is greyed out is no longer greyed out and you can click on a folder and pick a file

[moderator's note: consecutive posts merged]

[TryNinja]

Are you talking about the electrum-4.1.5 setup file in my downloads folder?  I am not sure if its an exe file or not.  It does not display the words exe in the title of it.

Yes, the setup file is an executable (.exe). If you are on windows and you can run it, chances are that it's an executable.

From the beginning:

1. https://electrum.org/#download
2. Click "Windows Installer" to download electrum-4.1.5-setup.exe
3. Right next to it, you also have a "Signatures" link that downloads electrum-4.1.5-setup.exe.asc (make sure to click the right "Signatures" link next to "Windows Installer")
4. After both files finish downloading, they should be on the same Downloads folder.
5. Right click electrum-4.1.5-setup.exe -> More GpgEx options -> Verify.

P.S: NOT decrypt and verify, but verify.

[jerry0]

Okay i downloaded the signatures file next to the windows installer file


I see in my downloads folder right now


Thomas V
gpg4win-4.0.0
electrum-4.1.5 setup
electrum-4.1.5 setup.exe


I then right click on electrum-4.1.5 setup.exe and clicked VERIFY



It shows


Verify Files - Kleopatra
All Operations Completed

Verified electrum-4.1.5 setup.exe.asc' : 3 valid signatures                                        Import  637DBXXXXXXXXXXXXX
                                                                                                                           Import  0EEDCXXXXXXXXXXXXX
                                                                                                                           Search  637DBXXXXXXXXXXXXX
Signature created on Thursday July 22, 2021                                                          Search  0EEDCXXXXXXXXXXXXX

With unavailable certificate
ID:  Ox637DBXXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19, 2021
With unavailable certificate
ID:  Ox0EEDXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19. 2021
With certificate
Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org. (2BD5 824B 7F94 70E6)
The signature is valid and the certificate's validity is fully trusted.




For the ID:..... I just typed in the first few characters and just put XXXXXXXXXXXXX for the rest.



So does this mean my electrum is legit?  How come in the direwolf instructions, you don't see like three signatures and only one and its the last one which is the email?

[TryNinja]

Signature created on Monday July 19. 2021
With certificate
Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org. (@BD5 824B 7F94 70E6)
The signature is valid and the certificate's validity is fully trusted.


So does this mean my electrum is legit?

The above message says so. Congrats, you did it...

How come in the direwolf instructions, you don't see like three signatures and only one and its the last one which is the email?

I believe the file is also signed by other contributors, but you only see/recognize the one from Thomas, since his key was the only one you downloaded (and marked as trusted).

[jerry0]

TryNinja thanks. 


Do you agree that the instructions that were given aren't that clean and concise?  I had a feeling when I saw you post, I knew I was going to figure out how to verify it soon because always you, HCP and a few others... are very clear and then I figure it out.  Of course the other posters here are helpful but i just kept getting stuck each time.


Also one last question.  To set up electrum right now, do i click on the electrum setup or the electrum setup.exe to set electrum up right now?   Okay that was a stupid question.  The electrum setup exe file is the signature.  Do I delete it or just leave it there?  Don't remove the gpg4win right?


is there a reason I did not see any of this in the verification?


6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 which is ThomasV public key?  I thought at some point i would compare this on electrum with this code to see it match?

[moderator's note: consecutive posts merged]

[n0nce]

is there a reason I did not see any of this in the verification?


6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 which is ThomasV public key?  I thought at some point i would compare this on electrum with this code to see it match?

You do see it:

Signature created on Monday July 19. 2021
With certificate
Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org. (@BD5 824B 7F94 70E6) <== here it is
The signature is valid and the certificate's validity is fully trusted.

In this UI it only shows the last 8 bytes, but it doesn't really need to show you all of them, since it already computed and compared everything for you and this is just a nice, readable output of this information.

Also sorry for my earlier comment; I was assuming enough good guides exist on this topic already, seeing how popular Electrum is - I mean this topic started as a guide for safely downloading and verifying Electrum. But maybe some things can be made clearer by OP.

[jerry0]

Hey.  Well I did not know that it displays the last 8 bytes.  That would be completely new to me as I didn't read that in any guide at all etc.


Well I was looking through many guides.  This one, youtube, few ones online, not one of them seem to be hassle free.  Each one always has an issue where at some point, you go how come it doesn't go smoothly etc.



I am now going to do install electrum on my main pc now.  I had tested this on my other windows pc. 



Tryninja, before you listed those steps you posted, is there anything you recommend me not do before I get there to where I was at... before what you said basically confirmed the electrum I downloaded is legit?



Thanks.

[jerry0]

Right now I'm going to verify electrum on my main pc.  


Download and install Gpg4win on the pc.  After all this is done, kleopatra opens up now.


Go to electrum site.  Is the first thing you are suppose to do download ThomasV key first?  I just took a look at the instructions and it has him import ThomasV key first BEFORE even downloading electrum windows installer and the signatures link right next to it?


What I did earlier was I downloaded electrum first before even downloading the Gpg4win.  Does it matter which order you download it?


I ended up downloading electrum windows installer, the signature link to the right of it... and finally the ThomasV file in blue all together.  I then imported the asc file to it.  For some reason few times it doesn't seem to import correctly?  Kept showing 0 imported but eventually afterwards it got imported after some trial and error.  I had created name and fake email.  But you need to make sure the user id gets certified first right before you right click electrum-4.1.5-setup.exe -> More GpgEx options -> Verify?


