How to verify the digital signatures of the files you download

Why check signatures?

Checksums such as MD5 and SHA-256 help you answer the question “Did I download this file correctly from whoever sent it to me?” They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from an attacker. The better question to answer is: “Is this file that I just downloaded really coming from the project developers, or has it been tampered with?” That's what GPG signatures are for.

Download accompanying signature file (.asc)

Signature files are available for each Electrum-GAME package. When you download a package, make sure you also download its accompanying signature by clicking on the “signature” link next to it on the download page.
For example, to verify the file Electrum-GAME-3.2.3.tar.gz you will need the signature file Electrum-GAME-3.2.3.tar.gz.asc.

Use the instructions below if you're using Linux and have GnuPG installed. The Tor Project provides more detailed instructions for Windows and OS X. The signing key to use for Electrum-GAME is 0x02f6c8b9d8801f94.

Import signing key from keyserver

Type this in a terminal:

gpg --keyserver keys.fedoraproject.org --recv-keys 0x02f6c8b9d8801f94

You should see:

gpg: trustdb created
gpg: key 02F6C8B9D8801F94: public key "Samad Sajanlal " imported
gpg: Total number processed: 1
gpg:               imported: 1

Verify that the imported fingerprint is correct

gpg --fingerprint 0x02f6c8b9d8801f94

You should see:

pub   rsa4096 2018-10-15 [SC] [expires: 2022-10-15]
      9E27 DCCB 1520 DAB5 E09C  112A 02F6 C8B9 D880 1F94
uid           [ unknown] Samad Sajanlal 
sub   rsa4096 2018-10-15 [E] [expires: 2022-10-15]

Verify signature of downloaded file

gpg --verify Electrum-GAME-3.2.3.tar.gz.asc Electrum-GAME-3.2.3.tar.gz

The output should say “Good signature”:

gpg: Signature made Sat Oct 20 16:59:42 2018 CDT
gpg:                using RSA key 9E27DCCB1520DAB5E09C112A02F6C8B9D8801F94
gpg: Good signature from "Samad Sajanlal " [ultimate]

Notice that there may be a warning because you haven't assigned a trust level to this key:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

This means that GnuPG has verified that this key made the signature, but it cannot tell you whether the key really belongs to the developer; that is for you to decide, and the fingerprint you checked in the previous step is the value to compare. The best method is to meet the developer in person and exchange key fingerprints.
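As an added example that is not part of the original instructions: a small POSIX shell script that pins the fingerprint shown above and checks it against gpg's machine-readable status output (--status-fd), so that a "Good signature" from some other key that happens to be in your keyring is rejected. verify_download assumes gpg is on your PATH; the status lines embedded in the script are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not from the original page): pin the developer's key
# fingerprint and check it against gpg's machine-readable status output.
# Fingerprint and file names are the ones the page gives above.
EXPECTED_FPR="9E27DCCB1520DAB5E09C112A02F6C8B9D8801F94"

# check_status: read `gpg --status-fd 1 --verify ...` output on stdin and
# succeed only if a VALIDSIG line names the pinned fingerprint (as the
# signing key or as its primary key) and no bad/expired/revoked/missing-key
# status appeared. "Good signature" alone is not enough: gpg prints it for
# any key in your keyring, so the fingerprint is what ties the signature
# to the developer. TRUST_* lines (the warning above) are ignored on purpose.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ')
    valid=0
    bad=0
    # VALIDSIG fields: 1 = fingerprint, 2-9 = date/timestamps/algos/class,
    # 10 = primary-key fingerprint (present when a subkey made the signature)
    while read -r prefix keyword f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                if [ "$f1" = "$expected" ] || [ "$f10" = "$expected" ]; then
                    valid=1
                fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                bad=1 ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ "$valid" -eq 1 ]; then return 0; fi
    return 1
}

# verify_download <file.asc> <file>: the same check run against real gpg
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status lines in gpg's --status-fd format (not real output):
# first a signature by the pinned key, then a "good" signature by some
# other key in the keyring (all-zero placeholder fingerprint).
STATUS_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 02F6C8B9D8801F94 Samad Sajanlal
[GNUPG:] VALIDSIG 9E27DCCB1520DAB5E09C112A02F6C8B9D8801F94 2018-10-20 1540072782 0 4 0 1 8 00 9E27DCCB1520DAB5E09C112A02F6C8B9D8801F94
[GNUPG:] TRUST_UNDEFINED 0 pgp'
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-10-20 1540072782 0 4 0 1 8 00 0000000000000000000000000000000000000000'
```

On a real download, run `verify_download Electrum-GAME-3.2.3.tar.gz.asc Electrum-GAME-3.2.3.tar.gz && echo OK`; it exits non-zero unless the signature was made by the pinned key.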

Thanks to Andre Mueller for originally writing these instructions.
