Why check signatures?
Checksums such as MD5 and SHA-256 help you answer the question “Did I download this file correctly from whoever sent it to me?” They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from an attacker. The better question to answer is: “Is this file that I just downloaded really coming from the project developers, or has it been tampered with?” That's what GPG signatures are for.
Download accompanying signature file (.asc)
Signature files are available for each Electrum-LTC package. When you download a package, make sure you also download its accompanying signature by clicking on the “signature” link next to it on the download page.
For example, to verify the file Electrum-LTC-4.6.2.tar.gz you will need the signature file Electrum-LTC-4.6.2.tar.gz.asc.
Use the below instructions if you're using Linux and have GnuPG installed. The Tor Project provides more detailed instructions for Windows and OS X. The signature key to use for Electrum-LTC is 0x6ec371a844f2c48e.
Import signing keys from keyserver
Type this in a terminal:
gpg --keyserver keyserver.ubuntu.com --recv-keys 0x6ec371a844f2c48e
You should see something similar to this (the exact output depends on your GnuPG version):
gpg: key 6EC371A844F2C48E: public key "Hector Chu <hectorchu@gmail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Verify that the fingerprints are correct
gpg --fingerprint 0x6ec371a844f2c48e
You should see:
pub rsa4096 2022-06-03 [SC]
7FE6 094D CB3A 7626 2EE4 C689 6EC3 71A8 44F2 C48E
uid [ unknown] Hector Chu <hectorchu@gmail.com>
Verify signature of downloaded file
gpg --verify Electrum-LTC-4.6.2.tar.gz.asc Electrum-LTC-4.6.2.tar.gz
The output should say “Good signature”:
gpg: Signature made Mon 20 Oct 2025 22:00:51 UTC
gpg: using RSA key 7FE6094DCB3A76262EE4C6896EC371A844F2C48E
gpg: Good signature from "Hector Chu <hectorchu@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7FE6 094D CB3A 7626 2EE4 C689 6EC3 71A8 44F2 C48E
Notice that there is a warning because you haven't assigned a trust index to this person.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.
Thanks to Andre Mueller for writing these instructions.