Because when I kept on right clicking the electrum-4.1.5-setup.exe -> More GpgEx options -> Verify.  I can't getting unsigned signatures.


But then I right clicked on the Thomas Voeglin imported certificates and clicked certified and then it certified.  Then after some other clicking, I got that popup box with it showing three Thomas and three check marks and I click okay.


Then went back to the  electrum-4.1.5-setup.exe -> More GpgEx options -> Verify.  It finally shows the message of




Verify Files - Kleopatra
All Operations Completed

Verified electrum-4.1.5 setup.exe.asc' : 3 valid signatures                                        Import  637DBXXXXXXXXXXXXX
                                                                                                                           Import  0EEDCXXXXXXXXXXXXX
                                                                                                                           Search  637DBXXXXXXXXXXXXX
Signature created on Thursday July 22, 2021                                                          Search  0EEDCXXXXXXXXXXXXX

With unavailable certificate
ID:  Ox637DBXXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19, 2021
With unavailable certificate
ID:  Ox0EEDXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19. 2021
With certificate
Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org. (2BD5 824B 7F94 70E6)
The signature is valid and the certificate's validity is fully trusted.



As long as I see this message above, even if I did some trial and error clicking to get there... that proves the electrum is genuine right?  I just kept clicking import, certify, and eventually got here at the end.

[BlackHatCoiner]

As long as I see this message above, even if I did some trial and error clicking to get there... that proves the electrum is genuine right?

Yes. If it showed you that the signature is valid it means it checked the .asc signature file, the executable and Thomas' public key, did the process of verification and find nothing faulty. Your Electrum is ready to be installed.

[jerry0]

Yea it showed the signature that I posted.  But again, i basically did a ton of trial and error clicking import the same asc file again and then clicked certify when I believe a bit earlier it didn't work.  Then eventually that popup showed up with the three ThomasV email addresses with the three check marks and I click okay. 


I just know at the end, I right clicked on the electrum setup exe file and clicked  More GpgEx options -> Verify.  Then I got the signed signature verification.  But I was concerned if it could still get that message with me doing all this via trial and error.


Also, do I need that keypair long code that was created for me when I typed in my name and fake email address?  Seems to be like a keypair seed or something but that is completely useless right?

[BlackHatCoiner]

Then I got the signed signature verification.  But I was concerned if it could still get that message with me doing all this via trial and error.

No. If you got a successful verification, then it means the signature you downloaded from electrum.org is valid, given the public key you imported to Kleopatra. You didn't do anything incorrectly as long as you imported the correct public key.

Seems to be like a keypair seed or something but that is completely useless right?

Depends on what you want to do. Did you just create it to verify Electrum? If yes, then go ahead and delete the whole Kleopatra. However, you may find it interesting to learn what's all about these key pairs. It may also help you do something you couldn't before. For instance, you can now send encrypted messages if you find others who use GPG.

[jerry0]

When I was setting the Gpg4win up on the computer, it eventually ask me to type in a name and an email address.  I just put in a name and just a fake email address.  The youtube video for this part mentioned this didn't matter so I did that.  In all the other instructions... there was not anything mentioned at all about this.  Neither direwolf or the other instructions even addressed this at all.  Then after I clicked enter, it gave me a long code which I assume is the keypair seed?  Its very long.


I am not sure if you could click cancel during this process but I didn't.


What I want to know is... do I need to keep a copy of this very long key?  I did write it down but is it needed?  Again, there is zero mentioning of this at all even in this thread which I find disappointing. 

[TryNinja]

What I want to know is... do I need to keep a copy of this very long key?  I did write it down but is it needed?

It's only useful if you're ever thinking about signing your own messages/files. So if all you want to do is verify Electrum's signature, you don't have to.

[jerry0]

Thanks Tryninja.  I don't plan to use it to sign my own message/files.  I mean I'm not sure how I would even do that and what purpose it would be for me?  Someone said only if you want to send encrypted messages to someone? 


But there is no point of me uninstalling Gpg4win and kleoptra right?  Might as well leave it in the computer?

[TryNinja]

Thanks Tryninja.  I don't plan to use it to sign my own message/files.  I mean I'm not sure how I would even do that and what purpose it would be for me?  Someone said only if you want to send encrypted messages to someone?

Yes, I’m sure you won’t need it, so just act like you never created your own pair.

But there is no point of me uninstalling Gpg4win and kleoptra right?  Might as well leave it in the computer?

Leave them there so you can verify the next Electrum released and/or other software. There is no point in uninstalling it after all the work you did, IMO.

[jerry0]

Okay I am going to just get rid of the keypair code I wrote down then since I figure it would be no use.


Okay I will not uninstall any of those programs.  Thanks man.

