How To Verify The Integrity Of Electrum Wallet Executable On Windows?

in #bitcoin, 7 years ago

When you install a program on your computer, there is always a risk that it has been compromised. This could happen for various reasons. We can classify those risks into 2 categories:

  • Integrity: Has the software been altered in any way, compared to the author's original version? Between the download server and your computer, an attacker could have modified the stream of bits on the fly and injected a virus into the program.
  • Authenticity: Is the author of the software really the person he/she claims to be? For example, there are phishing websites which pretend to be another organisation or person. Users download software from those websites, thinking they are dealing with an official, safe organization. However, they are infecting their computers with malware.

Fortunately, thanks to modern cryptography, we can protect ourselves against both of those risks. PGP is a private/public key system that was created by a private company in the 1990s. OpenPGP is a public standard for PGP. There are a couple of open source implementations based on the OpenPGP standard. GPG4Win is one of those implementations, built for Windows.

Let's learn how to use GPG4Win to make sure we download the real, safe version of the Bitcoin Electrum Wallet, with the following steps:

  1. Install GPG4Win
  2. Download Electrum Installer & PGP Signature
  3. Open Windows Command Line
  4. Import Author PGP Public Key
  5. Check Executable PGP Signature

1. Install GPG4Win

It can be downloaded from this link. Once downloaded, you can click on it to install it. You can pick all options during the install process.

2. Download Electrum Installer & PGP Signature

  1. Electrum can be downloaded from the official electrum.org website on this link. Select the Windows Installer. DON'T INSTALL YET, just download it. We need to check that the executable is safe first!
  2. The PGP signature of the executable can be seen by clicking on the signature link, next to the Windows installer, on the download page of the Electrum website. You need to copy this PGP signature into a file on your computer, preferably in the same directory as the installer. The suffix .asc is standard for PGP signatures. .asc.txt also works. For example, when I wrote this article, Electrum was at version 2.9.3, so I called my PGP signature file electrum-2.9.3-setup.exe.asc.txt.

3. Open Windows Command Line

To open the Windows command line, you can press Windows key + R, then Enter. Navigate to your download directory with the cd command. For example, if you run Windows 8 and your user is bob, your download directory will be C:\Users\bob\Downloads. In this case, you would type:

cd C:\Users\bob\Downloads

4. Import Author PGP Public Key

At the top of the download page of the Electrum website, you will see a line reading:
Sources and executables are signed by [Someone name here]
Click the link to the right of this line. It will show you details of the author's PGP public key, including the keyId. Copy this keyId. (For example, at the time of writing this article, it was signed by Thomas V, and its keyId is 7F9470E6.)

In the Windows command line, type this, replacing [keyId] with the keyId you found before:

gpg --keyserver pool.sks-keyservers.net --recv-keys [keyId]

A successful import will look like this:

gpg: requesting key 695506FD from hkp server pool.sks-keyservers.net
gpg: key 695506FD: public key "Animazing <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

5. Check Executable PGP Signature

Replace [name-of-installer-signature] with the name of the file you created in step 2, and [name-of-installer] with the name of the installer you downloaded:

gpg --verify [name-of-installer-signature] [name-of-installer]


In my case, I called the signature file electrum-2.9.3-setup.exe.asc.txt, and I downloaded the installer electrum-2.9.3.setup.exe, so my command was:

gpg --verify electrum-2.9.3-setup.exe.asc.txt electrum-2.9.3.setup.exe


If it worked, you should see:

Good signature from ...


Congrats, the executable you downloaded is safe to use!
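
An added example, not part of the original article: "Good signature" only says the file was signed by some key in your keyring, and short key IDs like the one used in step 4 can collide, so this Python code reads gpg's machine-readable `--status-fd` output and accepts the installer only when the signing key's full 40-digit fingerprint matches the one you expect. Assumptions: `gpg` is on the PATH, the function names are illustrative, and the fingerprint and status lines in the sample are constructed placeholders, not Electrum's real key.

```python
import subprocess

# gpg status keywords that mean the signature must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def normalize(fpr):
    """Strip spaces, upper-case, and insist on a full 40-hex-digit fingerprint."""
    fpr = "".join(fpr.split()).upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("need the full 40-hex-digit fingerprint, not a short key ID")
    return fpr

def signed_by(status_text, expected_fpr):
    """True only if gpg reported a good signature made by the expected key."""
    want = normalize(expected_fpr)
    good = matched = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, fields = parts[1], parts[2:]
        if keyword in FATAL:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and fields:
            # fields[0] is the signing (sub)key, fields[-1] the primary key.
            matched = matched or want in (fields[0], fields[-1])
    return good and matched

def verify(installer, signature, expected_fpr):
    """Run gpg (assumed to be on PATH, as after installing GPG4Win) and check it."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, installer],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signed_by(proc.stdout, expected_fpr)

# Constructed sample of gpg status output; the fingerprint is a made-up placeholder.
PLACEHOLDER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {PLACEHOLDER_FPR} 2017-10-01 1506816000 0 4 0 1 8 00 "
    f"{PLACEHOLDER_FPR}\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"

if __name__ == "__main__":  # prints: True False
    print(signed_by(SAMPLE_GOOD, PLACEHOLDER_FPR), signed_by(SAMPLE_BAD, PLACEHOLDER_FPR))
```

To check real files, call `verify()` with the installer name, the signature file name and the full fingerprint of the author's key, obtained from a source you trust.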


Thank you. Just a few comments to help other users:

  1. Do not use elevated command line.
  2. Replace pgp with gpg.
