Now, you might be thinking “Why bother? Can’t I just trust the developers and download their precompiled binaries without any hassle?” Well, bro, that would be a big mistake! You see, in this day and age of cyber threats and malicious actors, it’s always better to err on the side of caution.
So let me walk you through the process step by step:
1. Before anything else, make sure you have GPG installed on your system. If not, head over to https://www.gnupg.org/ and download the appropriate version for your operating system. Once it’s installed, open up a terminal window (or command prompt if you’re using Windows) and type in:
```bash
# Check if GPG is installed by running the "gpg --version" command.
# If GPG is not installed, go to https://www.gnupg.org/ and download the appropriate version for your operating system.
gpg --version # This command checks the version of GPG installed on the system
# If GPG is installed, the response will include the version information.
# If GPG is not installed, the response will indicate that the command is not found.
```
This will show you which version of GPG is currently installed on your machine. If you see something like “gpg (GnuPG/MacGPG2) 2.1.16” or similar, then you’re good to go!
2. Next, head over to the official Electrum website and download the latest version of the software for your operating system. Make sure it matches the version number that is currently being signed by the developers (you can check this on their GitHub page).
3. Once you’ve downloaded the binary file, open up a terminal window again and navigate to the directory where you saved it. Then type in:
```bash
# This line uses the gpg command to verify the authenticity of the Electrum binary file.
# The first argument is the signature file (.asc) and the second argument is the binary file (.exe).
gpg --verify electrum-x.y.z.exe.asc electrum-x.y.z.exe
# This ensures that the binary file has not been tampered with and is from the developers.
# Make sure to replace x.y.z with the version number of the binary file you downloaded.
# You can check the version number on the developers' GitHub page.
# Once the verification is complete, you can proceed to use the binary file for installation.
# If the verification fails, do not proceed with the installation as it may be a malicious file.
# Instead, try downloading the binary file again or contact the developers for assistance.
```
Replace “x.y.z” in both file names with the actual version number of the binary file you downloaded, and make sure the command names both the binary (with its “.exe” extension if you’re using Windows) AND the corresponding signature file that ends in “.asc”.
4. If everything is set up correctly, GPG will now verify the digital signature on the binary file and display a message similar to this:
```bash
# This script is used to verify the digital signature of a binary file using GPG.
# It assumes that the binary file and its corresponding signature file are both present in the current directory.
# Prompt the user to enter the name of the binary file to be verified.
read -r -p "Enter the name of the binary file (including the .exe extension): " binary_file
# Prompt the user to enter the name of the signature file.
read -r -p "Enter the name of the signature file (including the .asc extension): " signature_file
# Verify the digital signature of the binary file using GPG.
# Report success only if gpg exits with status 0; file names are quoted so spaces are handled.
if gpg --verify "$signature_file" "$binary_file"; then
    echo "Digital signature successfully verified!"
else
    echo "Signature verification failed. Do not install this file." >&2
    exit 1
fi
# Expected output:
# gpg: Signature made Fri Apr 5 12:30:06 2019 UTC using RSA key ID EFCDABDE
# gpg: Good signature from "Electrum Developer <[email protected]>"
```
If you see something like this, then congratulations! Your binary file is safe to use and has not been tampered with by any malicious actors.
5. But wait, what if the signature doesn’t match? Or worse yet, what if there’s no signature at all?! In that case, you might want to consider downloading a precompiled binary from a different source or compiling it yourself using the official Electrum Git repository. Trust me, it’s worth the extra effort!
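A “Good signature” line only tells you that some key in your keyring signed the file, so it is worth checking which key it was. The script below is an added example (not from the original article or the Electrum project) that reads GPG's machine-readable status output and accepts a download only when the signature comes from a pinned fingerprint; `EXPECTED_FPR`, the function names and the sample status lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: accept a download only if it is signed by a pinned key.
# EXPECTED_FPR is a placeholder; obtain the real fingerprint from the
# developers' own channels and compare it over more than one source.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# check_status FINGERPRINT
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names the pinned key (as signing key or as its primary key) and no
# signature in the file is bad or made by an expired or revoked key.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($12) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned SIGNATURE_FILE BINARY_FILE
# Status lines go to stdout (fd 1); gpg's human-readable log is discarded.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample data (not a real key) so the parser can be tried offline.
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.invalid>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2019-04-05 1554467406 0 4 0 1 8 00 $SAMPLE_FPR"
}

# Run against real files only when two arguments are given.
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: valid signature from the pinned key"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

Run it as `EXPECTED_FPR="<fingerprint>" sh verify.sh electrum-x.y.z.exe.asc electrum-x.y.z.exe` (the script name is hypothetical) after importing the signer's public key.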