[2647s]

Thanks for making this guide, but i'm still having trouble verifying. The verify terminal command i'm entering is not turning up anything - its not able to find the file. If someone could shed some light on what the exact command needs to be, using the commands given on the guide isn't working; i'm sure i'm entering it wrong, but i can't find where the error is:

sys: linux-manjaro-kde x86_64
file-path: /usr/bin/electrum
file-vers: 4.1.5-2

command: "gpg --verify ~/usr/bin/electrum-4.1.5-2-x86_64.AppImage.asc"

errors using above command:
gpg: can't open '/home/<username>/usr/bin/electrum-4.1.5-2-x86_64.AppImage.asc': No such file or directory
gpg: verify signatures failed: No such file or directory

[DireWolfM14]

errors using above command:
gpg: can't open '/home/<username>/usr/bin/electrum-4.1.5-2-x86_64.AppImage.asc': No such file or directory
gpg: verify signatures failed: No such file or directory

The error seems rather clear; the signature file, which will have the .asc file extension isn't the directory ~/usr/bin.  Could it be in the /usr/bin directory instead?  Do you have the tilde (~) in your command by mistake?

Anyway, the easiest way to verify is the have the signature file in the same directory as the app image, then cd into that directory and run the following command:

Code:

gpg --verify ectrum-4.1.5-2-x86_64.AppImage.asc

Alternatively, you can verify with the files in two separate locations:

Code:

gpg --verify /path/to/ectrum-4.1.5-2-x86_64.AppImage.asc /different/path/to/ectrum-4.1.5-2-x86_64.AppImage

[2647s]

path:  /usr/bin directory  --doesn't exist.

how would you locate the correct path for the sig file?
the sig file gets automatically downloaded/installed together with electrum, right?

also the command was tried with/without (~)... neither work.

[DireWolfM14]

the sig file gets automatically downloaded/installed together with electrum, right?

No, it has to be downloaded separately.  If you downloaded the app image from the website, there's a link to the signature file just to the right of the link to download the app image. 

Otherwise, from the directory where the app image is:

Code:

wget https://download.electrum.org/4.1.5/electrum-4.1.5-x86_64.AppImage.asc

[2647s]

there seems to be a permissions issue for bin directory denying the sig file to be added there.
i'll have to try to get around this, or try your command for dual paths; i'll post the results tomorrow, thanks for helping!

[DireWolfM14]

there seems to be a permissions issue for bin directory denying the sig file to be added there.
i'll have to try to get around this, or try your command for dual paths; i'll post the results tomorrow, thanks for helping!

Try this:

Code:

sudo wget https://download.electrum.org/4.1.5/electrum-4.1.5-x86_64.AppImage.asc

You might have to enter your password.

[2647s]

no luck with that last command; that just downloaded the sig file somewhere, but not in the bin directory. I already have the sig file after you mentioned its a seperate download, i'll just have to force it into bin somehow or try that dual command; i'll post again tomorrow, thanks


it doesn't seem to work;
after managing to force the sig file into the same bin directory as electrum, and running the following command:
"gpg --verify /usr/bin/electrum-4.1.5-x86_64.AppImage.asc"

the following errors come up:
gpg: no signed data
gpg: can't hash datafile: No data

any clues?
-just to check, 'certifying' is completely optional & not necessary to verify, right?

[moderator's note: consecutive posts merged]

[m2017]

there seems to be a permissions issue for bin directory denying the sig file to be added there.
i'll have to try to get around this, or try your command for dual paths; i'll post the results tomorrow, thanks for helping!

Try this:

Code:

sudo wget https://download.electrum.org/4.1.5/electrum-4.1.5-x86_64.AppImage.asc

You might have to enter your password.

Do I understand correctly that if a new electrum update is released, then it is enough to replace the version in the code? For example, 4.1.5 by 4.2, 4.3 etc.
That is, the code will take the form:

Code:

sudo wget https://download.electrum.org/4.2.0/electrum-4.2.0-x86_64.AppImage.asc

[khaled0111]

Do I understand correctly that if a new electrum update is released, then it is enough to replace the version in the code? For example, 4.1.5 by 4.2, 4.3 etc.
That is, the code will take the form:

Code:

sudo wget https://download.electrum.org/4.2.0/electrum-4.2.0-x86_64.AppImage.asc

Most likely, but not necessarily.
They can give any name they want to the Electrum file and they can save it anywhere on the server. But, they probably won't in order to keep things organized and to maintain ease of access.
Just download the latest release directly from the website or copy its address from there and paste it in the command line.

[nc50lc]

That is, the code will take the form:

Code:

sudo wget https://download.electrum.org/4.2.0/electrum-4.2.0-x86_64.AppImage.asc

Based on the previous releases, they have been consistent with the files' naming scheme except on those that needed hardware compatibility like the apk files.
So it will work, but sometime in the future, it could change.

You can actually browse to download.electrum.org using your browser to see the available files.

[DireWolfM14]

I made some significant updates to the OP to include and address the recent changes made by the development team to the way they sign the releases.  I also thought it was appropriate to provide a signature of my own for the tutorial, just in case.

[NeoArkan]

Hello,

Thanks for this interesting post.

I am considering verify Electrum with your method. I have read carefully your tutorial but I still need to start the process.

I am a Mac user and I had several questions :
-I have already downloaded Electrum (from the original website : electrum.org) --> Do I have to uninstall Electrum and install it again after installing GPG, generate private key (I am not sure to understand the reason of the private key either) and Imprt ThomasV's PGP Key on MacOS ? Or I can verify Electrum while it's already on my MacOS ?
-For info, I am using the Electrum version 4.2.1

I had another question concerning :

"Import ThomasV's PGP Key on Mac OS
Download ThomasV's PGP Key from a trusted source.  If it's not already running, launch the GPG Keychain app, and click the import button.  Browse to the location where you saved the ThomasV.asc file, and select it."

