How to verify the digital signatures of the files you download

Why check signatures?

Checksums such as MD5 and SHA-256 help you answer the question “Did I download this file correctly from whoever sent it to me?” They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from an attacker. The better question to answer is: “Is this file that I just downloaded really coming from the project developers, or has it been tampered with?” That's what GPG signatures are for.

Download accompanying signature file (.asc)

Signature files are available for each Electrum-LTC package. When you download a package, make sure you also download its accompanying signature by clicking on the “signature” link next to it on the download page.
For example, to verify the file Electrum-LTC-2.9.3.1.tar.gz you will need the signature file Electrum-LTC-2.9.3.1.tar.gz.asc.

Use the below instructions if you're using Linux and have GnuPG installed. The Tor Project provides more detailed instructions for Windows and OS X. The signature key to use for Electrum-LTC is 0x6fc4c9f7f1be8fea.

Import signing keys from keyserver

Type this in a terminal:

gpg --keyserver keyserver.ubuntu.com --recv-keys 0x6fc4c9f7f1be8fea 0xfe3348877809386c 0x3b2a6315cd51a673

You should see something similar to this (the exact output depends on your GnuPG version):

    gpg: key 6FC4C9F7F1BE8FEA: public key "pooler <pooler@litecoinpool.org>" imported
    gpg: key FE3348877809386C: public key "Adrian Gallagher <thrasher@addictionsoftware.com>" imported
    gpg: key 3B2A6315CD51A673: "Loshan T (A.K.A. losh11) <loshan1212@gmail.com>" imported
    gpg: Total number processed: 3
    gpg:               imported: 3

Verify that the fingerprints are correct

gpg --fingerprint 0x6fc4c9f7f1be8fea 0xfe3348877809386c 0x3b2a6315cd51a673

You should see:

    pub   rsa2048 2013-07-21 [SC]
          CAE1 092A D355 3FFD 21C0  5DE3 6FC4 C9F7 F1BE 8FEA
    uid           [ unknown] pooler <pooler@litecoinpool.org>
    sub   rsa2048 2013-07-21 [E]

    pub   rsa2048 2013-06-19 [SC]
          59CA F0E9 6F23 F537 4794  5FD4 FE33 4887 7809 386C
    uid           [ unknown] Adrian Gallagher <thrasher@addictionsoftware.com>
    sub   rsa2048 2013-06-19 [E]

    pub   rsa4096 2016-01-09 [SC] [expires: 2026-01-09]
          C092 1846 FED0 BF4C F28B  E1D7 3B2A 6315 CD51 A673
    uid           [ unknown] Loshan T (A.K.A. losh11) <loshan1212@gmail.com>
    sub   rsa4096 2016-01-09 [E] [expires: 2026-01-10]

Verify signature of downloaded file

gpg --verify Electrum-LTC-2.9.3.1.tar.gz.asc Electrum-LTC-2.9.3.1.tar.gz

The output should say “Good signature”:

    gpg: Signature made Thu 17 Aug 2017 10:59:17 AM PDT
    gpg:                using RSA key 6FC4C9F7F1BE8FEA
    gpg: Good signature from "pooler <pooler@litecoinpool.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: CAE1 092A D355 3FFD 21C0  5DE3 6FC4 C9F7 F1BE 8FEA

Notice that there is a warning because you haven't assigned a trust index to this person.

    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.

This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

Thanks to Andre Mueller for writing these instructions.


« Back to the homepage