Verifying signature and other things

[Sumarokov]

I set up an Electrum wallet before I learnt about verifying the signature.

Even though I typed in the name of the website on my browser (i.e. did not do a Google search), I still want to be cautious, so it looks like I will have to start all over again... 

Will I be protected as long as I delete all my Electrum files on my computer and start all over again? Or is there anything else I should be aware of in terms of securing myself?

Also, are there any other things like this that I should be aware of regarding Electrum? I had never verified other downloads before, so this was not something I even thought about. As I just heard about it by chance, I wonder if there are other things people are not aware of and only find out after they have set up their wallet, for example? I will admit that I am not one of the most web-savvy people, so I am probably in a minority here...

[Charles-Tim]

So far you did not google search nor used any search engine, and enter the URL directly and correctly which is electrum.org in a safe computer, that should not be an issue. You can still decide to verify the signature, but I do not think you need to delete your wallet before doing that because the website is not compromised. But, making it just a norm in case for protection purposes in case the website is compromised, the verification will fail after original electrum wallet download file is changed to compromise ones on the website which will indicate the file to download is not the original but a fake/malacious one.

https://electrum.org/#download

GPG signatures are a proof that distributed files have been signed by the owner of the signing key. For example, if this website was compromised and the original Electrum files had been replaced, signature verification would fail, because the attacker would not be able to create valid signatures. (Note that an attacker would be able to create valid hashes, this is why we do not publish hashes of our binaries here, it does not bring any security).

In order to be able to verify GPG signatures, you need to import the public key of the signer. Electrum binaries are signed with ThomasV's public key. On Linux, you can import that key using the following command: gpg --import ThomasV.asc. Here are tutorials for Windows and MacOS. When you import a key, you should check its fingerprint using independent sources, such as here, or use the Web of Trust.

[Sumarokov]

So far you did not google search nor used any search engine, and enter the URL directly and correctly which is electrum.org in a safe computer, that should not be an issue. You can still decide to verify the signature, but I do not think you need to delete your wallet before doing that because the website is not compromised. But, making it just a norm in case for protection purposes in case the website is compromised, the verification will fail after original electrum wallet download file is changed to compromise ones on the website which will indicate the file to download is not the original but a fake/malacious one.

Is there any way to verify a download AFTER it has been installed and the programme is already up and running?

But, making it just a norm in case for protection purposes in case the website is compromised, the verification will fail after original electrum wallet download file is changed to compromise ones on the website which will indicate the file to download is not the original but a fake/malacious one.

I am not sure what you mean here. Does anyone else have any opinions?

Further question: are all the files in the Program Files (x86) folder (where I can see the Electrum folder) or can they be elsewhere?

[Rath_]

Is there any way to verify a download AFTER it has been installed and the programme is already up and running?

As far as I know, the answer is no. It looks like only the executables located at the website are signed. I guess you could ask someone who verified the installer to provide you a checksum for each file in the Electrum folder.

I am not sure what you mean here. Does anyone else have any opinions?

There is a slight chance that Electrum's website might be hacked one day. As a result, all installation files could be replaced with a malicious version which could steal your coins once you open or fund your wallet.

Next time, follow this guide before installing Electrum again.

Further question: are all the files in the Program Files (x86) folder (where I can see the Electrum folder) or can they be elsewhere?

There is also a data directory (%appdata%/Electrum).

[Abdussamad]

So far you did not google search nor used any search engine, and enter the URL directly and correctly which is electrum.org in a safe computer, that should not be an issue. You can still decide to verify the signature, but I do not think you need to delete your wallet before doing that because the website is not compromised. But, making it just a norm in case for protection purposes in case the website is compromised, the verification will fail after original electrum wallet download file is changed to compromise ones on the website which will indicate the file to download is not the original but a fake/malacious one.

Is there any way to verify a download AFTER it has been installed and the programme is already up and running?

But, making it just a norm in case for protection purposes in case the website is compromised, the verification will fail after original electrum wallet download file is changed to compromise ones on the website which will indicate the file to download is not the original but a fake/malacious one.

I am not sure what you mean here. Does anyone else have any opinions?

Further question: are all the files in the Program Files (x86) folder (where I can see the Electrum folder) or can they be elsewhere?

just look for the URL in your browser history. it should be download.electrum.org. if the URL checks out then the chances of malware are very low

as for verifying the file after installation if you have the original download file you can download it's signature and verify it. it's listed next to the file : https://electrum.org/#download

[Sumarokov]

Thank you. What I plan to do is uninstall Electrum, eliminate the Electrum folders in the Program Files (x86) folder and the data directory (%appdata%/Electrum).

Is there anything else I should know about uninstalling Electrum, so I can start again on the same PC?

I do not want to leave anything behind from the old system, just in case.

[Rath_]

What I plan to do is uninstall Electrum, eliminate the Electrum folders in the Program Files (x86) folder and the data directory (%appdata%/Electrum).

Keep in mind that wallets are also stored in that directory. Make a backup of "wallets" folder and put it back in that directory after you have reinstalled Electrum. This way, you won't have to type in your recovery seed to be able to access your wallet again.

I do not want to leave anything behind from the old system, just in case.

You should be fine if you use some reputable software to scan your computer (e.g. Malwarebytes).

The chances that you downloaded a fake version are very slim. If you were overly paranoid, you could reinstall your OS and move your coins to a new wallet generated by the verified version of Electrum.

[NotATether]

I do not want to leave anything behind from the old system, just in case.