Are these links are the trusted source for ThomasV's PGP key (in the beginning of your tutorial) :

"Redundant links to ThomasV's public key:
https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
https://keys.openpgp.org/search?q=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6694d8de7be8ee5631bed9502bd5824b7f9470e6"

If yes. I have opened the first link and there is indeed a long public key BUT I have no idea how to download it in .asc format. (sorry I'm new in bitcoin AND also in MacOs). Can you explain ?

From first you, it's the only steps that are unclear for the moment.

Thanks for your help.

[DireWolfM14]

Hello,

Thanks for this interesting post.

I am considering verify Electrum with your method. I have read carefully your tutorial but I still need to start the process.

I am a Mac user and I had several questions :
-I have already downloaded Electrum (from the original website : electrum.org) --> Do I have to uninstall Electrum and install it again after installing GPG, generate private key (I am not sure to understand the reason of the private key either) and Imprt ThomasV's PGP Key on MacOS ? Or I can verify Electrum while it's already on my MacOS ?
-For info, I am using the Electrum version 4.2.1

The version of Electrum isn't important, the method I described works for v4.2.1 and should work for future releases as well.  You don't need to uninstall Electrum to verify the .dmg file.  You just need to download the .asc signature file associated with the .dmg file, save it into the same directory as the .dmg file, and then run the verification.  If it passes then you know the software you've already installed is authentic.  If it doesn't pass verification, then you should definitely purge the installation.  Personally, if the verification fails I would purge the entire system, but I'm paranoid.

I had another question concerning :

"Import ThomasV's PGP Key on Mac OS
Download ThomasV's PGP Key from a trusted source.  If it's not already running, launch the GPG Keychain app, and click the import button.  Browse to the location where you saved the ThomasV.asc file, and select it."

Are these links are the trusted source for ThomasV's PGP key (in the beginning of your tutorial) :

"Redundant links to ThomasV's public key:
https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
https://keys.openpgp.org/search?q=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6694d8de7be8ee5631bed9502bd5824b7f9470e6"

If yes. I have opened the first link and there is indeed a long public key BUT I have no idea how to download it in .asc format. (sorry I'm new in bitcoin AND also in MacOs). Can you explain ?

From first you, it's the only steps that are unclear for the moment.

Thanks for your help.

Yes, those are trusted sources for ThomasV's key.  The easiest way to save the key is by copying the text from that first link, and pasting it into your favorite text editor.  You can then save it on your system with the name that you choose.  The name of the file isn't important, but remember where you saved it so that you can browse back to that location while importing into your GPG app.

[RickDeckard]

Yes, those are trusted sources for ThomasV's key.  The easiest way to save the key is by copying the text from that first link, and pasting it into your favorite text editor.  You can then save it on your system with the name that you choose.  The name of the file isn't important, but remember where you saved it so that you can browse back to that location while importing into your GPG app.

Besides the method provided by DireWolfM14 you can also highlight the link from ThomasV's key and press "CTRL" + Mouse click which should prompt the right click menu on Safari. Then just select the option "Save Link as..." and you'll be able to save directly the file/key (.asc) into a directory of your choosing.

[NeoArkan]

Hello,

Thank you for your quick answer.

I have still 2 questions for Thomas Key :
1. Do I copy all the text ? (including "Begin PGP Public key block" etc ...) Or only the key ?
2. I have tried with TextEdit on Mac BUT when I try to save I don't see the .asc extension. There are .txt, .html, RTF, .docx, .doc, .odt ...
But NOT .asc. There is also "Document d'archive web" and I have saved on doc with it but I don't think that it is and I don't see the extension on the doc ...

Please can you help ?

[BlackHatCoiner]

1. Do I copy all the text ? (including "Begin PGP Public key block" etc ...) Or only the key ?

You copy all the text. Actually, you don't need to copy it at all, just save it as a .asc file.

2. I have tried with TextEdit on Mac BUT when I try to save I don't see the .asc extension.

You can save it as a .txt, if it doesn't allow you directly as .asc, but it should be trivial to change it to .asc later. In the directory you've saved it, doesn't it show you the file extensions? If not, check: https://duckduckgo.com/?q=mac+show+file+extension

[NeoArkan]

1. Do I copy all the text ? (including "Begin PGP Public key block" etc ...) Or only the key ?

You copy all the text. Actually, you don't need to copy it at all, just save it as a .asc file.

2. I have tried with TextEdit on Mac BUT when I try to save I don't see the .asc extension.

You can save it as a .txt, if it doesn't allow you directly as .asc, but it should be trivial to change it to .asc later. In the directory you've saved it, doesn't it show you the file extensions? If not, check: https://duckduckgo.com/?q=mac+show+file+extension

1) I am able to save it (From File>Save as ...) in .txt but not in .asc (you seem to say that it's possible to direct convert in asc. for the link but I don't see the option. Am I wrong somewhere ?
2) I have made my search on internet. To convert a .txt fil in .asc it needs to download again a new software. Do you know which one I can trust (if possible available in the App Store) ?
3) I am wondering in using this tutorial if the solution for verifying Electrum is really good. Indeed, to verify Electrum, I need to download others softwares (PGP and the soft for converting txt into asc). However, how can I be sure that PGP and other are secure and not full of malware. I should also verify PGP and Co. And it's becoming an infinite circle ... What do you think ?

