I can not install Electrum - Bitcoin Crypto Currency Wallet

As I understand it, there is no proper solution for updating to the latest version, which does not have the vulnerability? Is it necessary to wait for an update in the repository? If I ignore the vulnerability and use the current version, does it pose some threat?

Not possible to update to electrum 3.3.3 in Whonix using APT.

This question was already answered.

If you use APT (in Whonix) to install electrum

https://www.whonix.org/wiki/Electrum

And update electrum using APT (in Whonix)

sudo apt-get update && sudo apt-get dist-upgrade

This vulnerability will not affect you i.e. vulnerability is mitigated.

Please read up on what a phishing attack is. I think this will make a little more sense.

1 Like

“How i can install 3.2.3-1?”

0brand:
“This can be done by installing electrum from Debian unstable (sid). This version --still has the same vulnerability--.”

0brand:
“--This vulnerability can be mitigated-- by downloading/updating electrum using Debian’s official package manager APT. Use nothing else.”

  1. I understand what a phishing attack is, i.e. the vulnerability can be used only if I download, but nevertheless, I was asking whether there is no danger from it.
  2. As I understand it, I can download only version 3.2.3-1 from a Debian repository; however, the problem is fixed only in version 3.3.3, so does it make sense? Also, as I understand it, the version is from an unstable repository; will it bring other problems?

But I also did not completely understand.

If I try to install following the Electrum Bitcoin Wallet instructions, I can install only 3.1.3-1

electrum is already the newest version (3.1.3-1).
So what must I do to update to the new version from APT?

https://www.whonix.org/wiki/Install_Software#Install_from_Debian_Unstable

Danger? If you download the malicious (steal all your data, bitcoin and everything else on your system) file from the attacker? YES

If you use APT (i.e. don’t download the malicious, steal all your data, and bitcoin ‘file’ from attacker) then this vulnerability will not affect you.

The latest version of electrum available from Debian repositories (APT) is 3.2.3-1. So no version available from Debian repositories has the fix. That was the point I was trying to make.

In other words, not possible to update to 3.3.3 using APT.

1 Like

Hey, I just installed Whonix 14 and now I can’t install Electrum. I followed the instructions from the Whonix Wiki, but every time I try to run the final command to install Electrum this happens:

user@host:~$ sudo apt-get -t buster install electrum
Reading package lists… Done
Building dependency tree
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
libkf5coreaddons5 : Breaks: libkf5auth5 (< 5.47) but 5.28.0-2 is to be installed
Breaks: libkf5globalaccel-bin (< 5.47) but 5.28.0-1 is to be installed
libkf5crash5 : Breaks: libkf5globalaccel-bin (< 5.47) but 5.28.0-1 is to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

I’m quite new to Linux so I don’t really know what to do. I hope you guys can help me out.

Hi berto

Hold off on using those instructions, as resolving the dependency problem will likely break your Whonix-Workstation VM.

I’ll be working on trying to find a solution :wink:

3 Likes

I installed it following the instructions on the electrum website:

Install dependencies:
sudo apt-get install python3-setuptools python3-pyqt5 python3-pip

Install Electrum:
sudo pip3 install https://download.electrum.org/3.2.2/Electrum-3.2.2.tar.gz
2 Likes

Bad. → Install Additional Software Safely

3 Likes

What is the danger? If I install Electrum following the instructions from the electrum website, is it possible for electrum to connect to a bitcoin node directly, and not using the tor network?

1 Like

pip is a third party package manager. Referenced on Install Additional Software Safely. Did you read Install Additional Software Safely? Since it explains exactly that. It even names pip.

1 Like

I asked a specific question which is not answered in the documentation. And I don’t see any other option, at the moment, for installing electrum except using pip.

Indeed.

My previous answer was only addressing your question “What is the danger?”. In short: by resorting to unsafe practices the probability of a system compromise increases, which increases the chances of being completely surveilled, losing all data, losing all coins. What you make out of the security advice is of course up to you.

2 Likes

Thank you guys! Maybe I’ll install electrum using pip, but I’m not quite sure about it.

Indeed, there is not a clear and secure way to install Electrum. However, there is still a secure way to accomplish it which is not so difficult.

  1. Get packages from apt:
$ sudo apt-get install python3-setuptools python3-pyqt5 python3-pip
  2. Scroll down to “Sources” section and download tar.gz and sig:
$ curl -O "https://download.electrum.org/3.2.2/Electrum-3.2.2.tar.gz" -O "https://download.electrum.org/3.2.2/Electrum-3.2.2.tar.gz.asc"
  3. Retrieve ThomasV’s key from keyservers or Github.
$ gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: key 0x2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
  4. Verify downloaded source code:
$ gpg --verify Electrum-3.2.2.tar.gz.asc Electrum-3.2.2.tar.gz
gpg: Signature made Mon 02 Jul 2018 07:12:08 AM UTC
gpg:                using RSA key 0x2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
  5. At this point you can install with pip3 from your verified source:

$ sudo pip3 install Electrum-3.2.2.tar.gz

See patrick’s comment below for why pip is insecure, even with a verified source.

You can extract and run from the source folder:

$ tar xf Electrum-3.2.2.tar.gz 
user@host:~$ cd Electrum-3.2.2/
user@host:~/Electrum-3.2.2$ ./electrum -v

or you can copy/link the electrum executable to somewhere in your $PATH, like /usr/local/bin.

Enjoy. :slight_smile:

2 Likes
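
Added example (not part of the posts above, and not Electrum or Whonix code): "Good signature" in step 4 only means that some key in the keyring signed the file, so this sketch reads gpg's machine-readable status output and accepts the tarball only when the signer's primary fingerprint equals the one shown in the post. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint as printed by gpg in the post above.
PINNED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the expected primary-key fingerprint (its last field) and no failure status
# (bad, unverifiable or expired signature; expired or revoked key) appears.
check_status() {
    want="$1"
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*) return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                primary="${line##* }"          # last field = primary key fingerprint
                [ "$primary" = "$want" ] && ok=0 || return 1 ;;
        esac
    done
    return "$ok"                               # no VALIDSIG seen -> reject
}

# Verify FILE against detached signature SIG with the user's keyring.
# Status lines go to stdout (fd 1); human-readable text on stderr is dropped.
verify_release() {
    sig="$1"; file="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed sample of status output for a signature made by key $1.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" \
        "[GNUPG:] VALIDSIG $1 2018-07-02 1530515528 0 4 0 1 8 00 $1"
}

# Usage: ./verify.sh Electrum-3.2.2.tar.gz.asc Electrum-3.2.2.tar.gz
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" || { echo "REJECT: not signed by pinned key" >&2; exit 1; }
    echo "OK: $2 signed by $PINNED_FPR"
fi
```

This covers only the tarball itself; it does not verify anything pip downloads afterwards.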

Security issue: At that stage electrum does tons of downloads of third party libraries. I don’t think software signatures are verified.

Status: Draft

Related:
Whonix and Tor Limitations

1 Like

You are right, it starts pulling other packages over pip. I edited my steps above accordingly.

2 Likes

Hi everyone!

The Whonix wiki Electrum documentation has been updated. Anyone that would like to install Electrum in Whonix 14 can find the instructions here:

4 Likes

First of all, thanks for the update. The installation worked fine, but somehow I can’t start the application.

Hi berto

Can you try using the konsole to start electrum?

In Whonix-Workstation konsole, run.

electrum

1 Like