Topic: Electrum SHA256 hashes (Read 237 times)

legendary
Activity: 3612
Merit: 1564
October 12, 2018, 07:35:49 AM
#7
2. Verify if it's imported:
Code:
gpg --fingerprint 0x2BD5824B7F9470E6
How should I verify that it is ThomasV's correct pubkey?
There should be Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?

Yep.

Quote
Can this signature be forged?

No, you need the private key behind that public key to generate a valid sig. As far as we know, only Thomas has that and he hasn't been hacked. So if you trust him not to include malware and not to get hacked, you can use this software. Alternatively, go through the code line by line so that you don't have to trust anyone!

Quote
Can it be possible that a fake public key has the same fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?

Nope. Always compare the long fingerprint as above and not the shortened one (0x7F9470E6) because it may be possible to create another key pair with the same short fingerprint.
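Added example, not part of the thread: a shell check that accepts a download only when gpg's machine-readable status output reports a valid signature whose full primary-key fingerprint equals the value quoted above, so a look-alike key sharing the short ID 7F9470E6 is rejected. The function names and the sample status lines are constructed for illustration; the VALIDSIG field layout follows GnuPG's `--status-fd` output.

```shell
#!/bin/sh
# Full fingerprint as quoted in the thread (spaces are stripped before comparing).
EXPECTED_FPR="6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6"

# check_status FPR (hypothetical helper): reads `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line is present, its primary-key fingerprint
# equals FPR, and no failure keyword appears anywhere in the output.
check_status() {
    awk -v want="$1" '
        BEGIN { gsub(/ /, "", want); want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; field 12, when present, is the primary key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIGFILE DATAFILE (hypothetical helper): runs gpg, applies the check.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status lines (timestamp and algorithm fields are illustrative).
SAMPLE_GOOD='[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2018-07-02 1530515528 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6'
# Constructed look-alike key: same short ID 7F9470E6, different full fingerprint.
SAMPLE_LOOKALIKE='[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF7F9470E6 2018-07-02 1530515528 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF7F9470E6'

demo() {
    printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR" && echo "pinned key: accept"
    printf '%s\n' "$SAMPLE_LOOKALIKE" | check_status "$EXPECTED_FPR" || echo "look-alike key: reject"
}
demo
```

For a real download, call `verify_download electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe` and act on its exit status.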
full member
Activity: 1274
Merit: 105
October 12, 2018, 05:36:52 AM
#6
2. Verify if it's imported:
Code:
gpg --fingerprint 0x2BD5824B7F9470E6
How should I verify that it is ThomasV's correct pubkey?
There should be Key fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?
Can this signature be forged?
Can it be possible that a fake public key has the same fingerprint = 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6?
legendary
Activity: 2758
Merit: 6830
July 14, 2018, 10:35:05 AM
#5
When trying to do that I get this:
Quote
gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
gpg: Signature made Пaн 02 Лiп 2018 10:12:08 +03 using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>"
gpg:                 aka "ThomasV <[email protected]>"
gpg:                 aka "Thomas Voegtlin <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
What does this warning mean?
This means that the signature is valid but you don't directly trust the user who generated the key (you didn't set the key as trusted).

Don't worry, that's not an issue. The file is legit.
legendary
Activity: 1624
Merit: 2481
July 14, 2018, 10:34:45 AM
#4
When trying to do that I get this:

gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe


gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>"

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.


What does this warning mean?


You can safely ignore the warning since the signature does match.

The warning appears because you didn't trust ThomasV's key yet. For a single verification this is not necessary.
The important thing is the Good signature output.
full member
Activity: 1274
Merit: 105
July 14, 2018, 10:30:37 AM
#3
They don't publish it. You will need to verify the PGP Signature, which is not that hard.

1. Import ThomasV's pubkey:
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6

2. Verify if it's imported:
Code:
gpg --fingerprint 0x2BD5824B7F9470E6

3. Download the signature file on the website.

4. Verify with:
Code:
gpg --verify signatureFile.asc ElectrumFile.tar.gz
When trying to do that I get this:
Quote
gpg --verify electrum-3.2.2-setup.exe.asc electrum-3.2.2-setup.exe
gpg: Signature made Пaн 02 Лiп 2018 10:12:08 +03 using RSA key ID 7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <[email protected]>"
gpg:                 aka "ThomasV <[email protected]>"
gpg:                 aka "Thomas Voegtlin <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
What does this warning mean?
legendary
Activity: 2758
Merit: 6830
July 14, 2018, 10:15:43 AM
#2
They don't publish it. You will need to verify the PGP Signature, which is not that hard.

1. Import ThomasV's pubkey:
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6

2. Verify if it's imported:
Code:
gpg --fingerprint 0x2BD5824B7F9470E6

3. Download the signature file on the website.

4. Verify with:
Code:
gpg --verify signatureFile.asc ElectrumFile.tar.gz
full member
Activity: 1274
Merit: 105
July 14, 2018, 08:15:21 AM
#1
Hi,
Where can I find Electrum SHA256 hashes to ensure that the downloaded wallet is original and not compromised?
I see only a signature file on the official site, but the signature check procedure is very complex...