 

[BlackHatCoiner]

1) I am able to save it (From File>Save as ...) in .txt but not in .asc (you seem to say that it's possible to direct convert in asc. for the link but I don't see the option. Am I wrong somewhere ?

Choose Finder > Preferences > Advanced. Now you can check "Show all filename extensions." if it isn't already checked. Now go to the directory you've saved your .txt file and rename it to <any_name>.asc.

To convert a .txt fil in .asc it needs to download again a new software.

There's no need to download any software for this. It's as simple as renaming a file.

[NeoArkan]

1) I am able to save it (From File>Save as ...) in .txt but not in .asc (you seem to say that it's possible to direct convert in asc. for the link but I don't see the option. Am I wrong somewhere ?

Choose Finder > Preferences > Advanced. Now you can check "Show all filename extensions." if it isn't already checked. Now go to the directory you've saved your .txt file and rename it to <any_name>.asc.

To convert a .txt fil in .asc it needs to download again a new software.

There's no need to download any software for this. It's as simple as renaming a file.

Indeed that was super easy (However I needed the explanation so thanks a lot)
I am not sure 100% that it works because I can't open the file  (.asc) but I guess it's normal because GPG is not installed yet.

[BlackHatCoiner]

I am not sure 100% that it works because I can't open the file  (.asc) but I guess it's normal because GPG is not installed yet.

Yes, you should first install GPG and then open the file with it.

[NeoArkan]

I have completed it and the signature is verified. So good news Electrum software seems good!

For DireWolf, one complementary info for the tutorial :
-They ask me to create a "secret" sentence (I don't remember in which step sorry but it wasn't in the tutorial I think. except this, the tutorial was gratand really well explained)

Thanks for the help of everyone.

[DireWolfM14]

-They ask me to create a "secret" sentence (I don't remember in which step sorry but it wasn't in the tutorial I think. except this, the tutorial was gratand really well explained)

Electrum does indeed generate a 12-word secret seed phrase, that's the back up for your wallet.  The seed phrase creation part of the process is beyond the scope of my tutorial, which focuses on verifying the PGP signatures.  If you need help using Electrum there is plenty of information in this sub-forum, or feel free to create another thread to ask your specific questions.

[NeoArkan]

-They ask me to create a "secret" sentence (I don't remember in which step sorry but it wasn't in the tutorial I think. except this, the tutorial was gratand really well explained)

Electrum does indeed generate a 12-word secret seed phrase, that's the back up for your wallet.  The seed phrase creation part of the process is beyond the scope of my tutorial, which focuses on verifying the PGP signatures.  If you need help using Electrum there is plenty of information in this sub-forum, or feel free to create another thread to ask your specific questions.

No no you understand me wrongly.

It was not by installing Electrum (NOT seed phrase). It was by verifiyng the signature with GPG just after the "Generate new key pair".
They ask me to create a secret phrase (I had to choose it myself). It was not by using Electrum but well GPG.
I think it's a new step.

[DireWolfM14]

-They ask me to create a "secret" sentence (I don't remember in which step sorry but it wasn't in the tutorial I think. except this, the tutorial was gratand really well explained)

Electrum does indeed generate a 12-word secret seed phrase, that's the back up for your wallet.  The seed phrase creation part of the process is beyond the scope of my tutorial, which focuses on verifying the PGP signatures.  If you need help using Electrum there is plenty of information in this sub-forum, or feel free to create another thread to ask your specific questions.

No no you understand me wrongly.

It was not by installing Electrum (NOT seed phrase). It was by verifiyng the signature with GPG just after the "Generate new key pair".
They ask me to create a secret phrase (I had to choose it myself). It was not by using Electrum but well GPG.
I think it's a new step.

Yes, I must have misunderstood, sorry for that.  You are correct; when you create a GPG keypair the software does prompt you to create a password or a secret phrase.  I'll take a look at the tutorial and make sure it's more clearly mentioned.  Thanks for the suggestion.

[NotATether]

No no you understand me wrongly.

It was not by installing Electrum (NOT seed phrase). It was by verifiyng the signature with GPG just after the "Generate new key pair".
They ask me to create a secret phrase (I had to choose it myself). It was not by using Electrum but well GPG.
I think it's a new step.

GPG keys can be created but with skipping the password step, by using the command line gpg --gen-key and following the on-screen instructions listed.

I believe that verifying the key does not require your own key  (and hence password) either - at least on command-line (I once verified a message from someone else's public key without my own key, but maybe I'm  misremembering. I do know that you have to set the key to be trusted while importing it though.

[DireWolfM14]

GPG keys can be created but with skipping the password step, by using the command line gpg --gen-key and following the on-screen instructions listed.

Correct, when using CLI commands you are prompted for a password, but you can leave it blank and press the enter key.

I believe that verifying the key does not require your own key  (and hence password) either - at least on command-line (I once verified a message from someone else's public key without my own key, but maybe I'm  misremembering. I do know that you have to set the key to be trusted while importing it though.

Partially correct: You won't be able to certify (sign) another persons key without your own, but you can indeed verify signed messages without your own key pair.  Technically you don't even need to download the public signing key.  The results will indicate that the message was signed by xyz key, but also mention that they key is unknown or unavailable.  As long as you're willing to confirm that key xyz is they key you expected to have signed the message you don't actually need any keys in your keyring.

