[GUIDE] How to Safely Download and Verify Electrum [Guide]

[saraariel]

Thank you 

That was easy and simple and it did the job.

[DireWolfM14]

Just thought I'd provide an update here on the status of the original post;

Based on the contents of a previous post on the subject of multiple signature files, I submitted an issue on Electrum's git:
https://github.com/spesmilo/electrum/issues/7579

I didn't realize it would be so complicated, but it's obvious the dev team is putting the effort into implementing an aggregated signature file.  It appears that ThomasV has found a solution, so it may be implemented by the next release.  I'll determine then if the OP needs any updates.

[m2017]

Is it necessary to verify Electrum when using a hardware wallets?
What are the consequences of using a compromised Electrum with hardware wallets?

[DireWolfM14]

Is it necessary to verify Electrum when using a hardware wallets?

YES!

What are the consequences of using a compromised Electrum with hardware wallets?

There have been malicious versions in the past that will send all your coins to the scammer's address.  It creates a serupticious transaction that will remain invisible to you.  You'll be under the impression that you're creating a typical transaction, then next thing you know, all your coins are gone.  A hardware wallet will display the actual (malicious) transaction, but if you aren't paying close attention, and you approve the transaction on your hardware wallet you'll send all your money to the scammer.

[Lucius]

Is it necessary to verify Electrum when using a hardware wallets?
What are the consequences of using a compromised Electrum with hardware wallets?

It is always wise to verify the file before installation, but even if you have a malicious wallet every action you take should be confirmed by pressing a hardware button. Therefore, if you pay attention to every step while doing a transaction, you will notice that something is not as it should be and you will not sign the transaction.

You can read more on this topic -> Fake Electrum version 4.0 and hardware wallets

[Pmalek]

What are the consequences of using a compromised Electrum with hardware wallets?

First of all, will your hardware wallet even be able to connect to a fake Electrum wallet? Ledger and Trezor devices can establish connections to Electrum, but a phishing version of Electrum is not Electrum.

But let's say they can connect.
If you have a receiving address that you are intending to send the coins to, you should notice a difference if the fake Electrum app is trying to make you send your funds to another address. The receiving address has to be displayed on the screen of your HW. If you are generating a new address, do it from the native client whose hardware wallet you are using, and copy the address from there into Electrum if you are sending to yourself, doing a consolidation, or something like that. Again, you should notice a difference if the address changes while you are creating the transaction.

[Lucius]

First of all, will your hardware wallet even be able to connect to a fake Electrum wallet? Ledger and Trezor devices can establish connections to Electrum, but a phishing version of Electrum is not Electrum.

The answer is actually on the link from my previous post, because @DaveF did an experiment with fake Electrum in combination with Trezor and ColdCard, both HW did not recognize fake Electrum. The assumption is that hackers used older versions of Electrum, or they did not try to make fake versions compatible with hardware wallets knowing they can’t automatically empty such a wallet. Of course, this does not mean that fake versions of Electrum cannot work with HW, I believe that it is possible to achieve.

[jerry0]

Is there a reason verifying electrum is this complicated?


First off, you need to


Install GPG
Download and Import ThomasV's PGP Key
Download and Verify Electrum



So you need to make sure you are downloading the official GPG and ThomasV PGP Key.  You also need to download kleoptra from another website.  Does downloading many of these things concern anyone here since it increase the chance of a mistake?


Is there a reason why verifying electrum just doesn't require you to download electrum.  Then just right click the program/properties and command prompt and just type letters and words to command prompt and they display the hash just like that... similar to like how you verify ledger live?  I found the verifying ledger live a bit confusing but after I did, it isn't that complicated... but for the average user... it is complicated.  


To verify electrum seems much more complicated since you need to download a bunch of things.  How do you know all these things you downloading now doesn't have malware and all these things?


Now has there ever been a case where someone downloaded electrum from the official electrum site... and got hacked or malware?  Assuming you download electrum and then start using it whether creating a seed or restoring an old seed, can you always verify if your electrum is the real electrum even after started using it?  


I was checking youtube to see if there is a video to do this and found one

https://www.youtube.com/watch?v=lCG3c8a7HZI


In your instructions of

Install Windows


Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use command prompts to manage the GnuPG app.  Another optional feature is a shell extension which I find handy, and an Outlook extension.  If you use you use outlook the integration is pretty seamless, and actually quite useful.

