I downloaded one good Electrum AppImage and the next two were the same as what you have. The first signature file I downloaded was the same HTML document, ASCII text as above.
Another option might be Linux deterministic builds. But not yet complete for Linux.
Release notes - Previous releases
Sources and executables are signed by ThomasV.
Linux and Windows builds are reproducible, and signed by several developers. See the list here
(Linux reproducible not complete)
Are there perhaps alternatives to Electrum? Can somebody suggest what to install and how?
From Freenode #electrum:
07/27/19 23:05:05 < EagleTM> cloudflare issues with using curl / wget over Tor exit nodes solved for now
Tested, works for me.
So in other words, “Tor friendly” Cloudflare DDoS’d their own customers and only Tor users were affected.
When upgrading from Whonix testers repository, electrum appimage will be installed.
At time of writing:
(It’s shipped by the binaries-freedom package. See this folder: https://github.com/adrelanos/binaries-freedom/tree/master/usr/share/binaries-freedom/electrum-appimage)
Can be started from start menu or command line:
Over time it will migrate to stable-proposed-updates as well as stable repository.
- Policy for Inclusion of Compiled Software - #12 by Patrick
- ⚓ T215 install electrum bitcoin thin client by default?
Not sure that is sound.
The Debian Package Tracker https://tracker.debian.org/ is quite useful to check the state of software.
For the purpose of testing, I have installed Electrum from the Debian unstable repository, in its own VM. This is recommended because if by mistake, the system is upgraded from unstable, it might live up to its name, becoming truly unstable. The user should be confident with
The installed Electrum version is 3.3.8
The package is installed in /usr/local/bin (/rw/usrlocal/bin in Qubes), meaning that the template should not be affected.
I’ve got the electrum source package from sid (unstable). It’s outdated for sure.
/tmp/electrum-3.2.3 $ electrum/electrum
This version of Electrum is vulnerable to malicious code inserted by attackers and is being actively exploited to try and convince users to give their private credentials to attackers. See https://bugs.debian.org/921688 for details. Until the version in Debian is updated, please see https://electrum.org/download.html
Traceback (most recent call last):
  File "electrum/electrum", line 58, in <module>
    from electrum.gui.qt.util import MessageBoxMixin
ModuleNotFoundError: No module named 'electrum.gui'
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688 also confirms that.
Debian -- Details of package electrum in sid says
Package: electrum (3.2.3-1.1).
Seems very unlikely to me that a package from packages.debian.org would install to /usr/local. Could you confirm please?
Btw… More specifically…
Will update above post.
binaries-freedom (which includes electrum AppImage) is now available from all Whonix repositories.
Hello, I want to install the latest Electrum version, because
Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.
But by following this instruction, How-to: Use Electrum Bitcoin Wallet in Whonix ™, it is only possible to install version 3.1.3.
If following the official instructions
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
sudo python3 -m pip install https://download.electrum.org/3.3.3/Electrum-3.3.3.tar.gz#egg=electrum[fast]
As I understand, it’s not secure.
So what can I do?
If you get this message that asks you to download a new/updated version of Electrum… Don’t do it!
Only use Apt to download/update your software.
Avoid 3rd party package managers.
Always verify signatures.
Note: The latest version of electrum found in the Debian (unstable) repositories is electrum 3.2.3-1.
Hello. I see it on the official electrum.org site (you can check).
The previous versions have a vulnerability.
How can I install 3.2.3-1? When I do as in the wiki instructions, it finds only version 3.1.3. Can you write how to install 3.2.3-1?
But anyway, can I install Electrum from the official site?
Correct. This is a vulnerability to phishing attacks.
malicious servers are able to display a message asking users to download a fake version of Electrum.
This vulnerability can be mitigated by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.
This can be done by installing electrum from Debian unstable (sid). This version still has the same vulnerability. Make sure you read all warnings before installing from Debian unstable. (Installing from Debian stable is preferred)
You can if you want. Keep in mind, Install Software#Best_Practices still applies here.
As I understand it, there is no proper way to update to the latest version, which does not have the vulnerability? Is it necessary to wait for an update in the repository? If I ignore the vulnerability and use the current version, does it pose some threat?
Not possible to update to electrum 3.3.3 in Whonix using APT.
This question was already answered.
If you use APT (in Whonix) to install electrum
And update electrum using APT (in Whonix)
sudo apt-get update && sudo apt-get dist-upgrade
This vulnerability will not affect you i.e. vulnerability is mitigated.
Please read up on what a phishing attack is. I think this will make a little more sense.
“How i can install 3.2.3-1?”
“This can be done by installing electrum from Debian unstable (sid). This version --still has the same vulnerability–.”
“–This vulnerability can be mitigated-- by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.”
- I understand what a phishing attack is, i.e. the vulnerability can be used only if I download, but nevertheless, I was asking whether there is no danger from it
- As I understand it, I can download only version 3.2.3-1 from the Debian repository; however, the problem is fixed only in version 3.3.3, so does it make sense? Also, as I understand, will the version from an unstable repository cause other problems?
But I also did not completely understand
If I try to install from this instruction, How-to: Use Electrum Bitcoin Wallet in Whonix ™, I can install only 3.1.3-1
electrum is already the newest version (3.1.3-1).
So what must I do to update to the new version from APT?
Danger? If you download the malicious (steal all your data, bitcoin and everything else on your system) file from the attacker? YES
If you use APT (i.e. don’t download the malicious, steal all your data, and bitcoin ‘file’ from attacker) then this vulnerability will not affect you.
The latest version of electrum available from Debian repositories (APT) is 3.2.3-1. So no version available from Debian repositories that has the fix. That was the point I was trying to make.
In other words, Not possible to update to 3.3.3 using APT.
Hey, I just installed Whonix 14 and now I can’t install Electrum. I followed the instructions from the Whonix Wiki, but every time I try to run the final command to install Electrum this happens:
user@host:~$ sudo apt-get -t buster install electrum
Reading package lists… Done
Building dependency tree
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
libkf5coreaddons5 : Breaks: libkf5auth5 (< 5.47) but 5.28.0-2 is to be installed
Breaks: libkf5globalaccel-bin (< 5.47) but 5.28.0-1 is to be installed
libkf5crash5 : Breaks: libkf5globalaccel-bin (< 5.47) but 5.28.0-1 is to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
I’m quite new to Linux so I don’t really know what to do. I hope you guys can help me out.
Hold off on using those instructions, as resolving the dependency problem will likely break your Whonix-Workstation VM.
I’ll work on trying to find a solution.
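
Added example, not part of any post in this thread: the first post reports a downloaded signature file that was really an HTML document, and the thread mentions Cloudflare issues with curl / wget over Tor exit nodes. The sketch below rejects such a file before `gpg --verify` is attempted; the function names and sample files are constructed for illustration, and it assumes an ASCII-armored detached signature.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a downloaded signature
# file before handing it to gpg. Function names are hypothetical.

# Print one of: armored-signature, html-page, empty, unknown
classify_sig_file() {
    [ -s "$1" ] || { echo empty; return 0; }
    # First non-blank line of the first 1 KiB, NULs/CRs stripped, lowercased.
    first=$(head -c 1024 "$1" | LC_ALL=C tr -d '\000\r' |
        LC_ALL=C awk 'NF { sub(/^[ \t]+/, ""); print; exit }' |
        LC_ALL=C tr '[:upper:]' '[:lower:]')
    case $first in
        "-----begin pgp signature-----"*) echo armored-signature ;;
        "<!doctype html"*|"<html"*|"<head"*) echo html-page ;;
        *) echo unknown ;;
    esac
}

# Refuse to verify unless the file at least looks like a detached signature.
# Exit status: gpg's own status on a real attempt, 2 when the file is rejected.
safe_verify() {
    sig=$1 data=$2
    kind=$(classify_sig_file "$sig")
    if [ "$kind" != armored-signature ]; then
        echo "refusing: $sig is '$kind', not a PGP signature; re-download it" >&2
        return 2
    fi
    gpg --verify "$sig" "$data"
}

# Constructed sample files, so the demo runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'constructed-not-a-real-signature' \
    '-----END PGP SIGNATURE-----' > "$demo_dir/good.asc"
printf '\n<!DOCTYPE html>\n<html><head><title>constructed error page</title></head></html>\n' \
    > "$demo_dir/blocked.asc"
: > "$demo_dir/empty.asc"

for f in good blocked empty; do
    printf '%s.asc: %s\n' "$f" "$(classify_sig_file "$demo_dir/$f.asc")"
done
```

Passing this check only means the file has the right shape; `gpg --verify` against the signer's key still decides whether the download is authentic.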