It’s important that after you download Electrum you verify it to ensure that it is the real deal and not some malware. The way to do that is to verify the GPG signature of the maintainer Thomas Voegtlin. Here’s how you do that on various platforms.
- Start by downloading GPG4Win and then install it. When installing, you only need the Kleopatra component, so you can skip the other things included with the software.
- Download Electrum and also the signature for the file you downloaded. Save both to the same folder.
- Run Kleopatra by double clicking on its icon on the desktop. Then click on “lookup on server” on the toolbar and enter Thomas’ GPG public key fingerprint: 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6. It should return only one result. Click on that and then click on import at the bottom of the window.
- Click on Decrypt/verify on the toolbar. A file open dialog box will appear. Navigate to the folder where you saved the Electrum download files and select the signature file. In the Win 10 file dialog box it should have a type of “OpenPGP Text File”.
- Once the signature has been successfully verified you should see this result in the window:
Don’t worry about the text in bold about data not verified. What matters is that it says that the signature was created with the certificate of ThomasV.
For the record an invalid sig looks like this:
On Linux you can use this script to do the download, verification and install for you. Download it and run it with the version of Electrum you want to install:

```bash
wget https://github.com/AbdussamadA/electrum-install/raw/master/electrum-install
chmod +x electrum-install
./electrum-install 3.3.4  # replace 3.3.4 with the version of Electrum you want to install
```
The script will only offer to install Electrum for you if the GPG signature checks out.
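To run the same kind of check by hand with `gpg`, the sketch below accepts a download only when a good signature comes from the fingerprint given above, rather than from any key that carries the right name. It is an added example, not the electrum-install script or code from the Electrum project; the function names `signed_by_expected` and `verify_download` are made up for illustration, and it assumes `gpg` is installed and can fetch keys from its configured keyserver.

```shell
#!/usr/bin/env bash
# Added example: pin the signer to the fingerprint from this page, not to a name.
EXPECTED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a signature reported as GOODSIG (not expired, revoked,
# bad or unverifiable) has a VALIDSIG line naming EXPECTED_FPR as the
# signing key (field 3) or as its primary key (last field).
signed_by_expected() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" ||
        $2 == "BADSIG" || $2 == "ERRSIG" { good = 0 }
        $2 == "VALIDSIG" && good &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !ok }'
}

# verify_download FILE SIG: import the key if it is missing, then verify.
# The result comes from the parsed status lines, so a signature file that
# also carries signatures from keys you have not imported does not
# mask the one you are checking for.
verify_download() {
    gpg --list-keys "$EXPECTED_FPR" >/dev/null 2>&1 ||
        gpg --recv-keys "$EXPECTED_FPR" || return 2
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by_expected
}

# Run as: ./verify.sh <downloaded-file> <signature-file>
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: good signature from $EXPECTED_FPR"
    else
        echo "FAILED: no good signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```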
On Android, all downloads are verified by the Play Store, so you don’t have to do anything.
Instructions for Mac are given on Bitzuma.