Upgrading electrum on tails to 3.3.6

I see a lot of requests on reddit asking how to install the new version of Electrum on Tails. So I thought I would write an article showing people how to do it.

Electrum will not work on Tails 3.3.2 and below because of the existence of a security flaw where dishonest nodes can broadcast messages that can trick users into downloading malware and quote-unquote "scamwallets". Electrum 3.3.3 and above can mitigate these attacks. This article will show you how to manually upgrade your electrum wallet in tails.


First off, whenever you make changes to whatever you are doing, even in general, you should make a backup. This is doubly true if this involves money. My recommendation is to use the Tails official backup procedure here:

https://tails.boum.org/blueprint/backups/


Ok, boot to Tails. You have to be able to login as "administrator" for what we need to do, so when you login, press the "+" sign on the bottom left hand of the screen:
Then double-click on "administration password" and set the password to any arbitrary password you like. (This, by the way, allows you to execute the "sudo" command which gives your Tails account temporary root privileges. This password is forgotten on the next reboot, so it won't introduce any security problems once we're done).

Now that we are logged in, we have to make sure the persistent folder has correct settings. Go to Applications -> Tails -> Configure Persistent Volume:

From there, make sure that the "dotfiles" switch is set to "on" and click "save" button:


Now, we can begin upgrading the Electrum wallet. The next step is to verify the binary's validity. There are a lot of "scam wallets" going around where people download the wrong binary which then steals money. A hacker can also theoretically hack into the website and change the binary as well. So any binary that is not part of the official Tails distribution should be verified that is hasn't been tampered with. One of the maintainers of Electrum is "ThomasV" and his GPG key is here:

https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

gpg signature: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

Notice the high number of stars in the GitHub page. This means that a lot of people are saying "yep, I like this key". I also recommend searching for this fingerprint on multiple search engines such as DuckDuckGo, Bing, and Google so you can cross-verify and make sure that is the REAL "ThomasV" in question. Don't trust one particular source for GPG keys, just in case that source gets hacked or is somehow untrustworthy.

Anyway, save the key to your Tails distribution. Visit this webpage

https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc, and highlight the text of the key, right click and press "copy".


Then open gedit, which is the text editor to Tails:
Now paste the key, and then save it as "thomasv.key" in the "Tor Browser" directory.

Next, open "tor browser directory":

in nautilus and double click the key. This will import it:

Once it's imported, you have to then "sign" the key. By signing the key, one of the things you are doing is indicating "I trust this key as valid and I made sure that it's owned by the actual 'ThomasV' in question." You can verify the key by comparing the signatures with people who you know have the correct key (googling the fingerprint and verifying with multiple sites helps). The particular GitHub account we got our key from is heavily starred, and a google search shows a lot of references to it, so we have a reasonable assurance that it is the real one. I have also personally used this particular key for years with that exact signature, so I can personally attest that the signature with the following key is valid:

6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

There are web-of-trust benefits to signing the key, but I won't go into that for now. Ok, now let's sign the key.

Click on the clipboard icon, on the upper right hand corner of the screen, and then select "Manage keys":


When the dialogue box comes up, click on "GnuPG keys" on the left, then scroll down until you find the key you want to sign (in this case ThomasV), right click and press "properties".
From there, you'll get this dialogue box, so click on the trust tab and then press the "sign this key" button:

We did a reasonable search for the key, so let's click on "casually searched". Also click on "others may not see this signature" for correctness. Then click the "sign" button:

We have now successfully signed the key.

Ok, now that is done, we can download electrum. Download the AppImage binary and the appropriate signatures from this webpage: https://electrum.org/#download



The "AppImage" version of Tails is a self-contained version of Electrum with all the appropriate libraries and python version encased in one file. Currently Electrum 3.3.6 uses a version of python that the current version of Tails does not support (3.12.1). So the AppImage is your only recourse.

Ok, so once you download Electrum and it's signature file, you can now verify the signature. Navigate to the "Tor Browser" directory you were in earlier, and right click the electrum-3.3.6-x86_64.AppImage.asc file and click "Open with Verify Signature".

