[GUIDE] How to Safely Download and Verify Electrum [Guide]

[Chikito]

I'm trying to acquire a "nested segwit address" from electrum but i guess it's hard for a newbie like me to download such a thing.

in the fact you are a senior member.

Open electrum wallet select already seed > select option > tick BIP39 > then select p2wpkh-p2sh:

or export your native private key then select import private key on beginning electrum then put p2wpkh-p2sh: on front.

[1713920527]

1713920527

[1713920527]

1713920527

[btcb3g1nn3r]

great post, still one short question for Windows users: it's not enough to download the .exe (either installer or standalone) and to check its properties for digital signature, to see the certificates used? Can an attacker resign such .exe files with new certificates to mimic the original ones?

[BlackHatCoiner]

great post, still one short question for Windows users: it's not enough to download the .exe (either installer or standalone) and to check its properties for digital signature, to see the certificates used? Can an attacker resign such .exe files with new certificates to mimic the original ones?

You're verifying the signature of ThomasV using his public key which is outside of the software. There is no reason to remove the certificate from the software, because the hacker's signature won't be verified using ThomasV's public key.

[ranochigo]

great post, still one short question for Windows users: it's not enough to download the .exe (either installer or standalone) and to check its properties for digital signature, to see the certificates used? Can an attacker resign such .exe files with new certificates to mimic the original ones?

Good question. No and no. Hackers wouldn't be able to sign the file after modifying it's code which would result in the signature not matching for the file.

I wouldn't trust using the digital signature of the software as a guarantee that the software hasn't been modified in a malicious manner. CAs has been compromised before and some of them were able to issue fake certification to state actors or hackers. PGP is the only way to ensure that you're downloading the version that is signed by ThomasV.

Also, some of the binaries during the Electrum phishing were actually digitally signed by the hackers using some presumably compromised CA.

[NotATether]

Also, some of the binaries during the Electrum phishing were actually digitally signed by the hackers using some presumably compromised CA.

There is a tool included with Visual Studio that lets you sign any executable before you distribute it. Most people just make a self-signed certificate and those cannot be trusted by themselves because those certificates aren't signed by a chain of CAs.

When windows displays a warning about running a program from an "unknown publisher" then it used a self-signed certificate. That's why the embedded signature can't be relied upon for Electrum integrity. Unless somebody is willing to pay hundreds of dollars for a CA to sign it.

[ranochigo]

There is a tool included with Visual Studio that lets you sign any executable before you distribute it. Most people just make a self-signed certificate and those cannot be trusted by themselves because those certificates aren't signed by a chain of CAs.

When windows displays a warning about running a program from an "unknown publisher" then it used a self-signed certificate. That's why the embedded signature can't be relied upon for Electrum integrity. Unless somebody is willing to pay hundreds of dollars for a CA to sign it.

I don't think it was self-signed. I analysed it on my VM (on an old computer, to be safe) and it appeared to be issued by DigiCert, IIRC and it didn't throw a warning to me. I don't want to download it again but I've found the MalwareBytes analysis.

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

[NotATether]

I strongly believe this thread should be stickied by a global mod or admin. It will save us from having to repeat that using Electrum without verifying it is unsafe to use. People generally only read the first few results on a page, whether it's bitcointalk or Google, and this page doesn't even appear in google search results (well it looks something like a footnote and not an actual result).

Before people come to this board and ask a new question, this will reduce the number of people that need hand-holding.

You all agree that this should be stickied or what?

[Dabs]

This is Thomas V public key as gotten from the website:

