Topic: [GUIDE] How to Safely Download and Verify Electrum [Guide] - page 6. (Read 22025 times)

full member
Activity: 1708
Merit: 185
Okay so I'm watching that YouTube video again and it seems like the box I closed was this message....


Certificate Not Possible - Kleopatra

To View other certificates, you first need to create an OpenPGP certificate for yourself.

Do you wish to create one now?


Yes or No



So how do I get back there?  Do I close Kleopatra and open Kleopatra again and repeat what I did earlier and then click Yes here?
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
[...]
Yes, that's what it should show. Did you successfully import it?
full member
Activity: 1708
Merit: 185
I just did that and then clicked on Import from Kleopatra and opened the ThomasV file in it.  Then it showed a message and I closed it.  Did I need to see what that message said?



Now I see



Thomas Voegtlin, his email, not certified, user ID, valid from June 15 2011 (but it doesn't show a valid-until date).  Then it shows the key ID.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
So to download ThomasV keys, I need to right click on the blue ThomasV... click save link as... then it should save as ThomasV and ASC file to my pc/downloads correct?
Correct.
full member
Activity: 1708
Merit: 185
Okay I did not see your post on the creating a private key to verify electrum part.  That part literally would confuse most people.


So to download ThomasV keys, I need to right click on the blue ThomasV... click save link as... then it should save as ThomasV and ASC file to my pc/downloads correct?
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
When you recommend you can also create a private key, I do not understand that part.  How is 99% of the population going to know how to even create a private key to verify electrum.  Because ThomasV key is what is needed to verify electrum.
That's indeed a valid query on your side. I had already told him that it may confuse those who'll ask why. The short answer is that you don't need key pairs to verify a signature.

Do I now click on the signatures link next to the electrum windows installer link I just downloaded and download that?
After your Kleopatra has imported Thomas' public key, then yes. You have to open the signature file with Kleopatra and it'll verify it automatically. Also, make sure the signature file's name is the same as your installer's. For instance, if it's electrum-4.1.5-setup.exe, make sure it's electrum-4.1.5-setup.exe.asc.
full member
Activity: 1708
Merit: 185
Okay I will disregard the key pair part as that is confusing.  I just don't understand why you mentioned you could create your own key pair... where I have no idea what percentage of the population would even know how to do that.  Thus using ThomasV public key to verify would sound very simple.


I am stuck right now.


This is what I just did now


I downloaded electrum


I downloaded Gpg4win and got to the part where it opened Kleopatra and it shows

New Key Pair or Import



Next steps in direwolf's instructions are:

Import ThomasV's PGP Key on Windows
Import ThomasV's PGP Key using Kleopatra:
Download ThomasV's PGP Key from a trusted source.  Start Kleopatra, if it's not already running.  Click the Import button, and navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.


I completely ignore clicking on the signatures link next to Windows installer, correct?  So just click on ThomasV in blue... which has ThomasV, SomberNight, Emzy next to it?  When you click on the blue highlighted ThomasV, all it does is open up a page with a bunch of keys.  Are you supposed to right click that and save link as?


The thing is if I were to right click ThomasV and click save link as... it would show saving it to file name ThomasV as an ASC file.  But when it does that, it would save to This PC - Downloads where nothing is showing up.  Like before you click on save, you look at the top where there are no other downloaded files you had downloaded.  Is this normal or not?  If I were to click on Desktop/Downloads/Documents, there are literally no files showing.  Is that normal?  I would have thought I would see the Electrum exe file I downloaded earlier somewhere here?  So because I'm right clicking and saving the link as... that is why I don't see any other files?  Just want to make sure I'm doing this correctly.
copper member
Activity: 2142
Merit: 4219
trying to verify signature of electrum, but i get an error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??

As mentioned, keys.gnupg.net isn't around anymore.  Try running one of the commands below from your terminal app.  

Code:
gpg --keyserver hkp://keyserver.ubuntu.com --receive-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Or
Code:
gpg --keyserver hkp://keys.openpgp.org --receive-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


~

From our previous conversations, I recall you're running Windows.  GPG4Win has a Microsoft authentication certificate, so the application won't flag Windows' anti-virus software.  It also checks if the code has been altered since signed by the publisher.  If the package you downloaded doesn't match the certification checksums it'll throw up a big red warning when you try to install it.

For various reasons a lot of open source apps don't use Microsoft's authentication tools.  I believe there are costs associated with maintaining the certificate, so it may be a financial decision.  GnuPG is open source, powerful, secure, and free.  It's a great alternative, especially if the developers want to port their application to many different OSs.


What do you mean you recommend you create a private key?  I do not understand this and in the youtube video, I do not even see this part mentioned.  I thought the private key was Thomas key.  So what exact private key are you creating here?

You import ThomasV's public key, not his private key.  His private key allows him to sign the releases, and the public key allows all of us to verify that the download was indeed signed by ThomasV.  It's a lot like a bitcoin keypair, in that way.  I can also use GPG to sign messages that others can verify as having come from me, and with someone's public key I can encrypt secret messages that can only be decrypted by the holder of the matching private key.  But in order to do so, I need to have a keypair also; a private one, and a public key that I can share with the world.

You don't really need your own keypair to verify that the Electrum download was actually signed by ThomasV.  GPG will tell you that the file was signed by ThomasV, but it'll also say something to the effect that the key is not "Trusted."  It's really just a formality, but if you're using Kleopatra it won't show the green results page unless the public key has been trusted by your system.  To sign someone else's public key as "trusted" you'll need to have a private key of your own.

Also in the video, there is a part where it says Key Pair Creation Wizard where it ask you to put name/email though it shows optional.  So you just click next and leave it empty and skip it?  Then it ask you to create a password.  I assume this video is outdated and thus none of this applies now?

That sounds right, those are typical options for creating a keypair.  You should definitely have a password if you plan on using GPG to sign or encrypt messages.  I use it regularly to encrypt backups of sensitive information that I want available on multiple devices.  I can store them on the cloud with some measure of additional security.


These are the other instructions I found below for verifying Electrum.  On this, it mentions only make sure Kleopatra is checked.  So you need to uncheck the other two, GpgOL and GpgEX?  Direwolf and the YouTube video have you just click next as it auto checks all three of these?

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

Whatever.  One is the Microsoft Outlook extension, and the other is a Windows Explorer Shell (right click) extension.  I like the shell extension, myself.
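The command-line side of what the post above describes, as an added example that is not from this thread or from the Electrum project: a small Python wrapper around `gpg --status-fd 1 --verify` that reads gpg's machine-readable status lines and accepts the installer only when the signing key's fingerprint is the one quoted in this thread, while treating the "not trusted" (TRUST_UNDEFINED) line as the formality it is. The sample status output is constructed, and the user ID in it is a placeholder.

```python
import subprocess

# ThomasV's key fingerprint, as quoted earlier in this thread.
THOMASV_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

def parse_gpg_status(status_text, pinned_fingerprints):
    """Interpret gpg --status-fd output and return (accepted, reason).
    GOODSIG alone is not enough: the signing key must match a pinned fingerprint.
    TRUST_UNDEFINED (key not certified by you) is expected, not a failure."""
    pinned = {f.upper() for f in pinned_fingerprints}
    good, signer_fprs = False, set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # Field 2 is the signing (sub)key fingerprint; the optional 12th
            # field is the primary key's fingerprint.
            signer_fprs.add(parts[2].upper())
            if len(parts) >= 12:
                signer_fprs.add(parts[11].upper())
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, "signature rejected: " + line
        elif keyword == "NO_PUBKEY":
            return False, "signer's public key not imported: " + parts[2]
    if not good or not signer_fprs:
        return False, "no good signature found"
    matched = signer_fprs & pinned
    if not matched:
        return False, "good signature, but from an unpinned key"
    return True, "signed by pinned key " + sorted(matched)[0]

def verify_download(signature_path, data_path, pinned=(THOMASV_FPR,)):
    """Verify a detached .asc against the installer it covers; naming the
    data file explicitly also handles .asc files not named after the .exe."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify",
                           signature_path, data_path],
                          capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, pinned)

# Constructed sample gpg status output (valid, uncertified sig); placeholder user ID.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin <placeholder@example.invalid>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2021-07-20 1626771200 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

`verify_download("electrum-4.1.5-setup.exe.asc", "electrum-4.1.5-setup.exe")` needs gpg installed and ThomasV's public key imported; `parse_gpg_status(SAMPLE_STATUS, [THOMASV_FPR])` runs offline.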
hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
trying to verify signature of electrum, but i get an error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??
This guide is from 2020; since then, keys.gnupg.net was deprecated.
I found this similar question answered in a quick web search.

You can look up his key on any other keyserver though; that's the beauty of this decentralized, federated GPG network. Just enter his ID into any keyserver. For example:
https://keys.openpgp.org/vks/v1/by-fingerprint/6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

If you use gpg via command-line, it should be possible to omit the --keyserver, like this:
Code:
gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

Alternatively:
Code:
gpg --keyserver keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --keyserver keyserver.ubuntu.com --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --keyserver pgp.mit.edu --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
member
Activity: 97
Merit: 13
trying to verify signature of electrum, but i get an error when Obtaining public GPG key for ThomasV

keys.gnupg.net: host not found   ...
Are we under attack ??
full member
Activity: 1708
Merit: 185
Is there a reason verifying electrum is this complicated?


First off, you need to


Install GPG
Download and Import ThomasV's PGP Key
Download and Verify Electrum



So you need to make sure you are downloading the official GPG and ThomasV's PGP key.  You also need to download Kleopatra from another website.  Does downloading many of these things concern anyone here since it increases the chance of a mistake?


Is there a reason why verifying Electrum doesn't just require you to download Electrum, then right click the program/Properties, open a command prompt and just type letters and words into the command prompt so it displays the hash just like that... similar to how you verify Ledger Live?  I found verifying Ledger Live a bit confusing but after I did it, it isn't that complicated... but for the average user... it is complicated.


Verifying Electrum seems much more complicated since you need to download a bunch of things.  How do you know all these things you're downloading now don't have malware and all that?


Now has there ever been a case where someone downloaded Electrum from the official Electrum site... and got hacked or got malware?  Assuming you download Electrum and then start using it, whether creating a seed or restoring an old seed, can you always verify if your Electrum is the real Electrum even after you've started using it?



I was checking youtube to see if there is a video to do this and found one

https://www.youtube.com/watch?v=lCG3c8a7HZI


In your instructions of

Install Windows


Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use command prompts to manage the GnuPG app.  Another optional feature is a shell extension which I find handy, and an Outlook extension.  If you use Outlook the integration is pretty seamless, and actually quite useful.

Once installation is completed, and Kleopatra launches I recommend you create a private key.  If you already have one, you can import it at this time.



What do you mean you recommend you create a private key?  I do not understand this and in the youtube video, I do not even see this part mentioned.  I thought the private key was Thomas key.  So what exact private key are you creating here?




Also in the video, there is a part where it says Key Pair Creation Wizard where it ask you to put name/email though it shows optional.  So you just click next and leave it empty and skip it?  Then it ask you to create a password.  I assume this video is outdated and thus none of this applies now?






These are the other instructions I found below for verifying Electrum.  On this, it mentions only make sure Kleopatra is checked.  So you need to uncheck the other two, GpgOL and GpgEX?  Direwolf and the YouTube video have you just click next as it auto checks all three of these?

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
legendary
Activity: 3220
Merit: 5630
First of all, will your hardware wallet even be able to connect to a fake Electrum wallet? Ledger and Trezor devices can establish connections to Electrum, but a phishing version of Electrum is not Electrum.

The answer is actually on the link from my previous post, because @DaveF did an experiment with fake Electrum in combination with Trezor and ColdCard, both HW did not recognize fake Electrum. The assumption is that hackers used older versions of Electrum, or they did not try to make fake versions compatible with hardware wallets knowing they can’t automatically empty such a wallet. Of course, this does not mean that fake versions of Electrum cannot work with HW, I believe that it is possible to achieve.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
What are the consequences of using a compromised Electrum with hardware wallets?
First of all, will your hardware wallet even be able to connect to a fake Electrum wallet? Ledger and Trezor devices can establish connections to Electrum, but a phishing version of Electrum is not Electrum.

But let's say they can connect.
If you have a receiving address that you are intending to send the coins to, you should notice a difference if the fake Electrum app is trying to make you send your funds to another address. The receiving address has to be displayed on the screen of your HW. If you are generating a new address, do it from the native client whose hardware wallet you are using, and copy the address from there into Electrum if you are sending to yourself, doing a consolidation, or something like that. Again, you should notice a difference if the address changes while you are creating the transaction.
legendary
Activity: 3220
Merit: 5630
Is it necessary to verify Electrum when using a hardware wallet?
What are the consequences of using a compromised Electrum with hardware wallets?

It is always wise to verify the file before installation, but even if you have a malicious wallet every action you take should be confirmed by pressing a hardware button. Therefore, if you pay attention to every step while doing a transaction, you will notice that something is not as it should be and you will not sign the transaction.

You can read more on this topic -> Fake Electrum version 4.0 and hardware wallets
copper member
Activity: 2142
Merit: 4219
Is it necessary to verify Electrum when using a hardware wallet?

YES!

What are the consequences of using a compromised Electrum with hardware wallets?

There have been malicious versions in the past that will send all your coins to the scammer's address.  It creates a surreptitious transaction that will remain invisible to you.  You'll be under the impression that you're creating a typical transaction, then next thing you know, all your coins are gone.  A hardware wallet will display the actual (malicious) transaction, but if you aren't paying close attention, and you approve the transaction on your hardware wallet, you'll send all your money to the scammer.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
Is it necessary to verify Electrum when using a hardware wallet?
What are the consequences of using a compromised Electrum with hardware wallets?
copper member
Activity: 2142
Merit: 4219
Just thought I'd provide an update here on the status of the original post;

Based on the contents of a previous post on the subject of multiple signature files, I submitted an issue on Electrum's git:
https://github.com/spesmilo/electrum/issues/7579

I didn't realize it would be so complicated, but it's obvious the dev team is putting the effort into implementing an aggregated signature file.  It appears that ThomasV has found a solution, so it may be implemented by the next release.  I'll determine then if the OP needs any updates.
newbie
Activity: 26
Merit: 1
Thank you

That was easy and simple and it did the job.
copper member
Activity: 2142
Merit: 4219
~

The Electrum development group has started issuing signatures from multiple developers, so now the signature files have different names than the executable file.  That's what's causing your problem.  I'm sorry I haven't had time to update the OP with the new instructions yet, but look at post number 57 of this thread.  nc50lc shows how to configure Kleopatra so it'll prompt you to select the .exe file separately.  Once configured properly, when you double-click an .asc file, Kleopatra will open a dialogue box.  There, under the field marked "Signed Data", browse to and select the Electrum .exe file.