GPG Signature: Verify that your crypto wallet update is genuine - #CryptoTrading

Published in Technical · Labeled as Tech ·

How to do GPG signature verification and checksum verification: A step by step guide on verifying the integrity of crypto wallets, trading apps and other software you download.

This article is about PGP signatures, which are used to verify that you downloaded a genuine copy of a piece of software. For a guide on how to sign or verify a message in Electrum wallet, go here.

In this guide we are going to look at why you should learn how to verify GPG signatures and how GPG signature verification differs from checksum verification.

In the last section of this article, there is a step-by-step guide on how to verify GPG signatures on Mac or Linux. It uses Electrum wallet as an example.

Checksum vs GPG Signature

GPG Signatures: Why are digital signatures important

A GPG signature is a digital signature that can only be made by someone who holds the private GPG key.

A GPG signature is therefore proof that the files you downloaded have been signed by the owner of that GPG key.

Verifying GPG signatures will enhance your security. If you do that, you are making sure the software you’re downloading was put up online by the organisation tied to a GPG key.

Typically, developers do not change their GPG key often and they store it safely - just like you store your crypto wallet seed phrases.

If a hacker gains access to a website that provides crypto wallets, they can replace the installer files but they will not be able to recreate the GPG signature. When you download those files, your GPG verification will fail and you will know that you must not install that software.

Checksum is not a security feature

If you download open source software, you may have noticed that the developer sometimes provides a checksum alongside the installer files.

This is a common practice in software development, especially if the installer file you have to download is large. You will also get a checksum for images used for virtual machines.

A checksum is a hash of a file. You can take a 2GB file, quickly run a hashing function on it and the output will always be just a short string, no matter how big the file is.

If you download a large file and the hash the developer provided with it, you can then run a hashing function on the big file yourself. If its result matches the hash provided by the developer, you know that the download succeeded and the big file is not corrupted. And that’s all you should use it for.

Checksum verification is not a security practice. If an attacker gets access to a download page and replaces a download file, they will also replace its checksum.

Step by step guide by example

Verify Electrum wallet GPG signature on Mac and Linux

We are going to walk you through GPG signature verification using Electrum, a popular OG bitcoin wallet, as the example.

You will need to use the command line for this, but all the commands are listed and explained below.

Scammer Alert: Always download Electrum from the official downloads page, electrum.org/#download. Electrum provides installers for all common operating systems, along with their GPG signatures.

Signature Verification Step by step

  1. Download Electrum from the official website, electrum.org. You will need both the installer and the GPG signature file.
  2. Open your Terminal to install the package that can verify GPG signatures. On Mac that will be brew install gnupg, on Linux apt install gnupg. This is really the fastest, easiest and safest way.
  3. Look up the GPG keys tied to the domain electrum.org. You do that like this:
       gpg --locate-keys electrum.org
     There should only be a single answer. The true Electrum GPG key was published in 2011, which you should see in the pub line of the output.
  4. Save this key to your computer. The key_id is a code-like string just below the date of publishing. It will start with something like 66AB….
       gpg --output ~/btc.keyring --export <key_id>
     You now have a new file at ~/btc.keyring.
  5. Change to the folder where you have your Electrum installer. You’ve also got its GPG signature file there. That’s the file that ends with .asc.
  6. Verify that the installer and its signature match the Electrum GPG key you saved:
       gpgv --keyring ~/btc.keyring ./<electrum-installer>.asc ./<electrum-installer>
     The output should say “Good signature”.

That’s it!

If you followed all the steps above and got a Good signature, you can safely install the Electrum wallet.
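Step 6 can also be checked by a script instead of by reading the output. The following is an added example, not part of the original guide or of Electrum: it reads gpgv's machine-readable status lines (--status-fd) and accepts the download only if a valid signature names the key fingerprint you expect. The function names, the sample fingerprint and the sample status lines are constructed for illustration; the expected fingerprint is something you supply, ideally obtained from a source other than the download page.

```shell
#!/bin/sh
# Added example (not from the original guide): decide from gpgv status lines
# instead of looking for "Good signature" by eye.

# check_status EXPECTED_FPR   (reads `gpgv --status-fd 1` output on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the signing key or
# as its primary key, and no BADSIG line is present.
check_status() {
    # Accept fingerprints typed with spaces or in lower case.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2   # refuse to "match" an empty fingerprint
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        # Appending "" forces a string comparison, so two all-digit
        # fingerprints are never compared as (rounded) numbers.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_download KEYRING SIGNATURE FILE EXPECTED_FPR
# Same gpgv call as step 6, with status output piped into the check above.
# A missing gpgv or an unreadable file produces no VALIDSIG line and fails.
verify_download() {
    gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null | check_status "$4"
}

# Constructed sample data (not a real key or real gpgv output).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2021-05-01 1619827200 0 4 0 1 8 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer"
```

Usage, with the placeholders from the steps above: verify_download ~/btc.keyring ./<electrum-installer>.asc ./<electrum-installer> "<expected fingerprint>" && echo "signature OK".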