Code:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBE34z9wBEACT31iv9i8Jx/6MhywWmytSGWojS7aJwGiH/wlHQcjeleGnW8HF
Z8R73ICgvpcWM2mfx0R/YIzRIbbT+E2PJ+iTw0BTGU7irRKrdLXReH130K3bDg05
+DaYFf0qY/t/e4WDXRVnr8L28hRQ4/9SnvgNcUBzd0IDOUiicZvhkIm6TikL+xSr
5Gcn/PaJFS1VpbWklXaLfvci9l4fINL3vMyLiV/75b1laSP5LPEvbfd7W9T6HeCX
63epTHmGBmB4ycGqkwOgq6NxxaLHxRWlfylRXRWpI/9B66x8vOUd70jjjyqG+mhQ
+1+qfydeSW3R6Dr2vzDyDrBXbdVMTL2VFXqNG03FYcv191H7zJgPlJGyaO4IZxj+
+O8LaoJuFqAr8/+NX4K4UfWPvcrJ2i+eUkbkDJHo4GQK712/DtSLAA+YGeIF9HAn
zKvaMkZDMwY8z3gBSE/jMV2IcONvpUUOFPQgTmCvlJZAFTPeLTDv+HX8GfhmjAJY
T5rTcvyPEkoq9fWhQiFp5HRpYrD36yLVrpznh2Mx7B1Iy8Rq/7avadwVn87C6scJ
ouPu+0PF3IeVmYfCScbfxtx1FaEczm8wGBlaB/jkDEhx0RR8PYKKTIEM7T2LH2p6
s/+Ei4V7mqkcveF/DPnScMPBprJwuoGNFdx2qKmgCKLycWlSnwec+hdyTwARAQAB
tBlUaG9tYXNWIDx0aG9tYXN2MUBnbXguZGU+iQI4BBMBAgAiBQJN+M/cAhsDBgsJ
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAr1YJLf5Rw5hlhD/9T4I/sBCleS9nH
njTJqcOnG28c9C3CRYIizjEui/pKmXz9fB1N9QrCaruPUQx2UacDVCl6dKxac+7s
s3/a6lsjaRn0/2OM/sCVLScyxNPNPQs2b6jkodSNPIM8zv51g+flhwtfrO6h6B4j
IhZgSjFdvqtZd5jaly9rA0uMX045CC4K6HGnq8n4F2p31z0L0LaHBf5EcsCM0MMp
QVkY0aUrNg9uVMGXBHn3osHnOtQaODqcIbpa/OG+Tlt6pVOiDJ7i8TkpQKT7sOaM
VdL//TEoDIOC7qVCN82q2q/gtiBXbziaERVs/eU0O52aX5qUhXu3VIjXTp/riRim
R/f9BPB1dgDZbF2aPZ/rJm26v82ft7gP1Sf52E9MrAaZATTfI0/TUHXeBzN93EA9
xb6/ENAMTX74u+NjlynWPD+hl64eBzJ2ionZF1bJFTgBkMfRYnhllvleCjcq9YfX
md5HKCwtxfygBIujUQSwyUzn0f5DbVCJ7/B19bKdvHGSSBgBEjxqXWQskm2wc0In
ww63goZAGDQliKhIT8xnwOBbLkqSobq4tD9zpQyxvMA2rhy7/gfFRp7TTak7MZHf
lTJ37S5LvcWHm/ccWUZDUN7akoEDc+m6jX3uIEPMD3PQvcHhWv0amco3zDr1qb/+
rXM7TJKd7DPX0E2dRzKu6aYRMTbklbQhVGhvbWFzIFZvZWd0bGluIDx0aG9tYXN2
MUBnbXguZGU+iQI4BBMBAgAiBQJTQDaRAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
AQIXgAAKCRAr1YJLf5Rw5hOBD/9o/NqHLvjhrCfy6/SblSC/udV9ujFnvhZZZprb
r8Oe6GdMwfw+ktZd2nYb09KjxXYmGoZeZKmvCb0LoMKSVWgisH1rgzDzI6UzFL4b
pV2+PqCSiWaekfnBm+oHbGgJCuAXebGXjVL8JsvhAl0HQZzTA1RX0u8TEAHOxOI5
l+mXSN+cwVZuDMpt5v+JDyPGHM/KqaXCw1WJY50mqlan6/15XHilmvY/CaxmbXNH
ZOXucmPxyCTeiQTqyhHsIBb4RxWYCaUXv9+svriotv2HZpQ110NN09ml1K1kDlNL
Zh3jNqMsbImFArbN8GikjqhRBV3K77Np4lccnsBPllQMqqQULG7UshcQTatkmTMb
j2TQ0oQWEZt0uJmnmxgz18ijs6m2fJZhlH0QYVYOwUvK6GfAFluHwOZHIXonv8Ck
uTW+P90lOB/9ZnREZeYb2wlvV6fCTMHxptIbT31kbLTzu4KEI6+ShQXT+YAKiC5S
JC9heheaeApH3wcLiZJcCKYv6ubY+3Uf/EoXcqWywwpS/nWkSpMSYjq+V9xCcGHI
MZ4vZkiZ6OS5Mu739rgGfP7Yi3pqUYLIpUa5QiNOMEhPtWbj/oH5ldaZowwgZ4MK
2Mzxex8IhFppPtZgqJfu9NZQLICpxcd2hUe3XWvB+jcvboZ1p7RO7ax3Vo9zy1fy
