This is the way: Don’t trust, verify…
After you have downloaded the Electrum wallet from Electrum.org, it's very important that you check it to make sure it's genuine software and not malware. Verifying the GPG signatures of the maintainers Thomas Voegtlin (ThomasV), SomberNight and Emzy is one technique to do so.
This is the way on Linux:
- Download the software (AppImage in this case) from electrum.org
- Download the public keys of ThomasV, SomberNight and Emzy from electrum.org:
- Then you have to import the keys:
gpg --import ThomasV.asc
gpg --import sombernight_releasekey.asc
gpg --import Emzy.asc
- Then you have to download the signature of the software (AppImage in this case):
- Then you have to verify the software:
gpg --verify electrum-4.2.1-x86_64.AppImage.asc electrum-4.2.1-x86_64.AppImage
In general: gpg --verify (electrum file.asc) (electrum file)
The message should say:
Good signature from “Thomas Voegtlin (https://electrum.org) email@example.com
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
You can ignore this:
WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
as it simply means you have not established a web of trust with other GPG users.
ThomasV's fingerprint appears in a YouTube video in which ThomasV speaks with his fingerprint displayed behind him. So now you know that the fingerprint is genuine.
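The fingerprint comparison above can be done by a script instead of by eye. This is an added example, not code from electrum.org: it reads gpg's machine-readable `--status-fd` output and accepts the file only if a valid signature comes from the expected primary key. The function names and the sample status lines are made up for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of Electrum or GnuPG.

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real capture).
SAMPLE_STATUS='[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (constructed sample)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2022-03-27 1648390000 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6'

# Normalise a fingerprint: strip spaces and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg status lines on stdin. Succeed only if no signature is bad or made
# by a revoked key, and at least one VALIDSIG line names the expected primary key.
status_has_valid_sig() {
    expected=$(normalize_fpr "$1")
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "REVKEYSIG") { bad = 1 }
        # VALIDSIG: field 3 is the signing key, the last field is the primary key.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIGFILE DATAFILE FINGERPRINT
# gpg's own exit code is ignored on purpose: it is non-zero when the file also
# carries signatures from keys you have not imported.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_has_valid_sig "$3"
}

# Usage:
#   verify_release electrum-4.2.1-x86_64.AppImage.asc electrum-4.2.1-x86_64.AppImage \
#       "6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6" && echo "signature OK"
```

The script only automates the comparison; the fingerprint you pass in still has to come from a source you trust, such as the video mentioned above.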