Electrum setup question

So I see that in the new Whonix the Electrum AppImage is installed on the system. My question is: should I do any steps from the manual How-to: Use Electrum Bitcoin Wallet in Whonix ™ - Manual Installation
gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg --fingerprint 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
scurl-download https://download.electrum.org/3.3.8/electrum-3.3.8-x86_64.AppImage
etc
or should I just click on the AppImage and set the socks5 and port and I’m done?

want2know via Whonix Forum:

or should I just click on the AppImage and set the socks5 and port and I’m done?

This.

Thanks, if the next Whonix has this for Monero included I’d feel much safer, I don’t trust myself with installing sensitive software.

You don’t need to download it but it won’t hurt to verify it.
Whether Patrick just took the appimage from Electrum site or built it himself, it shouldn’t matter in this case since the build is reproducible.

By the way, for those interested to build electrum appimage on Whonix, the instructions in the above link need some modifications:

  • Get 3.3.8 release (if you don’t use -b, master is downloaded)

git clone https://github.com/spesmilo/electrum -b 3.3.8

  • Install Docker on Debian

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo apt-get install software-properties-common
sudo su
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
exit
sudo apt-get update
sudo apt-get install -y docker-ce

Same as the formal instructions from this point on.

  • Build linux image

sudo docker build -t electrum-appimage-builder-img contrib/build-linux/appimage

  • Build linux binary

sudo docker run -it \
    --name electrum-appimage-builder-cont \
    -v $PWD:/opt/electrum \
    --rm \
    --workdir /opt/electrum/contrib/build-linux/appimage \
    electrum-appimage-builder-img \
    ./build.sh

This.

git commit / tag verification advised.

This downloads an APT signing key over TLS only.

Third party repository warning applies as per Install Additional Software Safely

I don’t know where docker images are coming from and if these are verified.

Yes, I’m sure it can be done in a better way, I have limited knowledge in this, I just took the build instructions from GitHub and made the minimal modifications for them to work in Whonix.
In any case the resulting AppImage can be verified with the signature from their site.
Maybe doing all that in one VM then just copying the appImage to another improves security as well?

Yes, that seems like a good idea. Use a dedicated VM for building. Then move the final build result to another VM. Check the checksum there. If the checksum matches, you’re golden.

(In case any of the build dependencies compromised the build machine it would be contained in the VM. (Assuming malware without VM breakout capability.))
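The build-VM-to-second-VM checksum check described above, as an added example that is not part of the original thread. The helper names `record_digest` and `verify_digest` and the one-line manifest file are assumptions made for illustration; the manifest has to reach the second VM by a path you trust.

```shell
#!/bin/sh
# Added example: record a SHA-256 manifest in the build VM and check it in
# the destination VM. Helper names and the manifest layout are illustrative.

# Build VM: write "<sha256>  <basename>" for the finished artifact.
record_digest() {
    artifact=$1 manifest=$2
    [ -f "$artifact" ] || { echo "no such file: $artifact" >&2; return 2; }
    ( cd "$(dirname "$artifact")" && sha256sum -- "$(basename "$artifact")" ) > "$manifest"
}

# Destination VM: recompute the digest of the copied file and compare.
# Returns 0 on match, 1 on mismatch, 2 on missing or malformed input,
# so an empty or truncated manifest can never count as a pass.
verify_digest() {
    artifact=$1 manifest=$2
    [ -f "$artifact" ] && [ -f "$manifest" ] || { echo "missing input" >&2; return 2; }
    [ "$(wc -l < "$manifest")" -eq 1 ] || { echo "malformed manifest" >&2; return 2; }
    expected=$(cut -d' ' -f1 "$manifest")
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed manifest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed manifest" >&2; return 2; }
    actual=$(sha256sum -- "$artifact" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $artifact"
    else
        echo "MISMATCH: $artifact" >&2
        return 1
    fi
}
```

Because the build is reproducible, running `record_digest` on the AppImage downloaded from the Electrum site and `verify_digest` on the locally built one gives the same comparison between the two builds.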

Perhaps an option in the future: