I do everything according to the instructions specified on the official website but when trying to execute a command “gpg --verify electrum-3.3.6-x86_64.AppImage.asc” gives an error message: “gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.”
I use Whonix XFCE. Please, help
Hi Volotai
The instructions call for downloading the latests Electrum image and signature from https://electrum.org/#download. When I checked that page is mostly blank with no images or signatures. No information on that issue has been posted the official Electrum Twitter feed.
I’ll keep you posted when I find out more on this.
Changed my exit node an the downoad links popped up
Hi Volotai
The Electrum instruction have been updated to reflect the latests version 3.3.8. However since Elecrum is constantly hammered with phishing attacks its best the Whonix lead developer check the doc submission before it does live. When that is done I’ll let you know. Please be patient.
To clarify my last post you could always substitute the latest electrum version from https://electrum.org#download for the older version in the https://www.whonix.org/wiki/electrum.
Hi Volotai
The Electrum documentation has been updated.
Electrum’s site has been getting DDOS’d lately, and they’re using Cloudflare now. As a result, I have not been able to download anything from https://download.electrum.org via curl or wget in a few days. I think this situation may persist indefinitely, so this is something to keep in mind as it affects the wiki.
Using Tor Browser for the download works consistently.
Maybe there’s a way to mimic the browser with curl? I tried to use the same header that TB sends, but I didn’t trick Cloudflare. Here is what I used in that case (maybe I didn’t do it correct):
curl -v -A 'Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0' -H 'host: electrum.org' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'accept-language: en-US,en;q=0.5' -H 'accept-encoding: gzip, deflate, br' -H 'referer: https://download.electrum.org/' -LO "https://download.electrum.org/3.3.8/electrum-3.3.8-x86_64.AppImage" -O "https://download.electrum.org/3.3.8/electrum-3.3.8-x86_64.AppImage.asc"
This is always what I end up with:
user@host:~$ head electrum-3.3.8-x86_64.AppImage
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Attention Required! | Cloudflare</title>
<meta name="captcha-bypass" id="captcha-bypass" />
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
I tried to install the updated instructions. Anyway, when you try to use the gpg --verify electrum-3.3.8-x86_64.AppImage.asc command, you get the error: gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file line given on the command line.
Explain please, I have a problem or with Electrum
I was ablt to download the Appmage and signature using by following the Whonix wiki documentation.
Working on that now.
I downloaded one good elelctrum AppImage and the next two were the same as what you have. The first signature file I downloaded was the same HTML document, ASCII text as above.
Another option might be Linux deterministic builds. But not yet complete for Linux.
Release notes - Previous releases
Sources and executables are signed by ThomasV.
Linux and Windows builds are reproducible, and signed by several developers. See the list here
(Linux reproducible not complete)
https://github.com/spesmilo/electrum/tree/master/contrib/build-linux
Can be to eat alternatives Elektrum? Somebody will prompt what and how to establish?
From Freenode #electrum:
07/27/19 23:05:05 < EagleTM> cloudflare issues with using curl / wget over Tor exit nodes solved for now
Tested, works for me.
So in other words, “Tor frienldy” Cloudflare DDoS’d their own customers and only Tor users were affected.
When upgrading from Whonix testers repository, electrum appimage will be installed.
At time of writing:
version 3.3.8
filename: electrum-3.3.8-x86_64.AppImage
(It’s shipped by the binaries-freedom package. See this folder: https://github.com/adrelanos/binaries-freedom/tree/master/usr/share/binaries-freedom/electrum-appimage)
Can be started from start menu or command line:
electrum-appimage
Over time it will migrate to stable-proposed-updates as well as stable repository.
development discussion:
Related:
Not sure that is sound.
The Debian Package Tracker https://tracker.debian.org/ is quite useful to check the state of software.
For the purpose of testing, I have installed Electrum from Debian unstable repository, in its own vm. This is recommended because if by mistake, the system is upgraded from unstable, it might live by its name, becoming truly unstable. The user should be confident with sources.list.d.
The installed Electrum version is 3.3.8
The package is installed in /usr/local/bin (/rw/usrlocal/bin in qubes), meaning that the template should not be affected.
I’ve got the electrum source package from sid (unstable). It’s outdated for sure.
/tmp/electrum-3.2.3 $ electrum/electrum
This version of Electrum is vulnerable to malicious code inserted by
attackers and is being actively exploited to try and convince users to
give their private credentials to attackers. See
https://bugs.debian.org/921688 for details. Until the version in
Debian is updated, please see https://electrum.org/download.html
Traceback (most recent call last):
File "electrum/electrum", line 58, in <module>
from electrum.gui.qt.util import MessageBoxMixin
ModuleNotFoundError: No module named 'electrum.gui'
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688 also confirms that.
https://packages.debian.org/sid/electrum says Package: electrum (3.2.3-1.1).
Seems very unlikely to me that a package from packages.debian.org would install to /usr/local. Could you confirm please?
Why?
Btw… More specifically…
version 3.3.8
filename: electrum-3.3.8-x86_64.AppImage
Will update above post.
Package binaries-freedom (which includes electrum AppImage) is now available from all Whonix repositories.
Hello, i want install last electrum version, because
Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.
But with following this instruction https://www.whonix.org/wiki/electrum possible install only 3.1.3 version.
If following official instruction
Install dependencies:
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
Install Electrum:
sudo python3 -m pip install https://download.electrum.org/3.3.3/Electrum-3.3.3.tar.gz#egg=electrum[fast]
as i understand, it’s not secure.
So what i can do?
Simple:
If you get this message that asks you to download a new/updated version of Electrum… Dont do it!
Only use Apt to download/update your software.
Avoid 3rd party package managers.
Always verify signatures.
Note: The latest version of electrum found in the Debian (unstable) repositories is electrum 3.2.3-1 .
Hello. i see it on official electrum.org site (you can check).
the previous versions have vulnerability.
How i can install 3.2.3-1? When i make as in wiki instruction, he find only 3.1.3 version. Can you write how install 3.2.3-1?
But anyway, can i install from official site electrum?
Correct. This is a vulnerability to fishing attacks.
malicious servers are able to display a message asking users to download a fake version of Electrum.
This vulnerability can be mitigated by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.
This can be done by installing electrum from Debian unstable (sid). This version still has the same vulnerability. Make sure you read all warnings before installing from Debian unstable. (Installing from Debian stable is preferred)
https://whonix.org/wiki/Install_Software#Install_from_Debian_Unstable
You can if you want. Keep in mind, Install Software#Best_Practices still applies here.