Author

Topic: How do i verify Electrum installer on Linux? (Read 232 times)

legendary
Activity: 3682
Merit: 1580
November 16, 2018, 10:52:39 AM
#6
I meant the electrum dependencies that get downloaded from pypy.  These are pip modules written by other authors and not by Thomas V.

legendary
Activity: 1624
Merit: 2481
November 16, 2018, 05:53:37 AM
#5
pip modules are not subject to review. It is indeed possible that backdoors might be introduced via them. 

This itself is not possible IF you trust the developer.

1) PIP is using https. This already elminates some attack vectors (e.g. MITM).

2) PIP is using checksums (MD5 i believe) provided by the author (in this case ThomasV) to be sure it has not been tampered with.
This is not necessarily safe since MD5 is quite broken. But it at least is SOME security.

However, downloading it manually and checking the signature is more secure and eliminates any risk of maliciously replaced packages (this still requires that you trust the developer).
legendary
Activity: 3682
Merit: 1580
November 16, 2018, 04:23:09 AM
#4
pip modules are not subject to review. It is indeed possible that backdoors might be introduced via them. 

legendary
Activity: 1624
Merit: 2481
November 15, 2018, 12:48:13 PM
#3
That's the preferred way, yes.

I am not aware of a way to verify the version PIP installs automatically.

However, i believe PIP is verifying the signature itself. But i'm not sure about this.
legendary
Activity: 1624
Merit: 2481
November 15, 2018, 06:33:42 AM
#2
To verify electrum on linux:

1. Get ThomasV's PGP key:
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 2BD5824B7F9470E6

(verify yourself, don't trust me)

2. Get the signature file (from electrum.org)

3. Verify:
Code:
gpg --verify electrum_signature_file.asc electrum_downloaded_file.tar


You should see this line output (among others):
Code:
Good signature from "Thomas Voegtlin (https://electrum.org) "

That's the important line.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
November 15, 2018, 05:27:49 AM
#1
As the title mentioned, how do i verify Electrum on Linux? I'm talking about installing Electrum on Terminal with these command :
Code:
Install dependencies:
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
Install Electrum:
sudo python3 -m pip install https://download.electrum.org/3.2.3/Electrum-3.2.3.tar.gz#egg=electrum[fast]

or should i just download Electrum's source, verify it's signature and compile it myself?
Jump to: