How to verify your Electrum download

It’s important that after you download Electrum you verify it, to make sure that it is the real deal and not malware. The way to do that is to verify the GPG signature made by the maintainer, Thomas Voegtlin. Here’s how you do that on the various platforms.

Windows

  1. Start by downloading GPG4Win and then install it. When installing you only need the Kleopatra component, so you can skip the other things included with the software.
  2. Download Electrum and also the signature for the file you downloaded. Save both to the same folder.
  3. Run Kleopatra by double-clicking its icon on the desktop. Then click on “lookup on server” on the toolbar and enter Thomas’ GPG public key fingerprint: 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6. It should return only one result. Click on that and then click on import at the bottom of the window.

    If looking up the key via its fingerprint does not work, download Thomas’ key from GitHub instead, save it somewhere convenient and use the import button on the main Kleopatra window to import it. This should create a new entry for Thomas’ key. Right-click on that, click details and verify that the fingerprint matches 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6.

  4. Click on Decrypt/verify on the toolbar. A file open dialog box will appear. Navigate to the folder where you saved the Electrum download files and select the signature file. In the Windows 10 file dialog box it should have a type of “OpenPGP Text File”.

    (Screenshot: selecting the signature file)
  5. A new window will pop up with the verification results. Click on “gpg audit” in that window to see the results from gpg. There are three signatures in the signature file you downloaded. You need only verify one developer’s signature; in our case that is Thomas’. It should say good signature from Thomas in the gpg audit log. Don’t worry about the warning. What matters is that it says that the signature was created with the certificate of ThomasV.

    (Screenshot: for the record, an invalid signature looks like this; it should say invalid signature.)

Note that the next time you want to verify an Electrum download you can skip step 3, since you already have Thomas’ key in your keyring.

Linux

On Linux you can use this script to do the download, verification and install for you. Download it and run it with the version of Electrum you want to install:

wget https://github.com/AbdussamadA/electrum-install/raw/master/electrum-install
chmod +x electrum-install
./electrum-install 3.3.4 #replace 3.3.4 with the version of electrum you want to install

The script will only offer to install Electrum for you if the GPG signature checks out.
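As an added example (not the post’s own instructions and not the electrum-install script), here is a POSIX shell check that does what steps 3 to 5 above do by hand: it reads gpg’s machine-readable status output and only accepts the download when a VALIDSIG line names ThomasV’s primary-key fingerprint from the post, so a “good signature” from some other key is not enough. The sample status lines and the user ID in them are constructed; the file names in verify_sig are whatever you downloaded.

```shell
#!/bin/sh
# Added example, not part of the original post or the electrum-install script.
# Fingerprint of ThomasV's key as given in the post.
THOMASV_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# check_status <text of gpg --status-fd output>
# gpg emits one status line per event, e.g.
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk-algo> <hash> <class> <primary-key-fpr>
#   [GNUPG:] GOODSIG <long-keyid> <user id>
#   [GNUPG:] BADSIG  <long-keyid> <user id>
# The last field of VALIDSIG is the primary key fingerprint, which is the value
# the post tells you to compare. Returns 0 only if ThomasV's key made a valid
# signature and no signature in the file was reported BAD.
check_status() {
    printf '%s\n' "$1" | awk -v want="$THOMASV_FPR" '
        $2 == "VALIDSIG" && $NF == want { found = 1 }
        $2 == "BADSIG"                  { bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }'
}

# verify_sig <signature file> <downloaded file>
# Runs gpg on the detached signature. gpg itself may exit non-zero when the
# other two developers' keys are not in your keyring, so the exit code is
# ignored and only the status lines are inspected.
verify_sig() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null || true)
    check_status "$status"
}

# Usage, assuming the files were saved in the current directory:
#   verify_sig electrum-3.3.4.tar.gz.asc electrum-3.3.4.tar.gz && echo "OK: signed by ThomasV"
```

The fingerprint comparison is the whole point: gpg’s “good signature” only means the signature matches whatever key it was made with, and the trust warning the post mentions is about your keyring, not about the file.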

Android

On Android all downloads are verified by the Play Store, so you don’t have to do anything.

Mac OS

Instructions for Mac are given on Bitzuma.