=> These are the 3 keys whose authenticity I would like to verify.
Import ThomasV's PGP Key using terminal commands
Download ThomasV's PGP key from a trusted source and import ThomasV's public key:
gpg --import /////ThomasV.asc
Example:
gpg --import ~/Downloads/ThomasV.asc
Alternatively, you can use GnuPG's built-in function to download ThomasV's key from one of the GnuPG key servers. For example, here's a command using the OpenPGP key server:
gpg --keyserver hkps://keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Indicate your acceptance at the prompts. The response should look like this:
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: Total number processed: 1
gpg: imported: 1
Refresh your keyring:
You should now see ThomasV's key in your keyring; the entry should look like this:
pub rsa4096 2011-06-15 [SC]
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid [ unknown] Thomas Voegtlin (https://electrum.org)
uid [ unknown] ThomasV
uid [ unknown] Thomas Voegtlin
sub rsa4096 2011-06-15 [E]
ThomasV's key can now be certified.
gpg --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
This command may be needed for some configurations:
gpg -u <your-key-id> --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Answer y and press Enter at the two prompts that follow. You'll be prompted for the passphrase you set when creating your key pair. ThomasV's key trust level will then be shown as "full."
Check the trust level of the public key by refreshing the keyring:
The results for ThomasV's key should look like this:
pub rsa4096 2011-06-15 [SC]
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid [ full ] Thomas Voegtlin (https://electrum.org)
uid [ full ] ThomasV
uid [ full ] Thomas Voegtlin
sub rsa4096 2011-06-15 [E]
Verify using Terminal Commands
Download the Electrum AppImage file and the associated signature (.asc) file. To verify the downloaded AppImage, open a terminal and enter the following command:
gpg --verify /////.AppImage.asc
Example:
gpg --verify ~/Downloads/electrum-4.2.0-x86_64.AppImage.asc
The result should look like this:
gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [full]
gpg: aka "ThomasV " [full]
gpg: aka "Thomas Voegtlin " [full]
Note that the .asc file contains signatures from multiple developers. There are three valid signatures in the example above. Two of the signatures were made by keys that are not in your keyring ("No public key"), but gpg still lists the key IDs that were used to sign the .asc file. The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted. If your results match the example above, you now know that it's safe to run the .AppImage file on your system.
The example below demonstrates a fully verified signature.
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) " [full]
gpg: aka "Emzy E. (emzy) " [full]
gpg: aka "Stephan Oeste (Master-key) " [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) " [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [full]
gpg: aka "ThomasV " [full]
gpg: aka "Thomas Voegtlin " [full]
In the example above the .AppImage file matches all the signatures in the .asc, and those signatures were made by available and certified keys. The results indicate good signatures from all three keys.
If your results do not match my examples above, or you just want to learn more, keep reading.
In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.
gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg: aka "ThomasV " [unknown]
gpg: aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
In the example above you'll note there are three signatures in the .asc file that could not be verified as trustworthy. That's because none of the keys used to sign the .AppImage file are trusted by the system in my example. The example shows that ThomasV's key is available, but it has not been certified. The results also show that the .AppImage file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures. So, we have valid signatures by unknown or untrusted signers. The keys must now be manually compared to the keys you expect to have signed the .AppImage file. The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system. To certify keys you need to have your own keypair.
Next, I will demonstrate a failed signature. If the .AppImage does not match the signatures in the .asc file, the result will indicate a bad signature:
gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg: using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: BAD signature from "Stephan Oeste (it) " [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg: using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: BAD signature from "SomberNight/ghost43 (Electrum RELEASE signing key) " [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) " [full]
The example above shows what an invalid signature looks like. To get these results I created a text file full of gibberish and renamed it to match the .AppImage file name. The results would look similar if at least one of the signing keys has been imported, even if it has not been certified. This clearly indicates a potentially malicious file that is NOT the file signed by the developers.
The contents of this article may be shared, in part or in whole. The images within are posted and shared in the public domain. If you share this article please give credit to the author and provide a link to the original.