Topic: [GUIDE] How to Safely Download and Verify Electrum [Guide] - page 9. (Read 22202 times)

copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
The guide has instructions for three operating systems, you only need to follow the instruction for your OS.  I do recommend you complete all the steps, as it makes abundantly clear that you have the authentic version and not malware.  There are three steps to complete,

Here are links to the instructions for Windows:

Install:
sr. member
Activity: 1596
Merit: 419
Cashback 15%
Hi, my desktop PC got reformatted and I need to reinstall Electrum. To be honest I'm just new here in Electrum and don't really know a lot about it; that is why I don't have any transactions in my Electrum wallet. I only use it because I need to stake my address here in the forum, because it can sign an address.

I found this Electrum download guide; in the past I only downloaded the Electrum application for PC. Is it necessary to download or do everything here on the list?



Sorry to bother, but could anyone explain the importance of these steps? Because I didn't do this when I installed Electrum last time. I just can't find a clear explanation online. Thanks.
HCP
legendary
Activity: 2086
Merit: 4314
Yes, that's the entire point... you either need the downloaded application file/installer/exe to be PGP signed or the file containing the hashes (or both for the really paranoid!)...

Without the PGP signature attached to something, you basically have no way to properly validate the download.
legendary
Activity: 1624
Merit: 2481
Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

I couldn't agree more with that. Hackers cannot fool us if the official site gives us the hash of their software.

Not if the hacker also hacks the official website and adds a tampered installer with its hash on the website. And yes, it has happened before on popular software/OS, such as Linux Mint OS.

The point is that these hashes are signed using his PGP key.
Hosting the software and its hashes on the same website / same place obviously is prone to be abused.

But the crucial factor is that they are signed with his PGP key, which is not stored on the server.
Verifying the signature of the txt file containing the hashes would then only pass if these are indeed the hashes produced by the developer.
legendary
Activity: 3430
Merit: 10505
Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

I couldn't agree more with that. Hackers cannot fool us if the official site gives us the hash of their software.

This is actually a terrible idea because it could encourage many users (especially beginners, or those who are lazy) to skip the PGP verification since they have a hash and only check the file's hash. Then that hash could be compromised and they end up with fake software thinking they have the legit one.

Besides, this method adds an unnecessary extra step. The user has to download the hash file and its signature, verify that signature, then verify the hash of the file, whereas if they had the signature of the file itself the user would verify the signature of the file instead of the hash file.
If there are any concerns about the hash algorithm used during signing, they can publish more than one signature using different hash algorithms (keep in mind everything is hashed under the hood before being signed).
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
Verifying the signature (given that his PGP key is not compromised) does protect against these attacks.

Emphasis mine, but this really gets to the crux of the matter.  I included redundant links to ThomasV's PGP key because the odds of multiple servers being compromised become infinitely small.  The act of verifying is really just using those redundant and separate sources to confirm the authenticity of the other source.
legendary
Activity: 1624
Merit: 2481
How can a scammer fool the official site of electrum since it's owned by Thomas?

There are multiple ways to achieve that.
Some would be:

1) Compromise the Web Server
2) Gain access to the Registrar account (gandi.net in this case) and change the DNS resolution to a different IP (server owned by the attacker)
3) Man-in-the-Middle: Either via a malicious browser extension (still https) installed in your browser or via redirecting you to an http site without a certificate.
4) DNS Hijacking: Manipulating DNS Servers to resolve the URL to a different IP (server owned by an attacker)

Verifying the signature (given that his PGP key is not compromised) does protect against these attacks.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

I couldn't agree more with that. Hackers cannot fool us if the official site gives us the hash of their software.
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
Okay, so now that I've verified that my files are authentic, I can simply uninstall Kleopatra and GPG, right?

You can, but I would recommend you keep it installed, you might find more uses for GPG in the future.  You can use it to sign and encrypt messages or files of your own.  I frequently use it to sign addresses for my escrow service.  I recently used it to encrypt a message to another member that contained my real name and mailing address (for an auction that I won.)

If you're like me and use your main computer to access your cryptocurrency, you'll want to make sure you aren't downloading some other malware that can compromise your security.  Other than Electrum, there are many software distributions that use GPG signatures for verification, including any updates to GPG4WIN that you'll want to download.  Some software developers will publish a list of the sha256 or MD5 hashes, and sign the list with a PGP key, so you know the hashes are authentic.

Here are some popular downloads that use GPG signatures to ensure authenticity:
Bitcoin core: https://bitcoincore.org/en/download/
Ubuntu: https://ubuntu.com/tutorials/tutorial-how-to-verify-ubuntu#1-overview
Tor Project: https://support.torproject.org/tbb/how-to-verify-signature/#BuildVerification
legendary
Activity: 1876
Merit: 3131
Okay, so now that I've verified that my files are authentic, I can simply uninstall Kleopatra and GPG, right?

Yes, but I would recommend you to keep them. Electrum updates are not released very often but you also should verify their installation files especially if Electrum is going to be your main wallet. You might forget to reinstall them or skip the verification process which might result in a loss of funds.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Okay, so now that I've verified that my files are authentic, I can simply uninstall Kleopatra and GPG, right?
legendary
Activity: 1876
Merit: 3131
How can a scammer fool the official site of electrum since it's owned by Thomas?

