Electrum is one of the most popular Bitcoin wallet that is available for Windows, Mac, Linux and Android. It is safe, fast and simple to use. Anybody can download the wallet and start using it right away. Moreover the wallet is open source. This is one reason why more number of users trust and use electrum to store and manage their Bitcoins.
- Download electrum wallet from official website: https://electrum.org/#download
- Also you can download and find the source code of the software at their GitHub page: https://github.com/spesmilo/electrum
Now before you install the wallet or update electrum you need to verify signature and check the authenticity of electrum binaries / sources.
This should be done every time you download or update your existing wallet. Also not just electrum wallet but any software that you install on your computer. Especially Bitcoin and cryptocurrency wallets that handles your private keys should be verified before using.
Here in this beginners guide we’ll show you how to verify electrum signature. But first let us understand why users should verify the authenticity of the wallet downloads before using them.
Why to verify wallet?
The main reason why you should verify the authenticity of electrum or any wallet software is to reduce the risk of running malware.
Since electrum and other Bitcoin wallet software’s are open source they are highly susceptible to phishing attacks. A hacker can easily modify the source code and distribute the software across the web which looks identical as the original wallet. Whoever downloads and uses it is at high risk of losing their Bitcoins.
This has happened previously where the hacker stole 100s of Bitcoin from electrum users by distributing a malicious copy of electrum wallet. All users who have downloaded and installed the fake wallet have lost all of their Bitcoins.
But, wait? I’ve downloaded electrum from official website electrum.org. Should I still need to verify PGP signatures?
Yes, what if the hacker gets access to the server and modifies the download files. This is why even if you download software from official source you should verify signatures and check whether if the wallet is legitimate or not.
Verifying hash files and GPG signatures
So how do you verify the wallet file that you downloaded is legit and is not modified by a hacker? Thanks to cryptography. There are two ways to verify the integrity and authenticity of wallet software’s.
- Verifying the hashes of the software file.
- Verifying GPG signatures.
Most developers provide both the hashes as well as GPG signatures to allow users to identify whether they are installing a genuine copy of the software or a modified malicious one.
Think of hashes as an immutable, unique identifier which is only assigned to a particular file. If in case the hacker modifies the program files then it will not match with the hash value provided by the original developer. In which case you can come to a conclusion that the downloaded software is fake and corrupted.
We’ve already made a tutorial on how to verify MD5, SHA256 checksum of a wallet /software
But the problem what that method is that the hacker can create a valid hash for a fake version and publish it online. This does not bring any security at all.
This is why electrum and other wallet developers do not publish hashes. Instead they sign and share their digital signatures.
Verifying GPG signatures
GPG in short refers to GNU Privacy Guard is a cryptography based on key pairs. GPG is used to encrypt or sign data to ensure its authenticity.
Think of GPG digital signature as a hand written signature but with the additional benefit of being tamper resistant.
So the idea is; before releasing the binaries to the public the developer signs the download files with their private key. Users can then verify the download by using the developers public key. If the downloaded file is modified or tampered then the signature verification will fail.
For example Electrum wallet sources and executables are signed by ThomasV. Users who are downloading electrum wallet software will use ThomasV’s public key to check the signature and verify the fingerprint. If the file is forged or modified then the signature verification would fail and the fingerprint does not match.
Alright! Let’s now see how to verify electrum wallet signature.
How to verify electrum signature
This tutorial describes how to verify electrum signatures on Windows. For Mac you can follow the same tutorial. The steps are quite similar as Windows. Only the application varies. To verify signatures in Windows we’ll be using Gpg4win. In Mac you need to use the popular PGP implementation GPG suite.
We’ll make a separate guide for Android, Linux and Tails OS.
Download:
- Windows Gpg4win: https://www.gpg4win.org/
- Mac GPG suite: https://gpgtools.org/
1. Download and Install Gpg4win
Go ahead and download Gpg4win to your Windows PC. Once downloaded you need to check the integrity of the downloaded file.
It is optional but it is better that you verify it before installing.
To verify whether the copy of your Gpg4win is authentic you don’t need to verify its signatures. Because to do so we need to install Gpg4win. Instead you can just verify the installers hash value which you can find it here: https://gpg4win.org/package-integrity.html
Refer to this guide if you are not sure how to verify SHA256 checksum.
Alright! Once you have checked the integrity of the downloaded gpg4win installer go ahead and install it.
When installing uncheck all other components except Kleopatra.
Kleopatra is a universal crypto GUI and a certificate manager. You can create and manage OpenPGP certificates.
Once this installation wizard is complete Kleopatra should launch automatically. If not then go to the installation directory Gpg4win >> bin and open kleopatra.exe.
Now leave that open and start downloading the electrum wallet and its PGP (Pretty Good Privacy) signature.
2. Download Electrum installer &signature
Go ahead and now download electrum executables to your PC. It can be portable version, windows installer or a standalone executable.
Whichever you download make sure you also download the appropriate PGP signature which is available next to it.