YEFML7Q9VGhvbWFzIFZvZWd0bGluIChodHRwczovL2VsZWN0cnVtLm9yZykgPHRo
b21hc3ZAZWxlY3RydW0ub3JnPokCOAQTAQIAIgUCVMYFygIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AACgkQK9WCS3+UcOZ7BQ//VJuRmM7kQd5DcJS76BKpMtKt
gUNV3hi2h8kNGtkIeKhpeiK+PeweFJCb0nQDiEYsg5Xd/l5ZwN34cqlhgaQ8uWBY
rmNnSYGECLrxejx6WTWHp2AtD9BXrj73HEox2abC0Bdky39aCTyuRhSzbFnV2unh
L7IarKqr5bat6ywFZWsOcaisEjWXlTSD/hYqnkRX8vnBZRnRgHyi1yOvHsXGFB3x
O+P7JUb4E7BVzVRDJzMgcBhY5vTZ4Mnc8eIplNVI1TaF2hmhmnezvRF6XNYV1Ew9
t2/HE85+DqIBikUWYPTTxJiWUOwxXP9dVOEmNTcAgVThvMN7W+WoF7//qcNKmbPI
DyGU5xb/MLNrM+MWfavtkHNqcY0+cFf27z4mOxd2eEMDVxN/Fhq0HipugMEawaZ0
G9xsF/rZBzKgpu7+SvqRqxUn36vNz59vDlBYEXSng6nJobUdNb6iHo/rpZ6ZYHKx
mzrK5ROpmKs6zpPTOn8Hw29jxx07auzEIVEa8hzZaiqTfwI9yBwzhFQwNxmNaKRE
adxosvU1VyTvaEVmMmTx227MF1qhwq9yrSXtmKZJGiHRzyL4B4vAGrf9uK9GwzS2
TlyksRdjapw6Cqp8sUB2PUzHqYNWs0wSsZuxwVt6JSD4N8vpYTTF00LONKe2oLhj
GNxpH+BV3SqMHXQl9Ki5Ag0ETfjP3AEQAL5LYJiX5S4PG891TMihejh5KVgc36/R
zgWYJkE26K855t+WdAa6spHKR1RmpTTsnaTXaC/bNxJZq+0vi9GKlw94twEueu0v
Cniinpy6AFeydveCi+qdr5XQ4hx1DY11kntGBL2wMOtrZ4oAeFnntHYcAMYaMBY5
p8gd3WVR2dgIvpOcezQBLwhoMHnN6A+JEQ27ZHcolwDO9ic+t4YAtl552DP1xKbc
T4D1JD0J6W6FbUJElOXReSjNGCuSLZZTsCzMg0P6RHwWUKtDvRKrK/M3Nh/L2EsW
5mAQnYps6a+hyVkVd9kLsogtHPE4xv33pzbDB5Yj+2zqdjYUqO/ODfkP+HjNRvyj
uHL6W3bjU6FnuJQXX4llskls4hlKDPawa3cuWnsdafouAZOxWwBlGysRZ7BaHOFE
TOlAeUN1EYfFrckcfkYzTX7NDA0S99aX730z/c9XrnqM52OO9LrSFRnYZ+K3M8z2
FFvo9/ZtqqTDH0/oH+ay0CwtowSovZUoljAQ8zmmi8CtPDFHg4srae8YxW4fetn7
QtP6rOVRwQCyP12LztC7oYGOectU5G9GkVDubNW48Vuex0/upP9RORjKN8atBroS
cmomR5hShxmgdJBy4I/TDkVFbZq/hRPSTAHgnciEC67TYhszzXP3nTn5/Ah0wCGC
d3HfiNX6G7MdABEBAAGJAh8EGAECAAkFAk34z9wCGwwACgkQK9WCS3+UcOaJRA//
dLHRBjeAkNbRsY5GNTWUZzXr3VC5vNqpwpP9rK4QTAmpl3iU5F+wsgMG78iS2XOV
+ijZA8KvishletQJoNMxS1PU4sA4Y34hYb61ptHs+PmwNpcdgjAX+mCh9xQ0816G
yIaXtxtxacJJW3K07fqKIkJjISPOyTLSd+wl1LtRE2fA67pMmpMHG8t+RPq1dp/e
3qp6L7jc6X3U+bn2m7u2cgEVbuAnSaKGoMSMnsd71Ltf1b6/DwvZz/HBttEgcgSm
PleHUVyBD4LDrcjTDK7zdEMw7b/cPBnu6CmTcogFEqvB4n9Yodo+4ij7AndUTz4J
j1p8vFlnHvhRg82MDfGUPJ+ujBjbYXROs+WAmaCQ8TgjZ3dAFNFrOqAbYu6QlY2x
fu7vj+ruc6ArdmBrOlsJFmNsxFRJfgdUug5JFIUN77GbjisHjWem8cY3szuyEke8
H2pi803CAuVtkaoNmNDHsEBieft34Zo0V+A/q2wkix3S9vyRjOKqhGrW30qxnV6Z
FexueWuO3qOQ0ZU5/TIH0kft2n45/RexeBq/Ip52zE1vEvTkQmBCfCGZmqTu+9Ro
8qsjecxVNxyVPlwhlimryiQ+dPaJYaOSfiwEEMh2MyV5c6t6qN9n6jFdiCLOlmmH
ZFA8xDodsofQEmlv+I/xyEZ7na6nxbpZVuPC3B0JFtY=
=sUYl
-----END PGP PUBLIC KEY BLOCK-----