Once installation is completed, and Kleopatra launches I recommend you create a private key.  If you already have one, you can import it at this time.



What do you mean you recommend you create a private key?  I do not understand this and in the youtube video, I do not even see this part mentioned.  I thought the private key was Thomas key.  So what exact private key are you creating here?




Also in the video, there is a part where it says Key Pair Creation Wizard where it ask you to put name/email though it shows optional.  So you just click next and leave it empty and skip it?  Then it ask you to create a password.  I assume this video is outdated and thus none of this applies now?





This is the other instructions I found below for verifying electrum.  On this, it mentions only make sure kleopatra is checked.  So you need to uncheck the other two GPgOL and GPgEX?  Direwolf and the youtube video have you just click next as it auto check all three of these?

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

[chentron]

trying to verify signature of electrum, but i get a error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

[n0nce]

trying to verify signature of electrum, but i get a error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

This guide is from 2020; since then, keys.gnupg.net was deprecated.
I found this similar question answered in a quick web search.

You can look up his key on any other keyserver though; that's the beauty of this decentralized, federated GPG network. Just enter his ID into any keyserver. For example:
https://keys.openpgp.org/vks/v1/by-fingerprint/6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

If you use gpg via command-line, it should be possible to omit the --keyserver, like this:

Code:

gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Alternatively:

Code:

gpg --keyserver keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --keyserver keyserver.ubuntu.com--recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --keyserver pgp.mit.edu--recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

[DireWolfM14]

trying to verify signature of electrum, but i get a error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

As mentioned, keys.gnupg.net isn't around anymore.  Try running one of the commands below from your terminal app.  

Code:

gpg --keyserver hkp://keyserver.ubuntu.com --receive-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Or

Code:

gpg --keyserver hkp://keys.openpgp.org --receive-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

~

From our previous conversations, I recall you're running Windows.  GPG4Win has a Microsoft authentication certificate, so the application won't flag Windows' anti-virus software.  It also checks if the code has been altered since signed by the publisher.  If the package you downloaded doesn't match the certification checksums it'll throw up a big red warning when you try to install it.

For various reasons a lot of open source apps don't use Microsoft's authentication tools.  I believe there are costs associated with maintaining the certificate, so it may be a financial decision.  GnuPG is open source, powerful, secure, and free.  It's a great alternative, especially if the developers want to port port their application to many different OSs.

What do you mean you recommend you create a private key?  I do not understand this and in the youtube video, I do not even see this part mentioned.  I thought the private key was Thomas key.  So what exact private key are you creating here?

You import ThomasV's public key, not his private key.  His private key allows him to sign the releases, and the public key allows all of us to verify that the download was indeed signed my ThomasV.  It's a lot like a bitcoin keypair, in that way.  I can also use GPG to sign messages that others can verify as having come from me, and with someone's public key I encrypt secret messages that can only be decrypted by the holder of the matching private key.  But in order to do so, I need to have a keypair also; a private one, and a public key that I can share with the world.

You don't really need your own keypair to verify that the Electrum download was actually signed my ThomasV.  GPG will tell you that the file was signed by ThomasV's, but it'll also say something to the affect that the key is not "Trusted."  It's really just a formality, but if you're using Kleopatra it won't show the green results page unless the public key has been trusted by your system.  To sign someone else's public key as "trusted" you'll need to have a private key of your own.

Also in the video, there is a part where it says Key Pair Creation Wizard where it ask you to put name/email though it shows optional.  So you just click next and leave it empty and skip it?  Then it ask you to create a password.  I assume this video is outdated and thus none of this applies now?

That sounds right, those are typical options for creating a keypair.  You should definitely have a password if you plan on using GPG to sign or encrypt messages.  I use it regularly to encrypt backups of sensitive information that I want available on multiple devices.  I can store them on the cloud with some measure of additional security.

This is the other instructions I found below for verifying electrum.  On this, it mentions only make sure kleopatra is checked.  So you need to uncheck the other two GPgOL and GPgEX?  Direwolf and the youtube video have you just click next as it auto check all three of these?

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

Whatever.  One is the Microsoft Outlook extension, and other is a Windows Explorer Shell (right click) extension.  I like the shell extension, myself.

