about GPG signature

[new19980]

hi surry for the dump question but i wont to know if its possible for a hacker if he did hack electrum.org website and put his fake electrum version
but he kept the original signature file in this case even if you verified the signature file you will lose your btc since the hacker kept the original file
and only changed the electrum.exe file to his fake version

[1714315739]

1714315739

[1714315739]

1714315739

[Charles-Tim]

If the Electrum that you downloaded is not signed by the developer, the signature will be invalid. If the signature is not valid, then you will know that the file is not signed by the right developer and likely the site has been compromised.

If you use the signature from the developer and it is valid, you have nothing to be worried about, the wallet is not fake.

[new19980]

If the Electrum that you downloaded is not signed by the developer, the signature will be invalid. If the signature is not valid, then you will know that the file is not signed by the right developer and likely the site has been compromised.

If you use the signature from the developer and it is valid, you have nothing to be worried about, the wallet is not fake.

you mean that we can verify the electrum.exe file i thought what we can verify is the signature file .gz.asc since in this case the hacker can keep the original

[Stalker22]

you mean that we can verify the electrum.exe file i thought what we can verify is the signature file .gz.asc since in this case the hacker can keep the original

Even the smallest change to the exe file will invalidate the signature, and the archive (tar.gz) will also be affected. This is because the signature is specific to the entire file you download from the server, including the archive. If the exe file (or archive) has been modified, the signature verification will fail.

GPG signatures are a proof that distributed files have been signed by the owner of the signing key. For example, if this website was compromised and the original Electrum files had been replaced, signature verification would fail, because the attacker would not be able to create valid signatures. (Note that an attacker would be able to create valid hashes, this is why we do not publish hashes of our binaries here, it does not bring any security).

[Husires]

you mean that we can verify the electrum.exe file i thought what we can verify is the signature file .gz.asc since in this case the hacker can keep the original

Any change in any file will corrupt the signature and make it invalid, but if the hacker hacks electrum.org, he will most likely change the public key to his address and put it in electrum.org. always download the developer’s key from a trusted place outside electrum.org, and it is best to make sure that it is the same key is from several sites.

[o_e_l_e_o]

you mean that we can verify the electrum.exe file i thought what we can verify is the signature file .gz.asc since in this case the hacker can keep the original

You are confused about how signatures work.

The .asc file you verify contains a signature from a developer pointing to a specific file. The signature is generated using both the file in question and the developer's private key. If even a single byte in the file is changed, then the signature is no longer valid.

You can test this yourself by downloading the signatures for an older version of Electrum (such as 4.4.5) and trying to use those signatures to verify the latest version (4.4.6). Although the signatures are valid signatures from the devs, they will fail to verify because you are using them to verify a different file.

If an attacker uploads a malicious version of Electrum, then the signatures from the devs will not verify. If they replace the signatures with their own, then it will be obvious that it was not signed by the devs but by someone else.

[Husna QA]

hi surry for the dump question but i wont to know if its possible for a hacker if he did hack electrum.org website and put his fake electrum version
but he kept the original signature file in this case even if you verified the signature file you will lose your btc since the hacker kept the original file
and only changed the electrum.exe file to his fake version

In this case, you need to pay attention to the Electrum developer's original signature.

If the Electrum website is hacked and all wallet files, including the previous developer's signature, are changed, you should be wary of it.
However, suppose only the wallet file is changed while the developer signature is still from the original Electrum developer. When you try to verify it, you will get the message 'BAD signature...' and it is recommended that you do not use the wallet file.

Below are two examples of GPG signature verification results that I have made;
- Original Electrum files:

-snip-

- Fake Electrum files:

-snip-

[Pmalek]

Everything needed for the verification needs to be replaced to trick you into believing that you have a genuine piece of software, while you are engaging with a malicious copy. The fake software needs to be signed with a fake key of the scammer. And your verification tool mustn't contain the original one, so that there is no error informing you that the verification process failed. As long as you have the developer's real key, a wrongly signed app shouldn't cause you any issues.

[NotATether]

hi surry for the dump question but i wont to know if its possible for a hacker if he did hack electrum.org website and put his fake electrum version
but he kept the original signature file in this case even if you verified the signature file you will lose your btc since the hacker kept the original file
and only changed the electrum.exe file to his fake version

The PGP fingerprint will definitely be different, and the hacker cannot impersonate that, only create a new fingerprint.

Also, if you have you used your own PGP key to trust the original Electrum signing key, then when you try to verify a binary signed by a malicious PGP key then the program will display a warning during verification: "Warning: this key is not trusted" or words to that effect.