Please do not use this without checking from another source that it matches the same key from another source or someone else quotes this and says it's matched.

Fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

I copied it here so we have another source that's not changed if the official website gets compromised.

[DireWolfM14]

April showers bring may flowers, and allowed me some time to work on this tutorial.  I've updated the OP to include "BAD" signatures.  I also rearranged the post to consolidate instructions based on operating system.  I think it flows better this way.

Suggestions are always welcome.

[BlackHatCoiner]

Can't Thomas provide a signed hash of each executable? Why should one, that isn't familiar with GPG, go though all this procedure just to verify a signature since he/she could do that really easily?

[NotATether]

April showers bring may flowers, and allowed me some time to work on this tutorial.  I've updated the OP to include "BAD" signatures.  I also rearranged the post to consolidate instructions based on operating system.  I think it flows better this way.

That's great, it means I don't have to wait until a rainy November to update the Bitcoin Wiki page. It's already rainy season here anyway

Can't Thomas provide a signed hash of each executable? Why should one, that isn't familiar with GPG, go though all this procedure just to verify a signature since he/she could do that really easily?

I remember asking this before and the answer I got is that the risk of checksum collision with a bad executable is mitigated if it's signed with GPG.

[BlackHatCoiner]

I remember asking this before and the answer I got is that the risk of checksum collision with a bad executable is mitigated if it's signed with GPG.

Specifically with GPG? How could that happen, I don't understand. Once you hash an executable, don't you hash its binaries?

[NotATether]

Specifically with GPG? How could that happen, I don't understand. Once you hash an executable, don't you hash its binaries?

GPG uses RSA-2048 or RSA-4096 keypairs to encrypt and decrypt messages. It just so happens that it is also possible to sign a message using RSA keypairs, where the "message" here is the binary file contents, and this makes an RSA signature along with some metadata that GPG adds. There's also a verification process[1] that exists for RSA which GPG uses to verify these signatures (which are also binary data).

[1]: https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php

[Dabs]

I like hashes such as SHA256. But it's more like a super secure checksum that your download is not corrupted. You'd still need to verify the hash using the GPG signature.

It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.

[BlackHatCoiner]

You'd still need to verify the hash using the GPG signature.

