How to verify your desktop crypto wallet is genuine - #CryptoTrading

How to do GPG signature verification and checksum verification: A step by step guide on verifying the integrity of crypto wallets, trading apps and other software you download.

In this guide we are going to look at why you should learn how to verify GPG signatures and at the difference between GPG signature verification and checksum verification.

In the last section of this article, there is a step-by-step guide on how to verify GPG signatures on Mac or Linux. It uses Electrum wallet as an example.

Checksum vs GPG Signature

GPG Signatures: Why are digital signatures important

A GPG signature is a digital signature that can only be made by someone who holds a private GPG key.

A GPG signature is then a proof that the files you downloaded have been signed by the owner of the GPG key.

Verifying GPG signatures will enhance your security. If you do that, you are making sure the software you’re downloading was put up online by the organisation tied to a GPG key.

Typically, developers do not change their GPG key often and they store it safely - just like you store your crypto wallet seed phrases.

If a hacker gains access to a website that provides crypto wallets, they can replace the installer files but they will not be able to recreate the GPG signature. When you download those files, your GPG verification will fail and you will know that you must not install that software.

Learn how to verify GPG signatures here:

Checksum is not a security feature

If you download open source software, you may have noticed that the developer sometimes provides a checksum alongside the installer files.

This is a common practice in software development especially if the installer file you have to download is a large file. You will also get a checksum for images used for virtual machines.

A checksum is a hash of a file. You can take a 2GB file, quickly run a hashing function on it and the output will always be just a short string, no matter how big the file is.

If you download a large file and the hash the developer provided with it, you can then run a hashing function on the big file yourself. If its result matches the hash provided by the developer, you know that the download succeeded and the big file is not corrupted. And that’s all you should use it for.

Checksum verification is not a security practice. If an attacker gets access to a download page and replaces a download file, they will also replace its checksum.

Step by step guide by example

Verify Electrum wallet GPG signature on Mac and Linux

We are going to walk you through GPG signature verification using Electrum, a popular OG bitcoin wallet, as the example.

On the official downloads page, electrum.org/#download, the Electrum developer provides installers for all common operating systems with their GPG signatures.

  1. Download Electrum from the official website, electrum.org.

    Download both the installer and the signature file.

  2. Open your Terminal and install the GPG package.

    On Mac that will be brew install gnupg, on Linux apt install gnupg. This is really the fastest, easiest and safest way.

  3. Get the Electrum GPG key and check it’s the true key.

    Look up the GPG keys tied to the domain electrum.org: gpg --locate-keys electrum.org. There should only be one answer.

    The true Electrum GPG key was published in 2011, which you should see in the pub line of the output.

  4. Download this key. Copy the string just below the publish date and save the key to a file on your computer:

    gpg --output ~/btc.keyring --export 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

    This should create a file at ~/btc.keyring.

  5. Change to the folder into which you downloaded your Electrum installer and your signature (.asc) file.

    Verify that they match the GPG key: gpgv --keyring ~/btc.keyring ./<electrum-installer>.asc ./<electrum-installer>

    The output should look something like the following. It should definitely say the signature is good.

If you followed all the steps above and successfully verified the GPG signature, you can safely install the application.
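
Step 5 as a script, added here as an example and not part of the original article or of Electrum: it reads gpgv's machine-readable status lines and accepts the download only when the signature was made by the key exported in step 4. The helper names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Scripted form of step 5.
# Fingerprint of the key exported in step 4 (taken from the article).
EXPECTED_FPR=6694D8DE7BE8EE5631BED9502BD5824B7F9470E6

# check_status FPR: reads gpgv --status-fd lines on stdin. Succeeds only if a
# VALIDSIG line names FPR (as signing key or as primary key, the last field)
# and no signature was bad or made by an expired or revoked key.
check_status() {
    awk -v fpr="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_download KEYRING SIGFILE INSTALLER (hypothetical helper name).
# The verdict comes from the status lines, so the pipeline returns
# check_status's result rather than gpgv's own exit code.
verify_download() {
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed status output (user names, the second key and the timestamps
# are made up) for trying check_status without gpgv installed.
sample_good() {
    echo "[GNUPG:] GOODSIG 2BD5824B7F9470E6 Example Signer"
    echo "[GNUPG:] VALIDSIG $EXPECTED_FPR 2020-10-01 1601510400 0 4 0 1 8 00 $EXPECTED_FPR"
}
sample_tampered() {     # installer bytes changed after signing
    echo "[GNUPG:] BADSIG 2BD5824B7F9470E6 Example Signer"
}
sample_other_key() {    # valid signature, but not from the pinned key
    other=AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF
    echo "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else"
    echo "[GNUPG:] VALIDSIG $other 2020-10-01 1601510400 0 4 0 1 8 00 $other"
}
sample_missing_key() {  # keyring does not hold the signer's key
    echo "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1601510400 9"
    echo "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"
}

# Run as: sh verify.sh ~/btc.keyring ./<electrum-installer>.asc ./<electrum-installer>
if [ "$#" -eq 3 ]; then
    verify_download "$@" && echo "signature OK" || { echo "DO NOT INSTALL"; exit 1; }
fi
```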