[n0nce]

I believe that verifying the key does not require your own key  (and hence password) either - at least on command-line (I once verified a message from someone else's public key without my own key, but maybe I'm  misremembering. I do know that you have to set the key to be trusted while importing it though.

Partially correct: You won't be able to certify (sign) another persons key without your own, but you can indeed verify signed messages without your own key pair.  Technically you don't even need to download the public signing key.  The results will indicate that the message was signed by xyz key, but also mention that they key is unknown or unavailable.  As long as you're willing to confirm that key xyz is they key you expected to have signed the message you don't actually need any keys in your keyring.

Setting a key to trusted shouldn't normally be done if you don't actually trust it. There are various trust levels and PGP does ask you about the level of confidence you have that this key actually belongs to the person (name and email) provided.

This is necessary to create PGP's web of trust.

Trust in a key's owner

In practice trust is subjective. For example, Blake's key is valid to Alice since she signed it, but she may not trust Blake to properly validate keys that he signs. In that case, she would not take Chloe's and Dharma's key as valid based on Blake's signatures alone. The web of trust model accounts for this by associating with each public key on your keyring an indication of how much you trust the key's owner. There are four trust levels.

unknown: Nothing is known about the owner's judgement in key signing. Keys on your public keyring that you do not own initially have this trust level.

none: The owner is known to improperly sign other keys.

marginal: The owner understands the implications of key signing and properly validates keys before signing them.

full: The owner has an excellent understanding of key signing, and his signature on a key would be as good as your own.

[...]

Using trust to validate keys

The web of trust allows a more elaborate algorithm to be used to validate a key. Formerly, a key was considered valid only if you signed it personally. A more flexible algorithm can now be used: a key K is considered valid if it meets two conditions:

1.) it is signed by enough valid keys, meaning
- you have signed it personally,
- it has been signed by one fully trusted key, or
- it has been signed by three marginally trusted keys; and

2.) the path of signed keys leading from K back to your own key is five steps or shorter.

The path length, number of marginally trusted keys required, and number of fully trusted keys required may be adjusted. The numbers given above are the default values used by GnuPG.

[jerry0]

Downloaded and verified electrum few months ago.  This was with electrum version 4.1.5 on windows ten laptop.  The I entered my old electrum seed phrase to restore the old electrum wallet.  The old electrum wallet does not have any btc.  You do see all the history of transactions from a while back.


Now, do i need to update electrum again if i plan to use it?  Now can you update electrum from electrum settings... or you need to go to electrum site and download the newest electrum version and then have to verify it again?  Or is that not necessary anymore? 


Do you need to verify electrum each time there is a new version and you need to verify it?  Recall with ledger live, once you verify ledger live just once on your windows pc, anytime there is a ledger live update showing in top right corner, you can just click that and update it because ledger live has already been verified.  But is that the same with electrum or you need to verify the hash each and everytime with electrum?

[nc50lc]

-snip- But is that the same with electrum or you need to verify the hash each and everytime with electrum?

Electrum is different,
It's in-app notification will only prompt you to download the latest version from the official website linked in the "update check".
It wont be downloaded and installed by the app itself.

It's basically the same as downloading a new binary that's not linked to your previously verified file.
So it's still recommended to verify the new binary every time there's a new update.

Now, do i need to update electrum again if i plan to use it?

It's up to you if you want the new version's features or need the bug fixes. (release notes)

[jerry0]

How old of an electrum can you still use without it having problems?  For example i mention the electrum version that i have on my windows pc that i installed and verified not that long ago.  But how often does electrum have an update?  Once every... how many months? 


But you could still use it with no issue as long as its at least electrum x.x version?  Back then recall i rarely ever updated it.



Also when did people actually starting verifying electrum.  Back when i used it long time ago, i never did that.  Had no clue you had to do it or even heard of people talk about verifying it.  Did this all come about years ago because of the electrum fake message of telling me people to download the fake electrum which caused this whole you need to verify electrum?  Because if that is the case, that make sense.  But back then, nobody did that?  But as long as you download electrum from the official site... and by that i mean you actually type the address on the address bar yourself as oppose to google.... there hasn't been a case of fake electrum correct?

[nc50lc]

How old of an electrum can you still use without it having problems?  For example i mention the electrum version that i have on my windows pc that i installed and verified not that long ago.  But how often does electrum have an update?  Once every... how many months?  

Not depending on months, it depend if there's a major bug in the version that you're using or if there's a new feature that you need from the latest release.
You can refer to the release notes in my previous post to check what's changed.

Now, it's safe to assume that your currently installed v4.1.5 can work without issues.

Also when did people actually starting verifying electrum.

I can only guess based from the archived page of electrum.org.
Ever since the start, they've added a simple checksum (MD5 Hash) to check if the downloaded binary is the same as the release.
But that's not the verification we're doing now.

If archive.org's dates are accurate, they've started including signatures in 2013.
electrum.org/download: March 2013 - MD5 checksum and signature
electrum.org/download: January 2013 - just MD5 checksum

[Pmalek]

Now, do i need to update electrum again if i plan to use it?

You literally replied to one of my posts a few hours ago saying you don't want to use Electrum anymore because you prefer Ledger Live.

Well i kind of don't want to use electrum anymore.  Haven't used it in years and only used ledger live with the nano ledger s.

