Topic: [GUIDE] How to Safely Download and Verify Electrum [Guide] - page 4. (Read 51183 times)

Yes, I’m sure you won’t need it, so just act like you never created your own pair.

Leave them there so you can verify the next Electrum released and/or other software. There is no point in uninstalling it after all the work you did, IMO.

Thanks Tryninja.  I don't plan to use it to sign my own message/files.  I mean I'm not sure how I would even do that and what purpose it would be for me?  Someone said only if you want to send encrypted messages to someone? 


But there is no point of me uninstalling Gpg4win and kleoptra right?  Might as well leave it in the computer?

It's only useful if you're ever thinking about signing your own messages/files. So if all you want to do is verify Electrum's signature, you don't have to.

When I was setting the Gpg4win up on the computer, it eventually ask me to type in a name and an email address.  I just put in a name and just a fake email address.  The youtube video for this part mentioned this didn't matter so I did that.  In all the other instructions... there was not anything mentioned at all about this.  Neither direwolf or the other instructions even addressed this at all.  Then after I clicked enter, it gave me a long code which I assume is the keypair seed?  Its very long.


I am not sure if you could click cancel during this process but I didn't.


What I want to know is... do I need to keep a copy of this very long key?  I did write it down but is it needed?  Again, there is zero mentioning of this at all even in this thread which I find disappointing. 

No. If you got a successful verification, then it means the signature you downloaded from electrum.org is valid, given the public key you imported to Kleopatra. You didn't do anything incorrectly as long as you imported the correct public key.

Depends on what you want to do. Did you just create it to verify Electrum? If yes, then go ahead and delete the whole Kleopatra. However, you may find it interesting to learn what's all about these key pairs. It may also help you do something you couldn't before. For instance, you can now send encrypted messages if you find others who use GPG.

Yea it showed the signature that I posted.  But again, i basically did a ton of trial and error clicking import the same asc file again and then clicked certify when I believe a bit earlier it didn't work.  Then eventually that popup showed up with the three ThomasV email addresses with the three check marks and I click okay. 


I just know at the end, I right clicked on the electrum setup exe file and clicked  More GpgEx options -> Verify.  Then I got the signed signature verification.  But I was concerned if it could still get that message with me doing all this via trial and error.


Also, do I need that keypair long code that was created for me when I typed in my name and fake email address?  Seems to be like a keypair seed or something but that is completely useless right?

Yes. If it showed you that the signature is valid it means it checked the .asc signature file, the executable and Thomas' public key, did the process of verification and find nothing faulty. Your Electrum is ready to be installed.

Right now I'm going to verify electrum on my main pc.  


Download and install Gpg4win on the pc.  After all this is done, kleopatra opens up now.


Go to electrum site.  Is the first thing you are suppose to do download ThomasV key first?  I just took a look at the instructions and it has him import ThomasV key first BEFORE even downloading electrum windows installer and the signatures link right next to it?


What I did earlier was I downloaded electrum first before even downloading the Gpg4win.  Does it matter which order you download it?


I ended up downloading electrum windows installer, the signature link to the right of it... and finally the ThomasV file in blue all together.  I then imported the asc file to it.  For some reason few times it doesn't seem to import correctly?  Kept showing 0 imported but eventually afterwards it got imported after some trial and error.  I had created name and fake email.  But you need to make sure the user id gets certified first right before you right click electrum-4.1.5-setup.exe -> More GpgEx options -> Verify?


Because when I kept on right clicking the electrum-4.1.5-setup.exe -> More GpgEx options -> Verify.  I can't getting unsigned signatures.


But then I right clicked on the Thomas Voeglin imported certificates and clicked certified and then it certified.  Then after some other clicking, I got that popup box with it showing three Thomas and three check marks and I click okay.


Then went back to the  electrum-4.1.5-setup.exe -> More GpgEx options -> Verify.  It finally shows the message of




Verify Files - Kleopatra
All Operations Completed

Verified electrum-4.1.5 setup.exe.asc' : 3 valid signatures                                        Import  637DBXXXXXXXXXXXXX
                                                                                                                           Import  0EEDCXXXXXXXXXXXXX
                                                                                                                           Search  637DBXXXXXXXXXXXXX
Signature created on Thursday July 22, 2021                                                          Search  0EEDCXXXXXXXXXXXXX

With unavailable certificate
ID:  Ox637DBXXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19, 2021
With unavailable certificate
ID:  Ox0EEDXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19. 2021
With certificate
Thomas Voegtlin (https://electrum.org) <[email protected]. (2BD5 824B 7F94 70E6)
The signature is valid and the certificate's validity is fully trusted.