[jerry0]

Okay I will disregard the key pair part as that is confusing.  I just don't understand why you mentioned you could create your own key pair... where I have no idea what percentage of the population would even know how to do that.  Thus using ThomasV public key to verify would sound very simple.


I am stuck right now.


This is what I just did now


I downloaded electrum


I downloaded gpg4win and got to the part where its opened kleoptra and it shows

New Key Pair or Import


Next step in direwolf instructions are

Import ThomasV's PGP Key on Windows
Import ThomasV's PGP Key using Kleopatra:
Download ThomasV's PGP Key from a trusted source.  Start Kleopatra, if it's not already running.  Click the Import button, and navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.


I completely ignore clicking on the signatures link next to Windows installer correct?  So just click on ThomasV in blue... which has ThomasV, SomberNight, Emzy next to it?  When you click on ThomasV the blue highlighted, all it does is open up a page with a bunch of keys.  Are you suppose to right click that and save link as?  


The thing is if I were to right click ThomasV and click save link as... it would show saving it to file name as ThomasV and ASC file.  But when it does that, it would save to this pc - downloads where nothing it showing up there.  Like before you click on save, you look at the top where there is no other downloaded files you had downloaded.  Is this normal or not?  If I were to click on desktop/downloads/documents, there is literally no files showing.  Is that normal?  I would have thought I would see electrum exe file I downloaded earlier somewhere here?  So me right click and save as link... that is why I don't see any other files?  Just want to make sure im doing this correctly.

[BlackHatCoiner]

When you recommend you can also create a private key, I do not understand that part.  How is 99% of the population going to know how to even create a private key to verify electrum.  Because ThomasV key is what is needed to verify electrum.

That's indeed a valid query of your side. I had already told him that it may confuse those who'll ask why. The short answer is that you don't need key pairs to verify a signature.

Do I now click on the signatures link next to the electrum windows installer link I just downloaded and download that?

After your kleopatra has imported Thomas' public key, then yes. You have to open the signature file with kleopatra and it'll verify it automatically. Also, make sure the signature file's name is the same as your installer's. For instance, if it's electrum-4.1.5-setup.exe, make sure it's electrum-4.1.5-setup.exe.asc.

[jerry0]

Okay I did not see your post on the creating a private key to verify electrum part.  That part literally would confuse most people.


So to download ThomasV keys, I need to right click on the blue ThomasV... click save link as... then it should save as ThomasV and ASC file to my pc/downloads correct?

[BlackHatCoiner]

So to download ThomasV keys, I need to right click on the blue ThomasV... click save link as... then it should save as ThomasV and ASC file to my pc/downloads correct?

Correct.

[jerry0]

I just did that and then clicked on import from kleoptra and opened the ThomasV file to it.  Then it showed a message and I closed it.  Did I need to see what that message said?



Now I see



Thomas Voegtin      his email     not certified  user id    valid from  June 15 2011 date but doesn't show valid until to.    Then it shows key id.

[BlackHatCoiner]

[...]

Yes, that's what it should show. Did you successfully import it?

[jerry0]

Okay so Im watching that youtube video again and it seems like the box I closed was this message....


Certificate Not Possible Cleopatra

To View other certificates, you first need to create an OpenPGP certificate for yourself.

Do you wish to create one now?


Yes or No



So how do i get back there?  Do i close kleopatra and open kleopatra again and repeat what I did earlier and then click Yes here?

[BlackHatCoiner]

[...]

Kleopatra probably wants you to create a pair, even though it's not required if you just want to verify a signature of an executable. Anyway, create it, it's not toilsome. Do it just to move on.

As for your question, you probably need to repeat it, yeah. Would you mind sharing the video?

[jerry0]

https://www.youtube.com/watch?v=lCG3c8a7HZI


So the message that showed up for me after I imported that ThomasV key is what you see right at the beginning of 3:52.  Its the first box you see with the Certificate Import Result- Kleopatra which show the total number processed, imported, changed.  I remember the numbers shown was the exact ones on that video.  That was the box I closed.  I then just X it instead of clicking okay.  But that message of you have imported a new certificate key where it ask you to certify... I never saw this message.



The video... I used it as reference but I am still following direwolf instructions as others suggested to just follow direwolf instructions here.  So what do i do now?  Do I close kleopatra and reopen it and do the samet hing again?