And here you are asking whether or not you should verify the newer versions of the software. You should verify each new Electrum version before installing it on your computer no matter how often they come out.

Cypress Hill - Insane In The Brain

[DireWolfM14]

~

Lol, a lot of folks seem to get frustrated with jerry, but he doesn't bother me at all.  I imagine he's not very experienced with computers, and trying to learn general computing and crypto at the same time would be daunting for any of us.  Even if he over-thinks things from time to time, at least he's making the effort and being thorough, which is to be commended. 

Most of us who are more technically capable have probably been using computers for years (or decades, in my case) before getting into crypto.  Obviously that's bound to provide an advantage.

[Pmalek]

Lol, a lot of folks seem to get frustrated with jerry, but he doesn't bother me at all.  I imagine he's not very experienced with computers, and trying to learn general computing and crypto at the same time would be daunting for any of us.

Most people active in the technical boards have stopped responding in his topics altogether. I have no problems helping anyone if I can. The problem with Jerry is that you tell him something yesterday and he asks the same thing today. Next week, he will ask it again. The perfect examples are updates to Ledger Live and the crypto apps. Should I update, when should I update, what percentage of the world population already updated, can I lose my coins if I update, will I get a virus when I update, a new version came out last week, do I need to update this time...

The chances of Bitcoin switching to POS are greater than the chances of Jerry not asking about an update.

[tainted_love]

Can electrum import the wallet from a WIF hdseed?

[nc50lc]

Can electrum import the wallet from a WIF hdseed?

The one from Bitcoin Core dumpwallet file or similar? If so, no.
Electrum only accepts Seed Phrase (Electrum or BIP39), Master private keys or individual WIF private keys (for a single address) to restore a non-watching-only wallet.

[jerry0]

you have to reverify every single time electrum has update?

[DireWolfM14]

you have to reverify every single time electrum has update?

You absolutely should, yes.  Murphy's law; the one time you decide to skip verification will be the time you download malware and lose all your coins.  Once the initial setup is done, verification takes less than a minute.  Git 'er done.

[nc50lc]

you have to reverify every single time electrum has update?

If you already set-up a machine with the necessary GPG tools,
you don't have to set it up all over again so there's not much hassle to verify the new version.

Usually, you'll just have to redo the last step which is the actual verification; in the OP, it's the "Download and Verify Electrum" step.

[Maus0728]

Just want to to verify 

Does the electrum's latest release 4.3.0 only signed by SomberNight and Thomas Voegtlin? Here's the result in terminal.

gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) <somber.night@protonmail.com>" [full]
gpg: Signature made Friday, 05 August, 2022 11:06:27 PM PST
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [full]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]

If so, then what happened to Stephan Oeste? Because the last time I updated Electrum, I have 3 valid signatures upon verifiying. Thank you!!

[nc50lc]

Just want to to verify  
-snip-
If so, then what happened to Stephan Oeste? Because the last time I updated Electrum, I have 3 valid signatures upon verifiying. Thank you!!

Yep, the signature file for v4.3.0 only contains two signatures:


Emzy's public key is still in Electrum's Repo: https://github.com/spesmilo/electrum/tree/master/pubkeys; His Github profile is also active: https://github.com/Emzy
It's just the signature file in the website doesn't include his signature but you can still download it from here: github.com/spesmilo/electrum-signatures/tree/master/4.3.0

[DireWolfM14]

~

Apparently the release was ready before Emzy had a chance to review and sign.  I think he's been busy lately with his work as a member of the Bisq team, from what I can tell. Emzy's signatures have been added to all the releases as of this morning.

You can see the timestamp of the files here: https://download.electrum.org/4.3.0/

[DireWolfM14]

I recently made some updates to the guide to clarify Linux instructions, add a list of HockeyPuck servers, and I included a link to the KDE Kleopatra site.

I also updated the signature and listed the changes in this post: https://bitcointalk.org/index.php?topic=5240594.msg54223765#msg54223765

[NotATether]

Bump (I know this conversation was already had, but why the hell isn't this stickied? Nobody's going to find this thread on page 3).

[DireWolfM14]

Bump (I know this conversation was already had, but why the hell isn't this stickied? Nobody's going to find this thread on page 3).

I've reported it to the mods to ask for it to be stickied, but it remains unhandled.  Maybe the active mods want to leave it to ThomasV to decide, but he's not very active so it may have gone unnoticed by him.

@ghost43 has been more active as of late, I'll send him a PM ask him to pass on the message to ThomasV.

[Thomas29]

I've been without access to my desktop computer for awhile so I haven't udpated electrum in roughly 1 year now. I don't remember how I verified the PGP signature before. I'm sure this question has been asked before but if I'm using a hardware wallet with electrum like a ledger nano s for example do I need to worry about my crypto being stolen still or is it just a nuisance to have to deal with it?

[_act_]

I've been without access to my desktop computer for awhile so I haven't udpated electrum in roughly 1 year now. I don't remember how I verified the PGP signature before. I'm sure this question has been asked before but if I'm using a hardware wallet with electrum like a ledger nano s for example do I need to worry about my crypto being stolen still or is it just a nuisance to have to deal with it?

This thread is about how to download Electrum and verify its PGP signature, it is not about connecting hardware wallet to Electrum secure or not. It would have been better if you create a new topic about anything that is not related to this thread.

