Why check signatures?
Checksums such as MD5 and SHA-256 help you answer the question “Did I download this file correctly from whoever sent it to me?” They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from an attacker. The better question to answer is: “Is this file that I just downloaded really coming from the project developers, or has it been tampered with?” That's what GPG signatures are for.
Download accompanying signature file (.asc)
Signature files are available for each Electrum-SUM package. When you download a package, make sure you also download its accompanying signature by clicking on the “signature” link next to it on the download page.
For example, to verify the file Electrum-SUM-184.108.40.206.tar.gz you will need the signature file
Use the instructions below if you're using Linux and have GnuPG installed. The Tor Project provides more detailed instructions for Windows and OS X. The signature key to use for Electrum-SUM is
Import signing keys from keyserver
Type this in a terminal:
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x6fc4c9f7f1be8fea 0xfe3348877809386c
You should see something similar to this (the exact output depends on your GnuPG version):
gpg: key 6FC4C9F7F1BE8FEA: public key "pooler <firstname.lastname@example.org>" imported
gpg: key FE3348877809386C: public key "Adrian Gallagher <email@example.com>" imported
gpg: Total number processed: 2
gpg:               imported: 2
Verify that the fingerprints are correct
gpg --fingerprint 0x6fc4c9f7f1be8fea 0xfe3348877809386c
You should see:
pub   rsa2048 2013-07-21 [SC]
      CAE1 092A D355 3FFD 21C0 5DE3 6FC4 C9F7 F1BE 8FEA
uid           [ unknown] pooler <firstname.lastname@example.org>
sub   rsa2048 2013-07-21 [E]

pub   rsa2048 2013-06-19 [SC]
      59CA F0E9 6F23 F537 4794 5FD4 FE33 4887 7809 386C
uid           [ unknown] Adrian Gallagher <email@example.com>
sub   rsa2048 2013-06-19 [E]
Verify signature of downloaded file
gpg --verify Electrum-SUM-220.127.116.11.tar.gz.asc Electrum-SUM-18.104.22.168.tar.gz
The output should say “Good signature”:
gpg: Signature made Thu 17 Aug 2017 10:59:17 AM PDT
gpg:                using RSA key 6FC4C9F7F1BE8FEA
gpg: Good signature from "pooler <firstname.lastname@example.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CAE1 092A D355 3FFD 21C0 5DE3 6FC4 C9F7 F1BE 8FEA
Notice that there is a warning because you haven't assigned a trust level to this key in your keyring:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
This means that GnuPG verified that the key made that signature, but it's up to you to decide whether that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints, then compare them with the fingerprints printed above.
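Because "Good signature" is printed for any key GnuPG happens to have, a script that only greps for that string accepts a signature from anyone. The following is an added example (not part of these instructions or of Electrum-SUM) that runs the same gpg --verify command but reads GnuPG's machine-readable status lines and accepts the package only when the primary key fingerprint matches one of the two fingerprints shown above; the function names and the pinned set are this example's own.

```python
"""Verify a detached GnuPG signature and pin the signer to a known fingerprint.

Runs the page's 'gpg --verify file.asc file' but with --status-fd, so the
decision is based on the VALIDSIG status line rather than on the
human-readable "Good signature" text, and only accepts the file if the
signing key's primary fingerprint was obtained out of band.
"""
import subprocess
from typing import Iterable

# Fingerprints from the gpg --fingerprint output above, spaces removed.
TRUSTED_FINGERPRINTS = {
    "CAE1092AD3553FFD21C05DE36FC4C9F7F1BE8FEA",  # pooler
    "59CAF0E96F23F53747945FD4FE3348877809386C",  # Adrian Gallagher
}


def evaluate_status(status_lines: Iterable[str], trusted: set) -> tuple:
    """Decide from GnuPG status lines whether a signature is acceptable.

    Returns (ok, reason). Accepts only if GnuPG emits VALIDSIG and the
    primary key fingerprint (last VALIDSIG field, which differs from the
    first field when a subkey made the signature) is in 'trusted'.
    GOODSIG alone is not enough: GnuPG prints it for untrusted keys too,
    which is exactly the warning shown above.
    """
    primary_fpr = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                       "REVKEYSIG", "NO_PUBKEY"):
            return False, "rejected by GnuPG: " + keyword
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> <primary-key-fpr>
            primary_fpr = fields[-1].upper()
    if primary_fpr is None:
        return False, "no VALIDSIG line: GnuPG did not validate the signature"
    if primary_fpr not in trusted:
        return False, "signed by untrusted key " + primary_fpr
    return True, "good signature from pinned key " + primary_fpr


def verify_download(package: str, signature: str, trusted=TRUSTED_FINGERPRINTS):
    """Run gpg on a downloaded package and its .asc file; returns (ok, reason)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, package],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout.splitlines(), trusted)
```

Call verify_download("Electrum-SUM-<version>.tar.gz", "Electrum-SUM-<version>.tar.gz.asc") after importing the keys as described above; a non-pinned signer is rejected even though gpg itself would print "Good signature".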
Thanks to Andre Mueller for writing these instructions.