How To Verify The Integrity Of Electrum Wallet Executable On Windows?
When you install a program on your computer, there are always risks it has been compromised. It could happen for various reasons. We can classify those risks into 2 categories:
- Integrity: Has the software been altered in any way, compared to the original version of the author? Between the download server and your computer, an attacker could have modified the stream of bits on the fly and injected a virus into the program.
- Authenticity: Is the author of the software really the person he/she claims to be? For example, there are phishing websites which pretend to be another organisation or person. Users download software from those websites, thinking they are dealing with an official, safe organization. However, they are infecting their computers with malware.
Fortunately, thanks to modern cryptography we can protect ourselves against both those risks. PGP is a private/public key system that was created by a private company in the 90's. OpenPGP is a public standard for PGP. There are a couple of open source implementations based on the OpenPGP standard. GPG4Win is one of those implementations, built for Windows.
Let's learn how to use GPG4Win to make sure we download the real, safe version of the Bitcoin Electrum Wallet, with the following steps:
- Install GPG4Win
- Download Electrum Installer & PGP Signature
- Open Windows Command Line
- Import Author PGP Public Key
- Check Executable PGP Signature
1. Install GPG4Win
It can be downloaded on this link. Once downloaded, you can click on it to install it. You can pick all options during the install process.
2. Download Electrum Installer & PGP Signature
- Electrum can be downloaded on the official electrum.org website on this link. Select the Windows Installer. DON'T INSTALL YET, just download it. We need to check the executable is safe first!
- The PGP signature of the executable can be seen by clicking on the signature link, next to the Windows installer, on the download page of the electrum website. You need to copy this PGP signature into a file on your computer, preferably in the same directory as the installer. The suffix .asc is standard for PGP signatures. .asc.txt works also. For example, when I wrote this article, electrum was at version 2.9.3, so I called my PGP signature file electrum-2.9.3-setup.exe.asc.txt.
3. Open Windows Command Line
To open the Windows command line, you can press Windows key + r then enter . Navigate to your download directory with the cd command. For example, if you run Windows 8 and your user is bob, your download directory will be C:\Users\bob\Downloads. In this case, you would type:
cd C:\Users\bob\Downloads
4. Import Author PGP Public Key
At the top of the download page of the Electrum website you will see a mention reading:
Sources and executables are signed by [Someone name here]
Click the link on the right of this mention. It will show you details of the PGP public key of the author, including the keyId. Copy this keyId. (For example, at the time of writing this article, it was signed by Thomas V, and its keyId is 7F9470E6.)
In the Windows command line, type this, replacing [keyId] with the keyId you found before:
gpg --keyserver pool.sks-keyservers.net --recv-keys [keyId]
A successful add will look like this:
gpg: requesting key 695506FD from hkp server pool.sks-keyservers.net
gpg: key 695506FD: public key "Animazing <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
5. Check Executable PGP Signature
Replace [name-of-installer-signature] by the name of the file you created in step 2, and [name-of-installer] by the name of the installer you downloaded:
gpg --verify [name-of-installer-signature] [name-of-installer]
In my case, I called the signature file electrum-2.9.3-setup.exe.asc.txt, and I downloaded the installer electrum-2.9.3-setup.exe, so my command was:
gpg --verify electrum-2.9.3-setup.exe.asc.txt electrum-2.9.3-setup.exe
If it worked, you should see:
Good signature from ...
Congrats, the executable you downloaded is safe to use!
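Reading "Good signature from ..." by eye does not tell you which key made the signature, and an 8-character keyId like the one in step 4 is short enough for two different keys to share it. The script below is an added example (not part of the original article, and not Electrum's or GnuPG's own code): it reads gpg's machine-readable --status-fd output and accepts the file only when the signature is valid and was made by the full 40-digit fingerprint you expect, which gpg --fingerprint [keyId] displays. The function names, fingerprints and status lines in it are constructed for illustration.

```python
import subprocess

# Any of these status keywords means the signature must be rejected (strict:
# one failing signature rejects the file, even if another one is valid).
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, expected_fpr):
    """Return (ok, reason) for gpg --status-fd output and a full fingerprint."""
    expected = expected_fpr.replace(" ", "").upper()
    if len(expected) != 40:
        return False, "expected fingerprint must be 40 hex digits"
    valid_fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # First field: signing (sub)key fingerprint; last: primary key's.
            valid_fprs.update({args[0].upper(), args[-1].upper()})
    if not valid_fprs:
        return False, "no VALIDSIG line"
    if expected not in valid_fprs:
        return False, "signed by unexpected key"
    return True, "VALIDSIG from expected key"

def verify_file(sig_path, file_path, expected_fpr):
    """Run gpg (must be on PATH, key already imported) and check its status."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, expected_fpr)

# Constructed sample data, not a real gpg run: two made-up fingerprints that
# share the short key ID DEADBEEF (their last 8 hex digits).
EXPECTED = "A" * 32 + "DEADBEEF"
LOOKALIKE = "B" * 32 + "DEADBEEF"
SAMPLE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAADEADBEEF Constructed Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {EXPECTED} 2017-01-01 1483228800 0 4 0 1 8 00 {EXPECTED}\n"
)

if __name__ == "__main__":
    print(check_status(SAMPLE, EXPECTED))
    print(check_status(SAMPLE.replace(EXPECTED, LOOKALIKE), EXPECTED))
```

On a real download you would call verify_file with the signature file, the installer and the author's full fingerprint obtained from a source you trust.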
Thank you. Just a few comments to help other users: