Electrum verification question/issue?

nc50lc

legendary

Activity: 2618

Merit: 6452

Self-proclaimed Genius

Quote from: bedlaminbelgium on March 26, 2022, 08:01:42 AM

Quote from: nc50lc on March 26, 2022, 07:00:04 AM

It's successfully verified; However, you haven't certified neither of the three keys.

Thats it? Awesone! What exaclty happens when I certifiy? It is confirming these keys are legit? Thankyou!

Aside from Blackhatcoiner's reply, it's also useful in case you imported a fake key and successfully verified a fake electrum with a signature of it.
If you've certified only the real keys, the real Electrum will show that it has "valid signatures" instead of what you've seen "the data could not be verified".

I haven't mentioned but, before certifying a certificate, it's very important to look for some legitimate source where you can verify the fingerprint.
For example: ThomasV's certificate that I've imported has a fingerprint 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 which is
the same as the one in the official documentary: https://electrum.readthedocs.io/en/latest/gpg-check.html and from various users' replies.
But better if you can verify it from the person himself: https://github.com/ecdsa

khaled0111

legendary

Activity: 2744

Merit: 3096

Top Crypto Casino

Quote from: bedlaminbelgium on March 26, 2022, 09:20:11 AM

Not sure what command line you are referring to? I was asking if there was another program like Kleopatra but easier

Kleopatra can be used either from the graphical user interface or from the command line interface. Using the command line is a bit harder and require more experience so better use the GUI.
To answer your second question, yes there are many other PGP software but Kleopatra is, imo, the easiest to use thanks to its user-friendly graphical interface.

bedlaminbelgium

newbie

Activity: 4

Merit: 5

Quote from: BlackHatCoiner on March 26, 2022, 09:16:52 AM

Quote from: bedlaminbelgium on March 26, 2022, 09:10:12 AM

I mean if I download the software thru the electrum website, shouldnt that be enough or is there a chance it couldve been compromised?

The reason why you're verifying the signature has been written above, by hosseinimr93.

A hacker can have compromised the website for a while and insert their own, malicious version of Electrum, right before you visit it. The developers can't guarantee you that the site won't be compromised, but by providing a PGP signature, they guarantee that whoever verifies the binaries won't be victimized. A hacker would need to compromise both electrum.org and github.com at the same time to succeed.

Quote from: bedlaminbelgium on March 26, 2022, 09:10:12 AM

That is true and thankyou. Is there any other way besides Kleopatra? An easier way to verify?

You don't want to mess with the command line, so just stick with Kleopatra. Besides, you now know how to do it.

   Yeah...I didnt see hosseinimr93 response. So true.

   Not sure what command line you are referring to? I was asking if there was another program like Kleopatra but easier

   Regardless, your right. I now know...thanks all for the help. Stay Hodling! Wink

BlackHatCoiner

legendary

Activity: 1512

Merit: 7340

Farewell, Leo

Quote from: bedlaminbelgium on March 26, 2022, 09:10:12 AM

I mean if I download the software thru the electrum website, shouldnt that be enough or is there a chance it couldve been compromised?

The reason why you're verifying the signature has been written above, by hosseinimr93.

A hacker can have compromised the website for a while and insert their own, malicious version of Electrum, right before you visit it. The developers can't guarantee you that the site won't be compromised, but by providing a PGP signature, they guarantee that whoever verifies the binaries won't be victimized. A hacker would need to compromise both electrum.org and github.com at the same time to succeed.

Quote from: bedlaminbelgium on March 26, 2022, 09:10:12 AM

That is true and thankyou. Is there any other way besides Kleopatra? An easier way to verify?

You don't want to mess with the command line, so just stick with Kleopatra. Besides, you now know how to do it.

bedlaminbelgium

newbie

Activity: 4

Merit: 5

Quote from: BlackHatCoiner on March 26, 2022, 08:56:07 AM

Quote from: bedlaminbelgium on March 26, 2022, 08:01:42 AM

Thats it? Awesone! What exaclty happens when I certifiy? It is confirming these keys are legit? Thankyou!

When you certify a key you essentially inform the program that you trust the signer. This isn't necessary, but it can be used in the future if you want to re-verify the new Electrum versions.

Unfortunately, someone who just wants to verify the authenticity of their wallet software must be familiar with things they don't even understand. That's a drawback of Kleopatra.

That is true and thankyou. Is there any other way besides Kleopatra? An easier way to verify?

I mean if I download the software thru the electrum website, shouldnt that be enough or is there a chance it couldve been compromised?

BlackHatCoiner

legendary

Activity: 1512

Merit: 7340

Farewell, Leo

Quote from: bedlaminbelgium on March 26, 2022, 08:01:42 AM

Thats it? Awesone! What exaclty happens when I certifiy? It is confirming these keys are legit? Thankyou!

When you certify a key you essentially inform the program that you trust the signer. This isn't necessary, but it can be used in the future if you want to re-verify the new Electrum versions.

Unfortunately, someone who just wants to verify the authenticity of their wallet software must be familiar with things they don't even understand. That's a drawback of Kleopatra.

hosseinimr93

legendary

Activity: 2380

Merit: 5213

Quote from: bedlaminbelgium on March 26, 2022, 08:01:42 AM

Thats it? Awesone! What exaclty happens when I certifiy? It is confirming these keys are legit? Thankyou!

Electrum is an open-source wallet and the source code is available to anyone.
Scammers can easily change the source code and make a fake version which looks like the original version.
With verifying the signature, you actually verify that you have downloaded the original version of eletrum.
Note that even if you are sure that you have downloaded electrum from its official website, you still need to verify the signature. Because, there is no guarantee that the website hasn't been hacked

bedlaminbelgium

newbie

Activity: 4

Merit: 5

Quote from: nc50lc on March 26, 2022, 07:00:04 AM

It's successfully verified; However, you haven't certified neither of the three keys.

To certify the keys: Open Kleopatra, right-click on Thomas Voegtlin's key, select "certify", tick all three checkboxes and the one below "I have verified the fingerprint".
Then click next and finish the rest of the steps. Do this to the other two keys.

Thats it? Awesone! What exaclty happens when I certifiy? It is confirming these keys are legit? Thankyou!

nc50lc

legendary

Activity: 2618

Merit: 6452

Self-proclaimed Genius

It's successfully verified; However, you haven't certified neither of the three keys.

To certify the keys: Open Kleopatra, right-click on Thomas Voegtlin's key, select "certify", tick all three checkboxes and the one below "I have verified the fingerprint".
Then click next and finish the rest of the steps. Do this to the other two keys.

bedlaminbelgium

newbie

Activity: 4

Merit: 5

  Ok...So I downloaded electrum thru https://electrum.org/#home

  I also download the keys from github keys for thomasV as per the following thread https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594

  Also downloaded other keys assosciated on github with electrum. https://github.com/spesmilo/electrum/tree/master/pubkeys

  I ran Kleopatra and I get the following..see image below. Is this good enough? I am seeing something say 3 signatures cannot be verified

https://i.imgur.com/rA3jcYV.jpg

Topic: Electrum verification question/issue? (Read 119 times)