There are other simpler ways to verify a signed message, but GPG does fine, yes.

It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.

But if the site was compromised, and it showed a different hash, the signature using Thomas' key wouldn't be valid.

[DireWolfM14]

It's a quick way to see if something is good, but without verifying the signature anyway, it's possible that the site was compromised and showing a hash that matches the executable or binary.

But if the site was compromised, and it showed a different hash, the signature using Thomas' key wouldn't be valid.

I don't want to speak for Dabs, but I think that's the point he's trying to make.  If you only rely on checksum hashes and the site is compromised, the checksums could easily be replaced by the hackers.  If we rely on GPG signatures the hacker wouldn't be able to sign the releases (or a list of checksums) with ThomasV's key, and we would know something was wrong.  To defeat this type of security the hacker would have to gain access to multiple unconnected servers.  Not impossible, but highly unlikely.

[ranochigo]

I don't want to speak for Dabs, but I think that's the point he's trying to make.  If you only rely on checksum hashes and the site is compromised, the checksums could easily be replaced by the hackers.  If we rely on GPG signatures the hacker wouldn't be able to sign the releases (or a list of checksums) with ThomasV's key, and we would know something was wrong.  To defeat this type of security the hacker would have to gain access to multiple unconnected servers.  Not impossible, but highly unlikely.

This assumes that the attacker won't also replace the PGP public key for ThomasV as well. PGP is best used in conjunction with an established web of trust which can be hard to get for some users and I would probably recommend users to at least get another source of information to validate if the imported public key is also correct.

I agree with the above sentiments as well. Using solely the hash of the files as a validation is insecure. There is a reason why Bitcoin Core hash sums are included within a PGP signed message and users are encouraged to verify them first before trusting it. Using the hashes as it is would merely serve as a way to verify data integrity but not guarantee its security.

[BlackHatCoiner]

Using solely the hash of the files as a validation is insecure. There is a reason why Bitcoin Core hash sums are included within a PGP signed message and users are encouraged to verify them first before trusting it.

This is exactly what I said. To upload a signed message containing the hash instead of leaving a hash solely.

There shouldn't be anything wrong with this and it's quite faster than the other method.

[DireWolfM14]

This is exactly what I said. To upload a signed message containing the hash instead of leaving a hash solely.

There shouldn't be anything wrong with this and it's quite faster than the other method.

I might be misunderstanding your question/comment, so I'll try to get a handle on it:

You're suggesting that (like the bitcoin core dev team) the Electrum dev team should post a PGP signed list of checksums, correct?  Although there's nothing wrong with that, I fail to see how that's faster.  GPG can verify the 28 megabyte windows installer file in just a few second (if that,) it takes me longer to type out the command.  

If the dev team only published a signed list of checksums, I would still verify the PGP signed list, and then I would have to verify the checksums of the binary file.  I would have to verify two files, which takes longer.

And, like NotATether already mentioned; the question was posed to the Electrum dev team.  They don't like that approach due to slight risk of checksum collisions.  Obviously checksum collisions are HIGLY unlikely, but if you have the tools to mitigate a potential issue why not employ them?

[BlackHatCoiner]

Although there's nothing wrong with that, I fail to see how that's faster.  GPG can verify the 28 megabyte windows installer file in just a few second (if that,) it takes me longer to type out the command.  

I meant faster for the newbies who want to verify their executables. I don't know about the others but when I firstly verified electrum using this tutorial, I wasn't completely sure of what I was doing. I was feeling secure with the replies and with the greatly described steps, but I considered the method kinda complex. To be honest, I wasn't into anything related with Bitcoin a year ago, as you can see in the first page of this thread, so this is maybe why. 

Or I may simply have this weirdly paranoid symptom in which you want to understand every-single-thing you're doing, on a disgustingly detailed way, such as understanding the maths behind RSA/ECC. Anyway. Signed checksums might had a shorter tutorial than this one. Although, you're explaining everything perfectly.

They don't like that approach due to slight risk of checksum collisions.

While, they may prefer not to do this with the checksum-way, I personally find it ridiculous for them to justify it with the collisions. Despite the fact that it's never going to happen you're essentially failing the function your entire project relies on. It's ironic...