Once that goes through, it should hopefully give you a "good signature" emblem on top:


The "good signature" line shows that the binary has not been tampered with and is safe to put on the system. This is because we verified that it was digitally signed by a well-known hacker with a good reputation.

Ok. Next steps. We have to create some folders in an appropriate directory. We do this because Tails has an ephemeral filesystem mostly, with only a few key directories that are "remembered" between each bootup. The "Persistent" folder is one of those folders.

So let's return to the command terminal and type these commands (or copy and paste if you prefer):
sudo mkdir -p /live/persistence/TailsData_unlocked/dotfiles/.local/share/applications
sudo chown -R 1000:1000 /live/persistence/TailsData_unlocked/dotfiles/
mkdir -p /home/amnesia/Persistent/bin/
mkdir -p /home/amnesia/Persistent/conf/electrum/

If the sudo command asks for a password, use the "administrator account" password that you setup when you booted Tails.

Ok, next go back to "Tor Browser" window and right click the AppImage files. From there click properties:


Click on the permissions tab and click on "allow executing file as program":

This makes the file "executable" meaning it turns the file into an "app" that Tails can run. Then right click and rename file to "electrum.AppImage".

Then open the persistent directory:

and drag the "electrum.AppImage" over to "Persistent/bin"

It's best to be extra cautious about bitcoin wallets, so we are not going to "write over" the old bitcoin wallet, we are going to create another wallet and put it in a separate directory. (Conservatism is an important concept in the bitcoin world). So let's open your old electrum wallet and copy the seed. You can do this by going to Wallet -> Seed on your menubar and writing it down or saving it to a file in your persistent partition.

Keep these words in a safe place and don't give it to anyone! Your seed is a "second layer" of defense in case you somehow screw up the upgrade process. If upgrading your wallet does not work for some reason, you can always re-create a new wallet, type the seed words back in and be able to recover your bitcoins through your seed words. So make sure you don't lose that seed!

Once we have the words stored in a safe place, let's go ahead and make the bitcoin icon point to the new version of Electrum that we just put on the persistent folder.

Go back to your terminal window and type the following:

gedit /live/persistence/TailsData_unlocked/dotfiles/.local/share/applications/electrum.desktop

When gedit opens, copy and paste the following:
[Desktop Entry]
Comment=Lightweight Bitcoin Client
Exec=/home/amnesia/Persistent/bin/electrum.AppImage -D /home/amnesia/Persistent/conf/electrum/
GenericName[en_US]=Bitcoin Wallet
GenericName=Bitcoin Wallet
Icon=electrum
Name[en_US]=Electrum Bitcoin Wallet
Name=Electrum Bitcoin Wallet
Categories=Finance;Network;
StartupNotify=false
Terminal=false
Type=Application
MimeType=x-scheme-handler/bitcoin;
Actions=Testnet;

Then save.
Go back to your terminal and type:
sudo chmod +x /live/persistence/TailsData_unlocked/dotfiles/.local/share/applications/electrum.desktop

Go to Places -> Computer on the upper left hand corner of the screen. Once it opens, Press ctrl-l and type this in the directory:
/live/persistence/TailsData_unlocked/dotfiles/.local/share/applications

There should be an "Electrum" icon there, double click on it then click on "trust" (we verified the binary so we know we can trust it). When the new wallet comes up, go install the Electrum wallet like you normally would, but select "standard wallet" and "I already have a seed".

When the prompt comes up, paste the words of that seed that you entered earlier and click next. When Electrum comes on, it should show your old "history of transactions". Make sure you can see them.

Next, we have to tell Electrum to use the Tails proxy to communicate. Go to tools -> network in the menu:

Then click on the proxy tab and tell it to use the "Tor Proxy at port 9050":

Reboot Tails, re-login and click on Electrum icon on your menu, it should bring up the new version of Tails:

Send a small test transaction to another wallet and make sure it works.

If there are any errors with this blog post, please email steve@thestever.net and I can fix it.

Also, I don't have comments set up on this website yet, so if you want to see comments on the blog version of this article, you can view them here