I can not install Electrum - Bitcoin Crypto Currency Wallet

I downloaded one good electrum AppImage and the next two were the same as what you have. The first signature file I downloaded was the same HTML document, ASCII text as above.

1 Like
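The failure reported in the post above, a "signature" download that is really an HTML page, can be caught before `gpg` is involved. The following is an added example, not code from this thread or from the Electrum or Whonix projects; the function names are hypothetical and the `.asc` file name in the usage comment is assumed.

```sh
#!/bin/sh
# Added example (hypothetical helper names): classify a downloaded file by
# its leading bytes before handing it to gpg.

hex_at() {  # hex_at FILE OFFSET COUNT -> hex digits, no separators
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

classify_download() {  # prints: appimage | elf | pgp-signature | html | empty | unknown
    f=$1
    [ -s "$f" ] || { echo empty; return 0; }
    # ELF magic is 7f 45 4c 46; an AppImage also carries "AI" plus a type
    # byte (01 or 02) at offsets 8..10 of the ELF header.
    if [ "$(hex_at "$f" 0 4)" = "7f454c46" ]; then
        case "$(hex_at "$f" 8 3)" in
            414901|414902) echo appimage ;;
            *) echo elf ;;
        esac
        return 0
    fi
    # ASCII-armored detached signature, as published next to the release.
    first_line=$(head -n 1 "$f" | tr -d '\r\000')
    if [ "$first_line" = "-----BEGIN PGP SIGNATURE-----" ]; then
        echo pgp-signature
        return 0
    fi
    # A block or challenge page saved under the expected file name.
    if head -c 512 "$f" | tr 'A-Z' 'a-z' | grep -q -e '<!doctype html' -e '<html'; then
        echo html
        return 0
    fi
    echo unknown
}

safe_to_verify() {  # safe_to_verify APPIMAGE SIGNATURE -> status 0 if both look right
    [ "$(classify_download "$1")" = appimage ] &&
        [ "$(classify_download "$2")" = pgp-signature ]
}

# Typical use once both files are downloaded (signature file name assumed):
#   safe_to_verify electrum-3.3.8-x86_64.AppImage electrum-3.3.8-x86_64.AppImage.asc \
#       && gpg --verify electrum-3.3.8-x86_64.AppImage.asc electrum-3.3.8-x86_64.AppImage
```

A passing classification only says the files have the right shape; authenticity still depends on `gpg --verify` succeeding against a signing key you have checked.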

Another option might be Linux deterministic builds. But not yet complete for Linux.

Release notes - Previous releases

Sources and executables are signed by ThomasV.
Linux and Windows builds are reproducible, and signed by several developers. See the list here

(Linux reproducible not complete)
https://github.com/spesmilo/electrum/tree/master/contrib/build-linux

1 Like

Are there perhaps alternatives to Electrum? Can somebody suggest what to install and how?

From Freenode #electrum:

07/27/19 23:05:05 < EagleTM> cloudflare issues with using curl / wget over Tor exit nodes solved for now

Tested, works for me.

1 Like

So in other words, “Tor friendly” Cloudflare DDoS’d their own customers and only Tor users were affected.

When upgrading from Whonix testers repository, electrum appimage will be installed.

At time of writing:
version 3.3.8
filename: electrum-3.3.8-x86_64.AppImage

(It’s shipped by the binaries-freedom package. See this folder: https://github.com/adrelanos/binaries-freedom/tree/master/usr/share/binaries-freedom/electrum-appimage)

Can be started from start menu or command line:

electrum-appimage

Over time it will migrate to stable-proposed-updates as well as stable repository.

development discussion:

Related:

Not sure that is sound.

The Debian Package Tracker https://tracker.debian.org/ is quite useful to check the state of software.

For the purpose of testing, I have installed Electrum from the Debian unstable repository, in its own VM. This is recommended because if the system is upgraded from unstable by mistake, it might live up to its name and become truly unstable. The user should be confident with sources.list.d.

The installed Electrum version is 3.3.8

The package is installed in /usr/local/bin (/rw/usrlocal/bin in qubes), meaning that the template should not be affected.

I’ve got the electrum source package from sid (unstable). It’s outdated for sure.

/tmp/electrum-3.2.3 $ electrum/electrum 
 This version of Electrum is vulnerable to malicious code inserted by
attackers and is being actively exploited to try and convince users to
give their private credentials to attackers.  See
https://bugs.debian.org/921688 for details.  Until the version in
Debian is updated, please see https://electrum.org/download.html
Traceback (most recent call last):
  File "electrum/electrum", line 58, in <module>
    from electrum.gui.qt.util import MessageBoxMixin
ModuleNotFoundError: No module named 'electrum.gui'

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688 also confirms that.

Debian -- Details of package electrum in sid says Package: electrum (3.2.3-1.1).

Seems very unlikely to me that a package from packages.debian.org would install to /usr/local. Could you confirm please?

Why?

Btw… More specifically…

version 3.3.8
filename: electrum-3.3.8-x86_64.AppImage
Will update above post.

Package binaries-freedom (which includes electrum AppImage) is now available from all Whonix repositories.

Hello, I want to install the latest Electrum version, because

Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.

But following this instruction, Electrum Bitcoin Wallet, it is only possible to install version 3.1.3.
If following the official instructions

Install dependencies:
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
Install Electrum:
sudo python3 -m pip install https://download.electrum.org/3.3.3/Electrum-3.3.3.tar.gz#egg=electrum[fast]

as I understand, it’s not secure.

So what can I do?

Simple:

If you get this message that asks you to download a new/updated version of Electrum… Don’t do it!

Only use Apt to download/update your software.

Avoid 3rd party package managers.

Always verify signatures.

Note: The latest version of electrum found in the Debian (unstable) repositories is electrum 3.2.3-1.

https://packages.debian.org/sid/utils/electrum

1 Like

Hello. I saw it on the official electrum.org site (you can check).
The previous versions have a vulnerability.

How can I install 3.2.3-1? When I do as in the wiki instructions, it finds only version 3.1.3. Can you write how to install 3.2.3-1?
But anyway, can I install from the official Electrum site?

Correct. This is a vulnerability to phishing attacks.

malicious servers are able to display a message asking users to download a fake version of Electrum.

This vulnerability can be mitigated by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.

This can be done by installing electrum from Debian unstable (sid). This version still has the same vulnerability. Make sure you read all warnings before installing from Debian unstable. (Installing from Debian stable is preferred)

https://whonix.org/wiki/Install_Software#Install_from_Debian_Unstable

You can if you want. Keep in mind, Install Software#Best_Practices still applies here.

1 Like

As I understand it, there is no proper way to update to the latest version, which does not have the vulnerability? Is it necessary to wait for an update in the repository? If I ignore the vulnerability and use the current version, does it pose some threat?

Not possible to update to electrum 3.3.3 in Whonix using APT.

This question was already answered.

If you use APT (in Whonix) to install electrum

https://www.whonix.org/wiki/Electrum

And update electrum using APT (in Whonix)

sudo apt-get update && sudo apt-get dist-upgrade

This vulnerability will not affect you i.e. vulnerability is mitigated.

Please read up on what a phishing attack is. I think this will make a little more sense.

1 Like

“How i can install 3.2.3-1?”

0brand:
“This can be done by installing electrum from Debian unstable (sid). This version --still has the same vulnerability--.”

0brand:
“--This vulnerability can be mitigated-- by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.”

  1. I understand what a phishing attack is, i.e. the vulnerability can be used only if I download, but nevertheless, I wanted to clarify whether there is any danger from it.
  2. As I understand it, I can download only version 3.2.3-1 from the Debian repository; however, the problem is fixed only in version 3.3.3, so does it make sense? Also, as I understand, the version is from an unstable repository; will it cause other problems?

But I also did not completely understand.

If I try to install following this instruction, Electrum Bitcoin Wallet, I can install only 3.1.3-1

electrum is already the newest version (3.1.3-1).
So what must I do to update via APT to the new version?

https://www.whonix.org/wiki/Install_Software#Install_from_Debian_Unstable

Danger? If you download the malicious (steal all your data, bitcoin and everything else on your system) file from the attacker? YES

If you use APT (i.e. don’t download the malicious, steal all your data, and bitcoin ‘file’ from attacker) then this vulnerability will not affect you.

The latest version of electrum available from Debian repositories (APT) is 3.2.3-1. So no version available from Debian repositories has the fix. That was the point I was trying to make.

In other words, Not possible to update to 3.3.3 using APT.

1 Like

Hey, I just installed Whonix 14 and now I can’t install Electrum. I followed the instructions from the Whonix Wiki, but every time I try to run the final command to install Electrum this happens:

user@host:~$ sudo apt-get -t buster install electrum
Reading package lists… Done
Building dependency tree
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
libkf5coreaddons5 : Breaks: libkf5auth5 (< 5.47) but 5.28.0-2 is to be installed
Breaks: libkf5globalaccel-bin (< 5.47) but 5.28.0-1 is to be installed
libkf5crash5 : Breaks: libkf5globalaccel-bin (< 5.47) but 5.28.0-1 is to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

I’m quite new to Linux so I don’t really know what to do. I hope you guys can help me out.

Hi berto

Hold off on using those instructions as resolving the dependency problem will likely break your Whonix-Workstation VM.

I’m working on trying to find a solution :wink:

3 Likes