[GUIDE] How to Safely Download and Verify Electrum [Guide]
by
DireWolfM14
on 15/04/2020, 02:47:17 UTC
Table of Contents

Introduction
Resources
Install GPG
Download and Import ThomasV's PGP Key
Download and Verify Electrum

Introduction

Electrum is one of the most popular lightweight bitcoin clients around, if not the most popular.  The software is incredibly useful, and includes several options and tools that give you complete control over your bitcoin.  Electrum can be used to access any type of bitcoin wallet, including legacy, P2SH, or bech32.  Existing wallets can be imported into Electrum using a private key, an extended private key, or a BIP39 seed phrase.  It can create new wallets of any type as well, including multi-signature wallets.  Electrum can also be used with the popular brands of hardware wallets, and it's handy for creating watch-only versions of your cold or hardware wallets.  On top of all that, it's open source, which allows anyone to audit the software, removing the need to solely trust the developers.

The unfortunate thing about open source software is that it can easily be copied by nefarious individuals and made to look like the real thing.  Electrum's popularity and widespread use make it a prime target for these hackers and scammers.  So how does one ensure that he has downloaded the official, authentic version, and not a malicious fake?  First and foremost, download it only from the official Electrum website, but don't stop there.  The only way you can be certain you have downloaded an official release is to check that the file was digitally signed by the developer.  Here's how to do that:

Resources

Electrum website: https://electrum.org/#home
Electrum Git: https://github.com/spesmilo/electrum
Electrum Documentation: https://electrum.readthedocs.io/en/latest/index.html#
The GnuPG Project: https://gnupg.org/

ThomasV's PGP fingerprint: 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Source: https://electrum.readthedocs.io/en/latest/gpg-check.html

Redundant links to ThomasV's public key:
https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
http://keys.gnupg.net/pks/lookup?search=0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6&fingerprint=on&op=index

Third-party binary installations that include GnuPG:
Windows: https://gpg4win.org/download.html
Mac: https://gpgtools.org/

Choose, Install, and Set Up GPG

First you'll need to download and install Gnu Privacy Guard (GPG), the free implementation of the OpenPGP standard.  The link in the Resources section above provides download links for the tarball, and links to third-party binary releases.  If you download the tarball, you'll have to compile binaries for your operating system.  If you aren't comfortable doing that, I recommend the third-party binary downloads.  Gpg4win provides the option to install Kleopatra, a GUI application which is very user-friendly.  Mac GPG is also a user-friendly application with a GUI frontend.  I won't go into too much detail on installing GnuPG on your system; there are plenty of resources on the internet that can guide you through that, but the following paragraphs will help you get started.

Navigate to The GnuPG Project's download page, choose the appropriate third-party binary for your operating system, and install GnuPG according to the instructions provided with the distribution.

Note that Debian-based Linux distributions include GPG preinstalled; however, they may not have a GUI frontend.  A Debian distro running on Windows Subsystem for Linux will also have GPG preinstalled.

Once you've installed GPG you may be prompted to create or import a key pair.  If you already have a private key you can import it.  If you do not have a private key, I recommend that you create a new key pair.  Again, there are plenty of instructional sites on the internet that you can reference to guide you through creating your own key pair.  You do not need your own private key to verify a signature, but you will need one to certify the public keys of others.


Install on Windows

For Windows systems I recommend Gpg4win.  Browse to their downloads page, and install the latest version.  Once the installation directory is chosen, the installer will allow you to choose components:




Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use the command prompt to manage GnuPG.  Other optional features are a shell extension, which I find handy, and an Outlook extension.  If you use Outlook, the integration is pretty seamless and actually quite useful.

Once installation is complete and Kleopatra launches, I recommend you create a private key.  If you already have one, you can import it at this time.




Install on Mac

I'm no expert on Macs, I've only used them sparingly off and on, so please bear with me for these instructions.  I recommend using the Mac GPG suite from GPGtools.org.  It installs a GPG Keychain app that's very user-friendly and walks you through creating a key pair.
Browse to the gpgtools.org site, download the .dmg file, and open it to start the installation.
Once the installation has reached the "Installation Type" page, click "Customize."




Mac GPG is free to use, except for the mail clients.  They come with a 30-day free trial if you care to try them, or you may choose to deselect them.




Once installation is complete, the system will launch the GPG Keychain app and prompt you to create a key pair.  You'll need a secret key if you choose to certify other people's keys.




Install on Linux

As far as I know, all Debian-based distributions of Linux include GnuPG by default.  This includes Ubuntu, which I'll be using for my examples.
If for some reason you don't have GnuPG installed, run the following command:
Code:
sudo apt install gnupg

Download and Import ThomasV's PGP Key

Once you've created or imported your own private key, you can import ThomasV's public key.  On the downloads page of the official Electrum website, you'll find a link to ThomasV's public PGP key.  For redundancy I've posted that link in the Resources section above.  Clicking on the link will take you to a page that displays the public key.  Right-click on the page, then click "Save as" (Ctrl+S), and save the file as "ThomasV.asc".  Windows users take note: Windows likes to save .asc files as .txt files.  To avoid this pitfall, open an Explorer window, click on the View tab, then Folder Options, and under the View menu disable "Hide extensions for known file types".





Import on Windows

Import ThomasV's PGP Key using Kleopatra:
Start Kleopatra if it's not already running.  Click the Import button, navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.


Kleopatra will ask you to certify the public key, select Yes.




Choose the email addresses you want to certify; there's no reason not to select them all.  Click Certify.




Import on Mac OS

If it's not already running, launch the GPG Keychain app, and click the import button.  Browse to the location where you saved the ThomasV.asc file, and select it.




The Keychain should now list ThomasV's public key.




Double-click on ThomasV's key and set the trust level to "full."




Import using Terminal Commands

Terminal commands are a more powerful way to interact with GPG, and they can be used on any of the operating systems mentioned in this post.  I will demonstrate using a VM running Ubuntu 18.04 Desktop.  You can run the same commands in Windows using PowerShell, and in Mac OS using the Terminal app.

Import ThomasV's public key:
Code:
gpg --import /<path>/<to>/<file>/<location>/ThomasV.asc

Example:
Code:
gpg --import ~/Downloads/ThomasV.asc

The response should look like this:
Quote
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1




Refresh your keyring:
Code:
gpg -k

You should now see ThomasV's key in your keyring; the entry should look like this:
Quote
pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ unknown] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [ unknown] ThomasV <thomasv1@gmx.de>
uid           [ unknown] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]

If you choose to, you can now certify the key.  You must have created or imported a secret key.  If you created one, it will automatically be set as the default and its trust level will be set to ultimate.  If you imported an existing secret key, you'll have to set the trust level and defaults manually; refer to the GnuPG documentation for instructions.
Code:
gpg --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Optionally, if you have multiple secret keys, or don't have one set as a default, use this command to certify ThomasV's public key:
Code:
gpg -u <yourfingerprint> --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Select y and press enter at the two following prompts.  You'll be prompted for the GPG password that you set when creating your key pair.  ThomasV's key trust level will be set to "full."

Check the trust level of the public key by refreshing the keyring:
Code:
gpg -k

The results for ThomasV's key should look like this:
Quote
pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [  full  ] Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
uid           [  full  ] ThomasV <thomasv1@gmx.de>
uid           [  full  ] Thomas Voegtlin <thomasv1@gmx.de>
sub   rsa4096 2011-06-15 [E]




Download and Verification
Browse to the official Electrum website, and then to the downloads page.  Make sure it's the official site.  I know, it sounds easy, right?  But this is the riskiest part of the whole process.  Scammers want you to mistake their site for the real one, so they do everything they can to lure you into their trap.

Download the package or binary for your system, and save it somewhere you'll remember.  Download the corresponding signature file, and save it in the same location. 

Windows users: pay close attention to the file extension.  Windows wants to save it as a .txt file, but we want it saved as .asc.


Verify on Windows
In Kleopatra, click on the "Decrypt/Verify" button, and browse to the location of the .exe and .asc files you saved.  Select the .asc file, and click "Open."




The software will check the integrity of the .exe file against the signature file.  If the signature matches the .exe file, you'll see a window like this pop up:




Verify on Mac OS

Verification on a Mac is easy: open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double-click the signature file.




Mac GPG will launch the verification tool and compare the .dmg file to the signature file.  Once the verification tool has completed its check, it'll pop up a window like this:




Verify using Terminal Commands

To verify the downloaded AppImage enter the following command:
Code:
gpg --verify /<path>/<to>/<file>/<location>/<filename>.AppImage.asc

Example:
Code:
gpg --verify ~/Downloads/electrum-3.3.8-x86_64.AppImage.asc

If you have certified ThomasV's public key, the result should look like this:
Quote
gpg: assuming signed data in '/home/<usernam>/Downloads/electrum-3.3.8-x86_64.AppImage'
gpg: Signature made Thu 11 Jul 2019 07:26:15 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [full]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [full]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [full]
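Note that "Good signature" on its own only means the signature matches some key in your keyring; an impostor key carrying the same name would produce the same words, so the fingerprint on the "using RSA key" line is what actually ties the release to ThomasV.  The script below is an added example, not from the original post or the Electrum project: it asks gpg for machine-readable status lines and accepts a download only when the VALIDSIG line carries the fingerprint listed in the Resources section.  The sample status lines are constructed, and `verify_download` assumes gpg is on your PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: accept an Electrum download only when
# GnuPG's machine-readable status lines report a valid signature from the primary key
# whose fingerprint the post lists. "Good signature" alone is not enough, because an
# impostor key with the same user ID in your keyring also yields a good signature.

EXPECTED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# check_status STATUSTEXT
# Returns 0 only if STATUSTEXT has a VALIDSIG line whose last field (the primary-key
# fingerprint) equals EXPECTED_FPR. BADSIG, NO_PUBKEY, or a foreign key all return 1.
check_status() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_download SIGFILE
# Runs gpg on the detached .asc (gpg infers the data file by dropping the suffix, as in
# the post), leaves gpg's human-readable report on stderr, and checks the status lines.
# Assumes gpg is on PATH.
verify_download() {
    status=$(gpg --status-fd 1 --verify "$1") || return 1
    check_status "$status"
}

# Constructed sample status output (not captured from a real run), shaped like what gpg
# emits for the signature shown in the post.
SAMPLE_GOOD='[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2019-07-11 1562855175 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_FULLY 0 pgp'

# Same shape, but signed by a key with a placeholder fingerprint, as a fake release would be.
SAMPLE_IMPOSTOR='[GNUPG:] GOODSIG 0123456789ABCDEF Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2019-07-11 1562855175 0 4 0 1 8 00 00000000000000000000000000000000DEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify-electrum.sh ~/Downloads/electrum-3.3.8-x86_64.AppImage.asc
if [ "$#" -gt 0 ]; then
    if verify_download "$1"; then
        echo "OK: signed by $EXPECTED_FPR, safe to install"
    else
        echo "FAIL: signature missing, bad, or from an unexpected key; do not install" >&2
    fi
fi
```

The impostor sample is rejected even though gpg would report it as a good signature, which is exactly the case that eyeballing the output can miss.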




Conclusion

That's it, you did it!  Now you have the tools and the skill to verify that the Electrum installation files you download are authentic, and not the work of some malicious scammer.

Stay safe, and happy bitcoining!