How to verify Electrum that comes preinstalled on Tails?

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: hatshepsut93 on July 29, 2019, 11:35:48 PM

Quote from: pooya87 on July 29, 2019, 10:54:58 PM

Quote from: hatshepsut93 on July 26, 2019, 02:56:17 PM

~
I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.

i can think of at least 5 different ways that a malicious wallet can steal your funds without even needing any internet connection. it goes from simplest way of changing your payto field to advanced cryptographic ways of revealing your private key to the hacker without you even noticing since the transaction wouldn't look any different.

I was not talking about implications of running potentially malicious client offline, of course that would be stupid. bob123 was saying that Electrum that comes with tails is outdated, meaning that it probably can't send transactions, since servers would reject them to incentivize users to upgrade to newest versions that don't have the infamous phishing vulnerability. But it works for signing transactions or creating new wallets just fine.

oh yeah of course, that is the only thing that matters as long as you are sure that the preinstalled version is legit. but i was just pointing out the main question here regarding "verification of the already installed Electrum on Tails." and how you couldn't be sure about it so there are still ways to lose money even if you were offline.

hatshepsut93

legendary

Activity: 3024

Merit: 2148

Quote from: pooya87 on July 29, 2019, 10:54:58 PM

Quote from: hatshepsut93 on July 26, 2019, 02:56:17 PM

~
I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.

i can think of at least 5 different ways that a malicious wallet can steal your funds without even needing any internet connection. it goes from simplest way of changing your payto field to advanced cryptographic ways of revealing your private key to the hacker without you even noticing since the transaction wouldn't look any different.

I was not talking about implications of running potentially malicious client offline, of course that would be stupid. bob123 was saying that Electrum that comes with tails is outdated, meaning that it probably can't send transactions, since servers would reject them to incentivize users to upgrade to newest versions that don't have the infamous phishing vulnerability. But it works for signing transactions or creating new wallets just fine.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: hatshepsut93 on July 26, 2019, 02:56:17 PM

~
I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.

i can think of at least 5 different ways that a malicious wallet can steal your funds without even needing any internet connection. it goes from simplest way of changing your payto field to advanced cryptographic ways of revealing your private key to the hacker without you even noticing since the transaction wouldn't look any different.

Quote

I'm thinking, maybe there's some way to get a hash of the installed Electrum, than match it with a hash of another installed Electrum that I verified beforehand? Or is it all just not worth it, and I should just download and verify Electrum, save it on a USB stick and use it with my cold storage?

downloading, verifying and installing that is always the safest option. anything else is a workaround and is not as safe since you may miss many things.
as for hashes there are about 400-500 files in the tarball that you install on Linux and you'll have to calculate hash of each file and check it against the real files!

Artemis3

legendary

Activity: 2030

Merit: 1569

CLEAN non GPL infringing code made in Rust lang

Quote from: NeuroticFish on July 26, 2019, 02:39:22 PM

I've played with Electrum on Tails not so long ago, so I can help with links.

Indeed, the Electrum from Tails is too old, you need to put a new one onto persistent storage. For that, the easiest tutorial is the official one.

While it didn't help me much on install side, this (too) detailed tutorial tells all you need about verifying (the new) Electrum.

Persistence is not really needed, but you will of course need to reinstall it again on every boot. This is important for paranoid people that don't want any sort of writing.

hatshepsut93

legendary

Activity: 3024

Merit: 2148

Quote from: bob123 on July 26, 2019, 06:26:11 AM

The version of electrum on tails is outdated.

Simply download the new version and verify this one.
If you don't have tails connected to the internet, use a mounted drive / USB.

I know, but I use it offline, so I don't need to send transactions from it, I just sign transactions.

Quote from: ?? on ??

Normally you can't verify application which already installed, whether it's on Windows or Linux, unless it's portable application which only have file and you can compare/verify it's hash/signature.

I'm thinking, maybe there's some way to get a hash of the installed Electrum, than match it with a hash of another installed Electrum that I verified beforehand? Or is it all just not worth it, and I should just download and verify Electrum, save it on a USB stick and use it with my cold storage?

NeuroticFish

legendary

Activity: 3668

Merit: 6382

Looking for campaign manager? Contact icopress!

I've played with Electrum on Tails not so long ago, so I can help with links.

Indeed, the Electrum from Tails is too old, you need to put a new one onto persistent storage. For that, the easiest tutorial is the official one.

While it didn't help me much on install side, this (too) detailed tutorial tells all you need about verifying (the new) Electrum.

bob123

legendary

Activity: 1624

Merit: 2481

The version of electrum on tails is outdated.

Simply download the new version and verify this one.
If you don't have tails connected to the internet, use a mounted drive / USB.

And if you don't want to do this each time you boot up tails, create some persistence storage on your bootable drive (assuming you are using tails on a live-usb) and save the .AppImage there.

The persistence storage will not be deleted once you shut down tails.

P.s. Make sure to have a physical backup of your mnemonic code.
The wallet file is saved in a location which will be deleted upon shutdown.
If you don't want to enter your seed each time, move the wallet file to the persistence storage too.

Abdussamad

legendary

Activity: 3682

Merit: 1580

you can't since it was packaged by the tails developers. so if you trust the tails developers you can verify the gpg sig of the ISO file you downloaded against their signing key.

note that the version of electrum they include with tails is obsolete so you can no longer use it. you will have to update: http://docs.electrum.org/en/latest/tails.html

hatshepsut93

legendary

Activity: 3024

Merit: 2148

I usually install and verify Electrum manually, but the last time I've used Electrum that comes with Tails (the OS itself was verified though), and I just realized that I didn't verify it, and simply trusted that it's the genuine version. How can I check that it was signed by Electrum devs? I'm not very experienced with Linux, so please, be detailed when you describe the steps.

Topic: How to verify Electrum that comes preinstalled on Tails? (Read 252 times)