Tip: Right click the signature and click save link as. Save the signature to the same directory as the installer.
Now you should have two files. The wallet application and the open PGP text file.
For example if you downloaded electrum-4.0.4-portable.exe then you should also have electrum-4.0.4-portable.exe.asc.
Don’t install or open electrum yet! We are yet to verify the signature.
3. Obtain ThomasV Public GPG key
To verify the electrum signature you need the public GPG key for ThomasV
ThomasV (Thomas Voegtlin) is the founder and the lead developer of Electrum wallet. Electrum binaries are signed with ThomasV’s public key.
So to verify the signature you need to import the public key of ThomasV.
You can find ThomasVs gpg / pgp public key linked here at https://electrum.org/#download at the top.
You can also find it here: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc
Right click the link and save link as ThomasV.asc file to the same directory where you have already downloaded electrum exe and the signature file.
Alright! Now you have the executable file, its signature and the author’s PGP public key. Let’s now verify your electrum download.
Verify electrum download by verifying GPG signatures
First we need to import the public key of the signer.
1. Import developers PGP public key
Open Gpg4win’s signature / certificate utility Kleopatra.
Now go to file >> import and open ThomasV.asc file.
Once the public key is imported a popup window will open with the following message:
“In order to mark the certificate as valid (green) it needs to be certified.
Certifying means that you check the Fingerprint.
Some suggestions to do this are:
A phone call to the person.
Using a business card.
Confirming it on a trusted website.”
Basically we need to check if the fingerprint is correct. Just click no and proceed to the next step.
2. Validating Fingerprint
Thomas Voegtlin’s PGP fingerprint:
- PGP fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
- Fingerprint without space: 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Valid source:
https://www.youtube.com/watch?v=7D83IpdiF-U
We need to now verify if this fingerprint matches with the public key which we just imported.
To do so right click the developers imported certificate on Kleopatra and click details. At the bottom you should see the fingerprint.
If it matches with the one shared about then the key is legitimate. Now let’s verify the wallet signature.
3. Verify wallet signature
To verify the signature click on Decrypt / Verify on the Kleopatra toolbar. Now navigate to wallet folder and either open the .exe file or the .asc file.
Kleopatra will now verify both the files and produce results.
After successful verification you should see the following window.
All operations completed:
verified ‘electrum.4.0.4-setup.exe’ with ‘electrum.4.0.4-setup.exe.asc’: The data could not be verified.
Signature created on Thursday, October 15, 2020 11:51:39 PM
With certificate:
Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org> (2BD5 824B 7F94 70E6)
The used key is not certified by you or any trusted person.
Note: The version number and the date may vary on your end.
Also do not worry about the bold text that says “The data could not be verified”. It simply means that you haven’t manually trusted ThomasV’s key which we’ll show in next step.
You can safely ignore this warning message. What matters is the fingerprint.
Click on show audit log and you should see the primary key fingerprint. If it matches then it is a valid signature. You’ve verified your electrum download and you can now safely install or update the wallet.
For example if the signature is invalid then after verification Kleopatra will warn you with a big red message like this with the following message:
The signature is invalid: Bad signature
Optional: Certifying the developer’s key
Now that you’ve validated signature and verified fingerprint you can go ahead and trust the electrum developer’s public key.
To do so right click the certificate and click certify.
You should see the following message:
To certify other certificates, you first need to create an OpenPGP certificate for yourself.
Do you wish to create one now?
Click Yes. Then enter your name, email and click create. Now you’ll be asked to enter the passphrase to protect your new key.
Choose a password and click create to successfully create a new key pair. Once done, click finish and click certify. Enter the password again and you’ll see a message that says certified.
You’ve successfully certified ThomasV’s public key.
Now if you decrypt / verify electrum file you’ll get the following message:
Verified:
Valid signature by thomasv@electrum.org
The signature is valid and the certificate’s validity is fully trusted.
That’s it! You’ve successfully verified the signature of your electrum wallet. You are good to install.
Note: The key which you created for yourself is your personal key.
Next time when you download or update electrum you don’t have to import ThomasV’s public key again as you’ve already imported and validated the certificate.
Just check for valid signature. That’s all it matters.
Also in future Thomas V may not be the maintainer of electrum client. In which case you need to import the public key of the developer whoever is maintaining the project.
Hope you’ve learned how to verify GPG signatures and you now know how to check electrum download is legit.
This is exactly how you verify signatures for basically any software. It is essential that you verify digital signatures before installing any software.
Hi. After importing the asc file (downloaded as described here, right-click etc.), I get this message:
Detailed results of importing C:\…\electrum-4.0.9-setup.exe.asc:
Total number processed: 0
Imported: 0
After I click OK, I don’t get the prompts that you described in your instructions.
I downloaded both the standalone and setup version for Windows, with the same result.
Any idea how to change that?
I’ve been using Kleopatra before for other tasks than PGP signature checking, it worked fine.
Where can I find the Linux guide for signature check?