- Mac Download Twitter Video
- Free Downloads For Mac
- Downloader For Mac
- Vlc Download For Mac
- Games Download For Mac
- Electrum is one of Bitcoin’s oldest and best-known wallets. Users running this software are trusting their private keys to it. To reduce the risk of running malware, users can verify the authenticity of Electrum downloads before using them.
- Get started with Docker for Mac Estimated reading time: 16 minutes Welcome to Docker for Mac! Docker is a full development platform for creating containerized apps, and Docker for Mac is the best way to get started with Docker on a Mac.
Electrum is one of Bitcoin’s oldest and best-known wallets. Users running this software are trusting their private keys to it. To reduce the risk of running malware, users can verify the authenticity of Electrum downloads before using them. This tutorial describes how to do so on OSX. A procedure for verifying Electrum on Windows is also available.
Choose Docker Store from the Docker for Mac menu to get to the Docker app downloads site. Docker store is a component of the next-generation Docker Hub, and the best place to find compliant, trusted commercial and free software distributed as Docker Images. Verifying your ISO helps insure the data integrity and authenticity of your download.
Any piece of software that handles your private keys can steal them or sign transactions you never authorized. This makes Bitcoin wallets especially profitable targets for malware authors. They begin by tweaking some of the open source code. Then they distribute the result, which looks identical to the authentic version. When the unwitting user enters the private key or seed, the wallet steals the funds. The loss is irreversible and can be life-changing.
Mac Download Twitter Video
This is far from a theoretical attack. For example, in 2017 a Reddit user reported that a phishing site was deploying malware through a forged copy of Electrum, resulting in the loss of five bitcoin. The phishing site was followed as the first advertising link from a Google search.
Many Bitcoin users are familiar with the idea of digital signatures. The same idea can be applied to software downloads. The developer signs a download with a private key. Users verify the download using the developer’s public key. A forged file that changes a single bit can be detected with this system, as can a developer who attempts to apply an invalid signature. The standard method for signing binaries is known as Pretty Good Privacy (PGP). Implementations are available for all operating systems.
A popular PGP implementation on OSX is GPG Suite. Begin by downloading the installer from the main page.
We are immediately faced with a dilemma: how do we know that our copy of GPG Suite is authentic? We can’t verify a signature because if we could do that we wouldn’t need GPG Suite.
Fortunately, we can verify the installer’s hash value. Think of a hash value as an immutable, unique identifier that can be assigned to any file. OSX allows hash values to be checked with the
shasum
utility. shasum
is run from the Terminal application. To access Terminal, press command-spacebar and type “Terminal”. You’ll see a mostly empty window with a prompt after a dollar sign (“$”). Commands are entered, in text form, after this prompt.From Terminal, enter the following two commands:
where:
{hash}
is the string of characters that appears at the bottom of the GPG Tools page after clicking on the “SHA256” link;{filename}
is the name of the GPG Suite installer you downloaded; and- two spaces appear between
{hash}
and{filename}
.
![Download Download](/uploads/1/3/3/8/133895927/873289350.png)
For example, On November 1, 2017, I downloaded a file named
GPG_Suite-2017.1.dmg
and its SHA256 hash value was:01705da33b9dadaf5282d28f9ef58f2eb7cd8ff6f19b4ade78861bf87668a061
I would then enter the following two commands into Terminal (leaving out the dollar signs):
The first command moves my frame of file reference to the Downloads directory. The second command verifies the checksum of the file I downloaded. You should see a response that looks something like:
Free Downloads For Mac
GPG_Suite-2017.1.dmg: OK
Downloader For Mac
Notice that an attacker who was able to change the GPG Suite website might be able to give you the correct hash value for a fake copy of the installer. This is one of the limitations of using hash values to authenticate downloads.
After downloading and verifying the hash value of GPG Suite installer, double click on it. An installer window will be presented. Double click on the one named
Install.pkg
. Enter your system password when prompted and follow the remaining instructions.You will be asked to generate a new key pair. For the purposes of verifying Electrum, this step can be skipped. Click the Cancel button.
GPG Tools should present a window containing a single key entry — the one for the GPG Suite team. Before validating the Electrum download signature, we’ll need to add the public key of its developer to our list.
Thomas Voegtlin is the Electrum lead developer. The Electrum site reports his key ID as
0x2bd5824b7f9470e6
. Use this value to look up Voegtlin’s public key. Click the GPG Keychain “Lookup Key” button and enter the developer key ID. The click Search.GPG Keychain should respond with an entry for Thomas Voegtlin’s public key. Click Retrieve Key.
GPG Keychain should report that Thomas Voegtlin’s public key was added. You’ll now see two key entries: the original for the GPGTools Team and a new one for Electrum’s lead developer. We can now verify the signature of any Electrum installer.
Browse to the Electrum download page. Next to the OSX entry are two links. Click the first one titled “Executable” to download the Electrum installer. Save it to your Downloads folder.
Click the second link titled “signature.” This link takes you to a plain text page representing the installer’s signature. Save it by pressing command-s. Be sure to save it to the the Downloads folder. Remove the last four characters of the file name reading
.txt
, but leave it otherwise unmodified.Vlc Download For Mac
You should see two files in your Downloads folder:
electrum-{version}.dmg
and electrum-{version}.dmg.asc
, where {version}
is the version of Electrum you downloaded. The former file is the installer itself and the latter is the signature file.Games Download For Mac
To verify the signature of the installer, right click on it. A context menu will appear whose last item is called Services. Hovering over it presents a submenu. One of its entries will be “OpenPGP: Verify Signature of File.” Click it.
You should be presented with a window titled “Verification Results.” A single line should appear. The first entry gives the installer’s filename. The second gives the result of the verification. You should see text beginning with “Signed by: Thomas Voegtlin”. The line will be appended with the bolded text “undefined trust.”
At this stage, you’ve verified the signature of an Electrum installer. You could, however, take this process one step further by signing Thomas Voegtlin’s public key. Doing so will remind you in the future that you trust that this key really does belong to Electrum’s lead developer. Only take this step if you have independently verified that the key really does belong to Thomas Voegtlin.
Begin by creating a key pair for yourself, which is the step we skipped when setting up GPG Keychain. Click on the New button on the main GPG Keychain interface. Doing so brings up a form. Fill it out. Click Generate Key. There is no reason to publish this key, so decline that offer.
When you’re done, you should see a new public key in the keys list. It’s your own.
Next, sign Thomas Voegtlin’s public key. Begin by right-clicking on it. Choose the Sign option from the popup menu. Accept the defaults and click Generate Signature.
Verifying the signature of any Electrum installer in the future will present a somewhat different message than before. Instead of “undefined trust,” GPG Keychain will report “full trust” in green.
Signature validation should be used for any wallet destined to hold large sums of money. Given that wallets holding spare change today can grow to become wallets holding substantial sums tomorrow, signature verification should be the first step of any Electrum wallet installation. This guide offers a step-by-step procedure for doing so. Once set up, it can be used to verify the signature of any future Electrum release, and other Bitcoin software as well.
To recap, the steps are:
- Download GPG Suite.
- Verify the GPG Suite checksum.
- Import the public key for Electrum’s lead developer.
- Download Electrum installer and signature.
- Verify the Electrum installer signature.