How to verify your Electrum download

After you download Electrum it is important to verify the download, so that what you are about to run is the genuine release and not malware dressed up as Electrum. The way to do that is to verify the GPG signature made by the maintainer, Thomas Voegtlin, and to check that the key that made it has the fingerprint published for him. Here’s how you do that on various platforms.

Windows

  1. Start by downloading GPG4Win and then install it. When installing you only need the Kleopatra component, so you can skip the other things included with the software.
  2. Download Electrum and also the signature for the file you downloaded. Save both to the same folder.
  3. Run Kleopatra by double clicking on its icon on the desktop. Then click on “Lookup on Server” on the toolbar and enter Thomas’ GPG public key fingerprint: 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 . It should return only one result. Click on that and then click on Import at the bottom of the window. Before relying on this fingerprint, compare it with the one published on electrum.org; the whole check is only as good as the fingerprint you start from.
  4. Click on Decrypt/Verify on the toolbar. A file open dialog box will appear. Navigate to the folder where you saved the Electrum download files and select the signature file. In the Windows 10 file dialog box it should have a type of “OpenPGP Text File”.

    (Screenshot: Select the signature file)
  5. Once the signature has been successfully verified you should see this result in the window:
    (Screenshot: Valid Signature)

    Don’t worry about the text in bold about data not verified. Kleopatra shows that because you have not certified Thomas’ key yourself, so it has no web-of-trust information about it; it is not a problem with the file. What matters is that it says the signature was created with the certificate of ThomasV, and that the certificate it names is the one with the fingerprint you imported above. A signature from a different key that merely carries the name Thomas Voegtlin proves nothing.

    For the record, an invalid signature looks like this, and you should not install the download if you see it:

    (Screenshot: Invalid Signature)

Linux

On Linux GPG (GnuPG) is installed by default on most distributions, so you can do the verification on the command line. Open up a terminal app and download Thomas’ public key:

thomasv_pubkey="0x6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"
gpg --keyserver pgp.mit.edu --recv-keys $thomasv_pubkey

If that keyserver is down try another one (for example keys.openpgp.org or keyserver.ubuntu.com). A keyserver only distributes keys, it does not vouch for them, so as long as you compare against the correct fingerprint given above it doesn’t matter which key server you download from. What does matter is that the fingerprint itself is right: check it against the one published on electrum.org rather than trusting this page alone.

To verify the files, place both the tarball and the signature in the same directory, cd to that directory and verify like so:

gpg --verify sigfile.asc tarball.tar.gz

Replace sigfile.asc and tarball.tar.gz as appropriate. You should get a result like this:

gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

You are good to go as long as it says Good signature from Thomas and the Primary key fingerprint line matches the fingerprint above exactly. (The “RSA key 2BD5824B7F9470E6” shown earlier in the output is only the last 16 hex digits of that fingerprint; compare the full fingerprint line, not just the name.) The WARNING at the bottom only means that you have not certified the key in your own web of trust, which is expected here, so you can ignore it. If gpg instead prints BAD signature, or Good signature from a key whose fingerprint differs, do not install the download.
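The manual check above depends on reading gpg’s human-readable output and remembering to compare the fingerprint rather than the name. As an added example (not part of the original guide and not Electrum’s own tooling), here is the same decision scripted so that it cannot be fooled by a look-alike key: it feeds gpg’s machine-readable `--status-fd` lines to a checker that accepts the file only when there is a GOODSIG and the VALIDSIG line names the expected fingerprint. `--status-fd`, `--batch` and the `[GNUPG:] GOODSIG` / `VALIDSIG` / `BADSIG` line formats are real GnuPG behaviour; the sample status lines embedded below are constructed for the demonstration (the dates and timestamps are made up, the fingerprint is the one from this guide), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: verify an Electrum download by
# checking gpg's machine-readable status output instead of eyeballing its
# human text. The point is to compare the signing key's FINGERPRINT, not the
# name on it: anyone can create a key that says "Thomas Voegtlin".

# Fingerprint from the guide above. Cross-check it against electrum.org.
THOMASV_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# check_sig_status EXPECTED_FPR
# Reads "[GNUPG:] ..." status lines on stdin. Exits 0 only for a good
# signature made by EXPECTED_FPR (either as the signing key itself or as the
# primary key of a signing subkey). Exits 1 for BADSIG/ERRSIG/NO_PUBKEY, or
# for a good signature from any other key. Spaces and a leading "0x" in
# EXPECTED_FPR are tolerated, so the spaced form gpg prints can be pasted in.
check_sig_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        $2 == "VALIDSIG" {
            # VALIDSIG fields: $3 = signing key fpr, $12 = primary key fpr (if present)
            signer  = toupper($3)
            primary = (NF >= 12) ? toupper($12) : signer
            if (signer == want || primary == want) fprok = 1
        }
        END { if (good && fprok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIGFILE DATAFILE [EXPECTED_FPR]
# Runs gpg on a detached signature; the key must already be imported, as in
# the guide. Status lines go to stdout for the checker, while gpg's normal
# text still goes to stderr so you can read it as well.
verify_download() {
    sig=$1; data=$2; fpr=${3:-$THOMASV_FPR}
    gpg --batch --status-fd 1 --verify "$sig" "$data" | check_sig_status "$fpr"
}

# Constructed sample of what gpg emits for a good ThomasV signature.
sample_good_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2020-01-01 1577836800 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample of a GOOD signature from a look-alike key: same name,
# different fingerprint. A name-based check would accept this; ours must not.
sample_lookalike_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Thomas Voegtlin (https://electrum.org)
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF 2020-01-01 1577836800 0 4 0 1 10 00 FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

if [ "$#" -ge 2 ]; then
    # Real use: ./verify.sh Electrum-x.y.z.tar.gz.asc Electrum-x.y.z.tar.gz
    verify_download "$1" "$2" "$3" && echo "OK: good signature from the expected key" || echo "REJECT: do not install"
else
    # Offline demonstration on the constructed samples.
    sample_good_status      | check_sig_status "$THOMASV_FPR" && echo "sample good signature: accepted"
    sample_lookalike_status | check_sig_status "$THOMASV_FPR" || echo "sample look-alike signature: rejected"
fi
```

Run it with the signature file and the tarball as arguments after importing the key as described above; with no arguments it just exercises the checker on the constructed samples. The checker deliberately treats a GOODSIG from the wrong fingerprint exactly like a BADSIG, which is the failure mode a name-only check misses.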

Android

On Android, if you install Electrum from the Play Store, the store checks the app’s signature against the developer’s signing key before installing it, so you don’t have to do anything. That check only covers Play Store installs, not an APK you downloaded from somewhere else.

Mac OS

Instructions for Mac are given on Bitzuma. If you already have gpg installed on macOS (for example via GPG Suite or Homebrew), the Linux command-line steps above work unchanged.