GPG Signature: Verify that your crypto wallet update is genuine - #CryptoTrading

Published in Technical · Labeled as Tech ·

How to do GPG signature verification and checksum verification: A step by step guide on verifying the integrity of crypto wallets, trading apps and other software you download.

This article is about PGP signatures, used to verify that you downloaded a genuine copy of a piece of software. For a guide on how to sign or verify a message in Electrum wallet, go here.

In this guide we look at why you should learn how to verify GPG signatures and how GPG signature verification differs from checksum verification.

In the last section of this article, there is a step-by-step guide on how to verify GPG signatures on Mac or Linux. It uses Electrum wallet as an example.

Checksum vs GPG Signature

GPG Signatures: Why are digital signatures important

A GPG signature is a digital signature made by someone who owns a private GPG key.

A GPG signature is therefore proof that the files you downloaded have been signed by the owner of that GPG key.

Verifying GPG signatures will enhance your security. If you do that, you are making sure the software you’re downloading was put up online by the organisation tied to a GPG key.

Typically, developers do not change their GPG key often and they store it safely - just like you store your crypto wallet seed phrases.

If a hacker gains access to a website that provides crypto wallets, they can replace the installer files but they will not be able to recreate the GPG signature. When you download those files, your GPG verification will fail and you will know that you must not install that software.


Checksum is not a security feature

If you download open source software, you may have noticed that the developer sometimes provides a checksum alongside the installer files.

This is a common practice in software development especially if the installer file you have to download is a large file. You will also get a checksum for images used for virtual machines.

A checksum is a hash of a file. You can take a 2GB file, quickly run a hashing function on it and the output will always be just a short string, no matter how big the file is.

If you download a large file and the hash the developer provided with it, you can then run a hashing function on the big file yourself. If its result matches the hash provided by the developer, you know that the download succeeded and the big file is not corrupted. And that’s all you should use it for.

Checksum verification is not a security practice. If an attacker gets access to a download page and replaces a download file, they will also replace its checksum.

Step by step guide by example

Verify Electrum wallet GPG signature on Mac and Linux

We are going to walk you through GPG signature verification using Electrum, a popular OG bitcoin wallet, as the example.

You will need to use the command line for this, but all the commands are listed and explained below.

Scammer Alert: Always download Electrum from the official downloads page, electrum.org/#download. Electrum provides installers for all common operating systems, along with their GPG signatures.

Signature Verification Step by step

  1. Download Electrum from the official website, electrum.org. You will need both the installer and the GPG signature file.
  2. Open your Terminal and install the package that can verify GPG signatures. On Mac that will be
       brew install gnupg
     and on Linux
       apt install gnupg
     This is really the fastest, easiest and safest way.
  3. Look up the GPG keys tied to the domain electrum.org. You do that like this:
       gpg --locate-keys electrum.org
     There should only be a single answer. The true Electrum GPG key was published in 2011, which you should see in the pub line of the output.
  4. Save this key to your computer. The key_id is a code-like string just below the date of publishing. It will start with something like 66AB….
       gpg --output ~/btc.keyring --export <key_id>
     You now have a new file at ~/btc.keyring.
  5. Change to the folder where you have your Electrum installer. You’ve also got its GPG signature file there. That’s the file that ends with .asc.
  6. Verify that they match the Electrum GPG key you downloaded:
       gpgv --keyring ~/btc.keyring ./<electrum-installer>.asc ./<electrum-installer>
     The output should say “Good signature”.

That’s it!

If you followed all the steps above and got a Good signature, you can safely install the Electrum wallet.
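Steps 5 and 6 can also be scripted so that the decision comes from gpgv's machine-readable status lines and a pinned full fingerprint, rather than from reading the output for “Good signature” by eye. This is an added example, not code from the original article or from the Electrum project; the function names and the fingerprint argument are assumptions, and the fingerprint has to be obtained by the caller from a source other than the download page.

```shell
#!/bin/sh
# Added example (not from the original article). The fingerprint is supplied
# by the caller; no real Electrum fingerprint is embedded here.

# check_status FINGERPRINT
# Reads `gpgv --status-fd` lines on stdin. Returns 0 only if a VALIDSIG line
# names the pinned 40-hex-digit fingerprint and no signature was reported as
# bad, expired, or made by an expired or revoked key.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2   # refuse short key IDs such as 66AB...
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Hard failures: tampered data, expired signature, expired or revoked key.
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last field is
        # the primary key fingerprint. Either may be the pinned one.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        # ERRSIG / NO_PUBKEY (a signature by a key that is not in the keyring)
        # is ignored: it says nothing about the pinned key.
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download KEYRING SIGFILE FILE FINGERPRINT
# KEYRING is the file exported in step 4; pass it with a path (e.g. ~/btc.keyring)
# so gpgv does not look for it in its home directory.
verify_download() {
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" | check_status "$4"
}
```

Call it as `verify_download ~/btc.keyring ./<electrum-installer>.asc ./<electrum-installer> <full-fingerprint>`; an exit status of 0 means the pinned key produced a valid signature over the file.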