Then, you should be fine if you use some reputable software to scan your computer (e.g. Malwarebytes).

If OP's system is known to be clean then there is no use of scanning with an AV to remove leftovers of programs after uninstallation. Actually, if that is what you're trying to do (scrubbing the data directories and the registry), you would use software like IObit Uninstaller or Revo Uninstaller Pro, but these also install adware so I wouldn't recommend using them.

Electrum doesn't even use the registry so if you want to truly destroy all leftover files, get the Electrum portable binary for Windows and delete the program and Electrum's AppData folder when you're finished.


Is anyone else bothered by the fact that Windows doesn't bundle any kind of PGP program with it? Now we have to go telling people who want to verify Electrum to install Kleopatra, GPG4win or something else, and some people even install WSL or Cygwin with the gpg package just to get the verifying functionality. It's definitely a good feature to lobby Microsoft to add, à la the Windows Insider Program.

[o_e_l_e_o]

Is there any way to verify a download AFTER it has been installed and the programme is already up and running?

Just verify the installer file that you downloaded and used if you still have it. If it verifies correctly, then the version you have installed is safe to continue using, and there is no need to uninstall and re-download.

Make a backup of "wallets" folder and put it back in that directory after you have reinstalled Electrum. This way, you won't have to type in your recovery seed to be able to access your wallet again.a

If OP is reinstalling Electrum, then better for him to create new wallets and move all the funds from his old wallets to the new ones. If he cannot verify the version of Electrum he used to create his old wallets was legit, then they could potentially have been created from pre-determined seed phrases and an attacker could sweep them at a later date.

Is anyone else bothered by the fact that Windows doesn't bundle any kind of PGP program with it?

Windows is designed to appeal to the masses, and the vast majority of Windows users probably haven't even heard of PGP, let alone have any idea what it is or how to use it. Anyone who is serious about security and encryption probably isn't using Windows, but is more than capable of downloading Gpg4win or similar.

[Sumarokov]

Just verify the installer file that you downloaded and used if you still have it. If it verifies correctly, then the version you have installed is safe to continue using, and there is no need to uninstall and re-download.

Can you tell me how to verify the installer file? I still have it, although I did not download the signature at the time, just the installer file.

I have since downloaded and verified Gpg4win.

[I have not moved any coins to my Electrum wallet yet, so all is good and well in that sense]

[Rath_]

Can you tell me how to verify the installer file? I still have it, although I did not download the signature at the time, just the installer file.

I have posted a link to a decent step-by-step guide above. Now, it doesn't matter if you downloaded the signature before or after the installation; you need to verify the exact same installer you used, though. I shouldn't have assumed that you got rid of the installer. Most of the people would probably do it.

[Sumarokov]

Can you tell me how to verify the installer file? I still have it, although I did not download the signature at the time, just the installer file.

I have posted a link to a decent step-by-step guide above. Now, it doesn't matter if you downloaded the signature before or after the installation; you need to verify the exact same installer you used, though. I shouldn't have assumed that you got rid of the installer. Most of the people would probably do it.

Thank you. I went through the whole process, but when I got to this part:

In Kleaopatra, click on the "Decrypt/Verify" button, and browse to the location of the .exe and .asc files you saved.  Select the .asc file, and click "Open."

I can only click on the .exe file, as I do not have the signature file. When I do, I get this message:

Failed to find encrypted or signed data in one or more files.
You can manually select what to do with the files now.
If they contain signed or encrypted data please report a bug (see Help->Report Bug).

When I go ahead and press on deciphyer/verify, I get told "Cannot determine whether input data is Open PGP or CMS: conflicting use".

Below this, the step-by-step guide says:

The software will check the integrity of the .exe file and compare it to the signature file.  If the signature matches the .exe file you'll see a window like this pop up:

But I cannot compare, as I do not have the signature file.

Is there a way that I can verify just my downloaded installer file on Kleopatra, as that is all I have?

[Rath_]

But I cannot compare, as I do not have the signature file.

Is there a way that I can verify just my downloaded installer file on Kleopatra, as that is all I have?

No, you need to download the signature from the Electrum's website. There's a different signature for each file. As I wrote earlier, it doesn't matter when you download it. You will see an error if either the signature or the installation file was replaced. There is nothing to worry about since you have downloaded ThomasV's PGP Key from a different source.

[o_e_l_e_o]

You just need to download the signature file from https://electrum.org/#download which matches the Electrum file you originally downloaded, which I assume in your case will be the "Windows Installer". Put it in the same directory as your installer file and try again.

This is assuming you installed Electrum 4.0.9. If not, you'll need to locate the correct signature file for your version and type of installer from here: https://download.electrum.org/

[bob123]

Do you still have the original file you have downloaded?
If so, you can simply just verify that one. If the signature matches, you don't need to uninstall / delete anything.

What I plan to do is uninstall Electrum, eliminate the Electrum folders in the Program Files (x86) folder and the data directory (%appdata%/Electrum).

If the file you have downloaded indeed is malware, removing any folders or files doesn't help you at all.
In this case, you should format your hard drive. "Uninstalling" and deleting files won't remove any potential malware. However, the chances are rare if you typed in the url correctly.
The best would definitely be if you had the original downloaded file.

[Sumarokov]

Thank you to everyone who responded, now it verifies.  

As I am new to this and prefer not to follow my own logic or what I think goes, I did not consider that the signature file would be the same, whenever it was downloaded.

That is a handy step-by-step guide, by the way, especially the small things like the advice on stopping Windows saving .asc as .text files and the like.