As for your question, using hardware wallet with Electrum is safe. But you have to be careful about Ledger devices becuase they are one of the worst hardware wallets so far.

[NotATether]

Bump (I know this conversation was already had, but why the hell isn't this stickied? Nobody's going to find this thread on page 3).

I've reported it to the mods to ask for it to be stickied, but it remains unhandled.  Maybe the active mods want to leave it to ThomasV to decide, but he's not very active so it may have gone unnoticed by him.

@ghost43 has been more active as of late, I'll send him a PM ask him to pass on the message to ThomasV.

Congrats to whoever stickied this thread then (maybe theymos while scouring the earth for mixer topics?)

[DireWolfM14]

Congrats to whoever stickied this thread then (maybe theymos while scouring the earth for mixer topics?)

I had sent PMs to the moderators of this board to no avail, but eventually theymos took pity on me.  The OP is a long post with lots of information, so I'm sure it was just a matter of taking the time to scrutinize it for safety and security's sake.

[jon_btc]

What is the most secure way to install electrum to android. Is it via apk or official app from google play . I am not an expert on android so I was wondering if there is any reason not to trust the google play

[_act_]

What is the most secure way to install electrum to android. Is it via apk or official app from google play . I am not an expert on android so I was wondering if there is any reason not to trust the google play

Through the official site and verify its signature. It is recently that fake Electrum apps are not common on Playstore but you can see a fake app on Playstore at anytime.

[jon_btc]

Thank you _act_ . Is there a reason to to trust the official app from google play ?  Verifying the pgp seems not easy on android. Could use a computer for that but I don't want to involve a computer

[Pmalek]

Is there a reason to to trust the official app from google play?

There have been numerous examples of scammers hosting fake wallet apps on the Play Store. You should never search for a wallet by going to the Play/App Store and using the search field there. Always go to the official wallet website, click on the genuine download links, and install the app that way.  

Verifying the pgp seems not easy on android.

I have never tried it, but it's for your own safety that you are doing it. It's better to spend a bit more time on the verification now, then to regret not having done it if something goes wrong.

Could use a computer for that but I don't want to involve a computer

It's OK to use a computer because it's easier. I have verified certain mobile apps on my computer and then sent myself the apk files or the exact download location to my phone.

[jerry0]

When you download and verify electrum on your laptop, what happens when there is a new electrum update?  I currently do not have electrum installed on my windows laptop.  I haven't used electrum in a while and don't remember exactly what happens but you could still use electrum with the older version right?  Anyone know how old version of electrum you can still use before you have to download the newest version?  Also, once you downloaded and verify electrum on your laptop that one time... any new electrum version update downloads... you download from electrum site... but do you still have to verify it or not?  I forgot the answer to this.



Last time on another laptop, I downloaded electrum and verified it.  Then I haven't used it for a while.  Then I noticed there was many updates after that electrum so because of that, I didn't even open the old electrum.  But as long as you download from official electrum site... do you need to verify it though even if you have the verified electrum on your laptop downloaded from a while back?

[Pmalek]

<Snip>

The process remains the same for every version of the Electrum wallet that the developers release. The reason you verify the software is to make sure that you have a legitimate copy that was signed by the real developers of Electrum. You should do it for each new release because the legitimacy of an older version doesn't mean hat future ones are genuine. You could still end up with a fake wallet that someone else created and signed. So, before you upgrade to a newer version, go through the verification process again.

[DireWolfM14]

do you need to verify it though even if you have the verified electrum on your laptop downloaded from a while back?

I verify every time I download an update, regardless of how confident I am about the website or source of the download.  Once you have GPG installed and the developers' keys imported into your keyring, verification becomes very easy and takes less than a minute.

[jerry0]

A while back I downloaded electrum again on my older laptop and installed that GPG that you are talking about.  I no longer use that computer though.  So you are saying download electrum again from the official website on the new computer, then download GPG and do the same exact thing.


Then everytime there is a new electrum update, how do you check the new electrum update is real that takes less than a minute?


However, if you manually enter the electrum website on the address bar, then isn't it pretty much 100% the electrum you download is legit though?  Has there been even one case of electrum downloaded from the official site being fake?  And by that... I mean you manually type in the electrum website address on the address bar and click enter as oppose to going to google and clicking on electrum site which might not be electrum.  Also how often does electrum have an update these days?  Do most people typically wait a while after an update before you download the new electrum? 

[Pmalek]

<Snip>

I hope you are not planning on capturing this thread like you did in the past with everything in the Hardware Wallet sub and your 1001 questions.
Your question has been answered. VERIFY THE SIGNATURES before installing an update EVERY TIME, no matter how many times you did it in the past. It doesn't matter how other people do it. Try and do the right thing on your end.

I am not aware of anyone uploading a fake version of Electrum, which then ended up being installed by the users. Would you like to be the first one to suffer from something like that (if it happened) because you were too lazy to follow simple verification instructions? It's possible that someone gains access to the site and uploads fake versions of Electrum. But if you saved the developer's public keys to Kleopatra in the past, you would notice that during the SIGNATURE VERIFICATION, which would be unsuccessful. That's why you are doing it. 

[BrokenM14]

~

Once you have everything set up, to verify future updates you only need to double click the .asc file.  It's that easy.

And to Pmalek's point, please don't spam this thread with questions that I've already answered in the OP.