Topic: How to verify Electrum that comes preinstalled on Tails? (Read 233 times)

legendary
Activity: 3444
Merit: 10558
~
I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.
i can think of at least 5 different ways that a malicious wallet can steal your funds without even needing any internet connection. it goes from simplest way of changing your payto field to advanced cryptographic ways of revealing your private key to the hacker without you even noticing since the transaction wouldn't look any different.

I was not talking about implications of running potentially malicious client offline, of course that would be stupid. bob123 was saying that Electrum that comes with tails is outdated, meaning that it probably can't send transactions, since servers would reject them to incentivize users to upgrade to newest versions that don't have the infamous phishing vulnerability. But it works for signing transactions or creating new wallets just fine.

oh yeah of course, that is the only thing that matters as long as you are sure that the preinstalled version is legit. but i was just pointing out the main question here regarding "verification of the already installed Electrum on Tails." and how you couldn't be sure about it so there are still ways to lose money even if you were offline.
legendary
Activity: 2954
Merit: 2145
~
I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.
i can think of at least 5 different ways that a malicious wallet can steal your funds without even needing any internet connection. it goes from simplest way of changing your payto field to advanced cryptographic ways of revealing your private key to the hacker without you even noticing since the transaction wouldn't look any different.

I was not talking about implications of running potentially malicious client offline, of course that would be stupid. bob123 was saying that Electrum that comes with tails is outdated, meaning that it probably can't send transactions, since servers would reject them to incentivize users to upgrade to newest versions that don't have the infamous phishing vulnerability. But it works for signing transactions or creating new wallets just fine.

legendary
Activity: 3444
Merit: 10558
~
I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.
i can think of at least 5 different ways that a malicious wallet can steal your funds without even needing any internet connection. it goes from simplest way of changing your payto field to advanced cryptographic ways of revealing your private key to the hacker without you even noticing since the transaction wouldn't look any different.

Quote
I'm thinking, maybe there's some way to get a hash of the installed Electrum, then match it with a hash of another installed Electrum that I verified beforehand? Or is it all just not worth it, and I should just download and verify Electrum, save it on a USB stick and use it with my cold storage?
downloading, verifying and installing that is always the safest option. anything else is a workaround and is not as safe since you may miss many things.
as for hashes there are about 400-500 files in the tarball that you install on Linux and you'll have to calculate hash of each file and check it against the real files!
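
The per-file hash comparison raised in the post above, as an added example that is not part of the thread: it hashes every file in two directory trees and reports files that differ, are missing, or are extra. The two directory paths are assumptions, and the result only means something when the reference tree was unpacked from a release you verified with GPG and is the same version and packaging as the installed one.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). REFERENCE and INSTALLED are directories
# you supply: a tree unpacked from a GPG-verified release, and the tree to check.

# Print "sha256  ./relative/path" for every regular file under $1, sorted by
# path. Byte-compiled *.pyc caches are skipped: they are generated locally.
tree_manifest() (
    cd "$1" || exit 1
    find . -type f ! -name '*.pyc' -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum
)

# compare_trees REFERENCE INSTALLED
# Prints one line per discrepancy and returns 0 only when both trees match:
#   MODIFIED path   in both trees, contents differ
#   MISSING path    only in the reference
#   EXTRA path      only in the installed tree
compare_trees() (
    ref=$(mktemp) && inst=$(mktemp) || exit 2
    trap 'rm -f "$ref" "$inst"' EXIT
    tree_manifest "$1" > "$ref" || exit 2
    tree_manifest "$2" > "$inst" || exit 2
    # A manifest line is 64 hex digits, two spaces, then the path, so slicing
    # by column keeps paths that contain spaces intact.
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { want[path] = hash; next }
        { seen[path] = 1 }
        !(path in want)     { print "EXTRA " path; bad = 1; next }
        want[path] != hash  { print "MODIFIED " path; bad = 1 }
        END {
            for (p in want) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad + 0
        }' "$ref" "$inst"
)

# Stand-alone use (compare.sh is a hypothetical file name):
#   ./compare.sh REFERENCE_DIR INSTALLED_DIR
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```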
legendary
Activity: 1988
Merit: 1561
I've played with Electrum on Tails not so long ago, so I can help with links.

Indeed, the Electrum from Tails is too old, you need to put a new one onto persistent storage. For that, the easiest tutorial is the official one.

While it didn't help me much on install side, this (too) detailed tutorial tells all you need about verifying (the new) Electrum.

Persistence is not really needed, but you will of course need to reinstall it again on every boot. This is important for paranoid people that don't want any sort of writing.
legendary
Activity: 2954
Merit: 2145
The version of electrum on tails is outdated.

Simply download the new version and verify this one.
If you don't have tails connected to the internet, use a mounted drive / USB.


I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.

Normally you can't verify an application which is already installed, whether it's on Windows or Linux, unless it's a portable application which only has a file and you can compare/verify its hash/signature.


I'm thinking, maybe there's some way to get a hash of the installed Electrum, then match it with a hash of another installed Electrum that I verified beforehand? Or is it all just not worth it, and I should just download and verify Electrum, save it on a USB stick and use it with my cold storage?
legendary
Activity: 3668
Merit: 6382
I've played with Electrum on Tails not so long ago, so I can help with links.

Indeed, the Electrum from Tails is too old, you need to put a new one onto persistent storage. For that, the easiest tutorial is the official one.

While it didn't help me much on install side, this (too) detailed tutorial tells all you need about verifying (the new) Electrum.
legendary
Activity: 1624
Merit: 2481
The version of electrum on tails is outdated.

Simply download the new version and verify this one.
If you don't have tails connected to the internet, use a mounted drive / USB.

And if you don't want to do this each time you boot up tails, create some persistence storage on your bootable drive (assuming you are using tails on a live-usb) and save the .AppImage there.

The persistence storage will not be deleted once you shut down tails.


P.s. Make sure to have a physical backup of your mnemonic code.
The wallet file is saved in a location which will be deleted upon shutdown.
If you don't want to enter your seed each time, move the wallet file to the persistence storage too.
legendary
Activity: 3612
Merit: 1564
you can't since it was packaged by the tails developers. so if you trust the tails developers you can verify the gpg sig of the ISO file you downloaded against their signing key.

note that the version of electrum they include with tails is obsolete so you can no longer use it. you will have to update: http://docs.electrum.org/en/latest/tails.html
legendary
Activity: 2954
Merit: 2145
I usually install and verify Electrum manually, but the last time I've used Electrum that comes with Tails (the OS itself was verified though), and I just realized that I didn't verify it, and simply trusted that it's the genuine version. How can I check that it was signed by Electrum devs? I'm not very experienced with Linux, so please, be detailed when you describe the steps.