As long as I see this message above, even if I did some trial and error clicking to get there... that proves the electrum is genuine right?  I just kept clicking import, certify, and eventually got here at the end.

Hey.  Well I did not know that it displays the last 8 bytes.  That would be completely new to me as I didn't read that in any guide at all etc.


Well I was looking through many guides.  This one, youtube, few ones online, not one of them seem to be hassle free.  Each one always has an issue where at some point, you go how come it doesn't go smoothly etc.



I am now going to do install electrum on my main pc now.  I had tested this on my other windows pc. 



Tryninja, before you listed those steps you posted, is there anything you recommend me not do before I get there to where I was at... before what you said basically confirmed the electrum I downloaded is legit?



Thanks.

You do see it:


In this UI it only shows the last 8 bytes, but it doesn't really need to show you all of them, since it already computed and compared everything for you and this is just a nice, readable output of this information.

Also sorry for my earlier comment; I was assuming enough good guides exist on this topic already, seeing how popular Electrum is - I mean this topic started as a guide for safely downloading and verifying Electrum. But maybe some things can be made clearer by OP.

TryNinja thanks. 


Do you agree that the instructions that were given aren't that clean and concise?  I had a feeling when I saw you post, I knew I was going to figure out how to verify it soon because always you, HCP and a few others... are very clear and then I figure it out.  Of course the other posters here are helpful but i just kept getting stuck each time.


Also one last question.  To set up electrum right now, do i click on the electrum setup or the electrum setup.exe to set electrum up right now?   Okay that was a stupid question.  The electrum setup exe file is the signature.  Do I delete it or just leave it there?  Don't remove the gpg4win right?

---

is there a reason I did not see any of this in the verification?


6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 which is ThomasV public key?  I thought at some point i would compare this on electrum with this code to see it match?

[moderator's note: consecutive posts merged]

The above message says so. Congrats, you did it...

I believe the file is also signed by other contributors, but you only see/recognize the one from Thomas, since his key was the only one you downloaded (and marked as trusted).

Okay i downloaded the signatures file next to the windows installer file


I see in my downloads folder right now


Thomas V
gpg4win-4.0.0
electrum-4.1.5 setup
electrum-4.1.5 setup.exe


I then right click on electrum-4.1.5 setup.exe and clicked VERIFY



It shows


Verify Files - Kleopatra
All Operations Completed

Verified electrum-4.1.5 setup.exe.asc' : 3 valid signatures                                        Import  637DBXXXXXXXXXXXXX
                                                                                                                           Import  0EEDCXXXXXXXXXXXXX
                                                                                                                           Search  637DBXXXXXXXXXXXXX
Signature created on Thursday July 22, 2021                                                          Search  0EEDCXXXXXXXXXXXXX

With unavailable certificate
ID:  Ox637DBXXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19, 2021
With unavailable certificate
ID:  Ox0EEDXXXXXXXXXXXXXXXXXXXXXXXXX
You can search the certificate on a keyserver or import it from a file


Signature created on Monday July 19. 2021
With certificate
Thomas Voegtlin (https://electrum.org) <[email protected]. (2BD5 824B 7F94 70E6)
The signature is valid and the certificate's validity is fully trusted.




For the ID:..... I just typed in the first few characters and just put XXXXXXXXXXXXX for the rest.



So does this mean my electrum is legit?  How come in the direwolf instructions, you don't see like three signatures and only one and its the last one which is the email?

Yes, the setup file is an executable (.exe). If you are on windows and you can run it, chances are that it's an executable.

From the beginning:

1. https://electrum.org/#download
2. Click "Windows Installer" to download electrum-4.1.5-setup.exe
3. Right next to it, you also have a "Signatures" link that downloads electrum-4.1.5-setup.exe.asc (make sure to click the right "Signatures" link next to "Windows Installer")
4. After both files finish downloading, they should be on the same Downloads folder.
5. Right click electrum-4.1.5-setup.exe -> More GpgEx options -> Verify.

P.S: NOT decrypt and verify, but verify.

Hey Tryninja.  Thanks for responding to me in the thread.  I remember you always being very clear with everything like HCP when helping me out.



Are you talking about the electrum-4.1.5 setup file in my downloads folder?  I am not sure if its an exe file or not.  It does not display the words exe in the title of it.  I had downloaded this electrum file at the beginning of this process and clicked on windows installer. 

---

TryNinja.  I already posted this earlier when someone asked. 


When I right click on the electrum downloaded file and verify... i get a new box that opens


Decrypt/Verify Files - Kleopatra


Choose operations to be performed
Here you can check and, if needed, override the operations kleopatra detected for the input given



Input file:  c:/users/myname/downloads/electrum-4.1.5-setup.exe


No check mark on   Input files is a detached signature
Signed Data (But its greyed out along with a whole line where there is a folder icon at the end)     If you check the input for this, you can click on a file tho choose for signed data.


No check mark on   Input file is an archive:  unpack with




Check mark on      Create all output files in a single folder


Output folder:  c:/users/myname/downloads




The only thing i can do on this page is either click on Decrypt/Verify... or cancel


Or


Click on those two input files and make it a check mark...If I do check the Input file is a detached signature, right under it... Signed data which is greyed out is no longer greyed out and you can click on a folder and pick a file

[moderator's note: consecutive posts merged]

There are different ways to verify GPG signatures and different programs can be used but the concept is the same.
Stick to one guide so you don't get confused.

If this guide is too complicated for you then I recommend the YouTube video by Binance Academy.

Did everyone here get asked to create a passphrase during this process after entering a name and email?  I checked the comments of the earlier youtube link i posted and someone said this and the video creator was shocked and surprised on this and said that is over odds.


There is zero information on any of the guides besides the youtube video guide that ask you to enter a name and an email password.  And they have the passphrase to create in the video which for some reason doesn't appear for me.  Someone mentioned yes thats in the process... yet no discussion at all about this earlier.  That is why this is frustrating.



Also what has me confused now is in the youtube video, you see the guy download the windows electrum file by clicking on installer.  Yet how come that files shows like an exe file though?  Literally every guide that i looked at, if you follow each of them, you will get stuck at one point or another because they either use confusing words or omitted a step or two. 

@jerry0

Right click the Electrum installer .exe -> More GpgEx options -> Verify. What happens?

I'm frustrated man.  For something that should take few minutes only from what others say, this isn't even simple at all.


I literally followed direwolf instructions here and multiples times i got stuck.  I mentioned there were two other guides... one was a youtube guide... yet the way they did it is different.  The other guide said to only check kleopatra only and uncheck the other two things. 


Then look at this other guide.


https://coinguides.org/verify-electrum-signature/


This one has you download the signature file early on.   Yet none of the other guides even tell you to do this early or at all.


I am frustrated there is no instruction guide where you could follow it step by step and everything would be a breeze.  When I followed direwolf guide, towards the middle/end of it, I get stuck and khaled tells me you suppose to have the electrum exe file and the electrum asg file after he ask me to right click electrum and verify and he tells me now i should see if its verified or not.  I tell him i see something completely different.


Thats when I wondered.. where in the instructions did it say to download electrum file by clicking on the standalone executable in direwolfs guide?  Anyone that is told to download a file would click on windows installer.  I am just frustrated how come there isn't simple easy to follow instructions for something as important as verifying electrum.  I have been using computer for many years on windows.  But anything I download I just use it.   So im not like a computer newbie. 

---

What I don't get is why steps aren't simplified easier.  Imagine something like this.


Go to electrum.org and download it.  If you have windows, click on windows installer or standalone executable.  Leave no doubt what download means.
Go to Gpg4win website... of course put that the exact website link... then click on download


Obviously having pictures would be helpful as well. 



But let say I figured out how to do verify electrum.  If I were to create a thread on verifying electrum... the steps i write down in a guide would be as clear as possible to anyone on this forum.  I would leave almost zero doubt to someone... who would go... i'm confused or I'm stuck etc.  I cannot believe the guide to verify electrum is this complicated when people say it should take minutes. 








[moderator's note: consecutive posts merged]

What is this dude?

What's that?

Look at it, yes, look at it! Whitespace! I screenshotted it from your post. Tons of it! Yes, I'm wasting someone's disk space as well as your bandwidth - to prove my point! It's annoying!
Why do you have to smash that enter button 42 times after every 2 words? It's annoying and unnecessary. Some whitespace, sure, better than a wall of text. But you're overdoing it!