There's a slight chance that the website might be compromised in the future; nothing is completely secure. The files might be replaced without any other changes to the website. Also, there have been many phishing attempts related to Electrum updates or typos in the official website's name. Verifying the signature can save you from a fatal mistake.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
How can a scammer fool the official site of electrum since it's owned by Thomas?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I have always verified all Electrum apps before going through the installation process and I always get that result that pooya87 was talking about regarding the key not being certified. This guide will come in handy to get rid of that once and for all. 
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
excellent post. just two additions.
first is that usually people don't add the key to their list of trusted keys so the verification result always has a warning that confuses most people. it is along the line of saying something like this:
Code:
gpg: WARNING: This key is not certified with a trusted signature! 
gpg: There is no indication that the signature belongs to the owner.
Sometimes people confuse this with the signature not being valid, whereas all it says is that the key is not saved in their local database as a trusted key.

I considered adding an example of such results.  Technically the signature file can be verified without any keys in the keyring, but I don't know how deep down the rabbit hole I should go with all that.


second is that it may be a good idea to show what the message is going to look like when wrong signature or wrong key is used. although it is obvious.

That's a very practical suggestion, and I do want to include "negative" results so people are familiar with what to look out for.  I will be making some example screenshots of wrong files/signatures and include those.


ps. we can't talk about GPG and not mention Web of Trust.

Definitely worth a read while practicing social distancing and safe computing.  
legendary
Activity: 3430
Merit: 10505
excellent post. just two additions.
first is that usually people don't add the key to their list of trusted keys so the verification result always has a warning that confuses most people. it is along the line of saying something like this:
Code:
gpg: WARNING: This key is not certified with a trusted signature! 
gpg: There is no indication that the signature belongs to the owner.
Sometimes people confuse this with the signature not being valid, whereas all it says is that the key is not saved in their local database as a trusted key.

second is that it may be a good idea to show what the message is going to look like when wrong signature or wrong key is used. although it is obvious.

ps. we can't talk about GPG and not mention Web of Trust.
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
Given that the tutorial above contains instructions that require trust to follow, I thought it was appropriate that I provide a signature for the tutorial.  To verify, click on the "quote" button above the post, copy all the text including the quote header and footer, paste it into your favorite text editor, then save the text file.  Use the code below to create another file in the same directory and with the same name, but with a .asc extension.  Use your preferred method to verify.

Code:
-----BEGIN PGP SIGNATURE-----
=iya1
-----END PGP SIGNATURE-----

My GPG key is available by clicking on the website link in my profile, or here on the forum:

https://bitcointalksearch.org/topic/m.56665744


Update 15 JAN 2023
 - Fixed some typos
 - Clarified Linux installation information
 - Added list of HockeyPuck Keyservers

Update 27 JAN 2023
 - Fixed some typos
 - Added link to KDE Kleopatra
copper member
Activity: 2142
Merit: 4219
Join the world-leading crypto sportsbook NOW!
Table of Contents
Introduction
Resources
Getting Started
Instructions for Windows and Linux Desktop distros
Instructions for Mac
Instructions for Command Line Interface


Introduction
Electrum is one of the most popular lightweight bitcoin clients around.  The software is incredibly useful and includes several options and tools that allow ultimate control of your bitcoin.  Electrum can be used to access any type of bitcoin wallet, including legacy, p2sh, or bech32 (exception: as of the most recent edit of this post, Electrum is not capable of importing Taproot addresses.)  Existing wallets can be imported into Electrum by using a private key, an extended private key, or a BIP39 seed phrase.  It can create new wallets of any type as well, including multi-signature wallets.  Electrum can be used to access the popular brands of hardware wallets, too.  It's also handy for creating watch-only versions of your cold or hardware wallets.  On top of all that, it's open source, which allows anyone to audit the software, removing the need to solely trust the developers.

The unfortunate thing about open source software is that it can easily be copied by nefarious individuals and made to look like the real thing.  Electrum's popularity and widespread use make it a prime target for these hackers and scammers.  So how does one ensure that he has downloaded the official, authentic version, and not a malicious fake?  First and foremost, make sure you download it only from the official Electrum website, but don't stop there.  The only way you can be certain you have downloaded an official release is to check if the file was digitally signed by the developer.  Electrum has many active developers and the releases are often signed by multiple individuals for security purposes.  The instructions below focus on checking the signature for one specific developer, Thomas Voegtlin, but can be used to verify the signature of any of the developers listed on Electrum's downloads page.


Resources
Links to key resources

ThomasV's PGP fingerprint:
  • 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
Source: https://electrum.readthedocs.io/en/latest/gpg-check.html

Redundant links to ThomasV's public key:

List of known, reliable PGP HockeyPuck Keyservers:
  • hkps://keys.openpgp.org
  • hkps://keyserver.ubuntu.com
  • hkps://pgp.mit.edu

Third-party binary installations that include GnuPG and a Graphical User Interface (GUI):


Getting Started With GPG
First you'll need to download and install Gnu Privacy Guard (GPG), the successive implementation of the OpenPGP standard.  The link in the resources section above provides download links for the source code, a binary compilation to install the command-line-only GnuPG service on MacOS and Windows, and links to third-party binary releases which include a graphical user interface.  GPG4Win provides the option to install Kleopatra, a GUI application which is very user friendly.  Kleopatra is also available on Linux.  Mac GPG is also a user friendly application with a GUI frontend.  I won't go into too much detail on installing GnuPG on your system, there are plenty of resources on the internet that can guide you through that, but the following paragraphs will help you get started.

Navigate to The GnuPG Project's download page, choose the appropriate command-line tool or third-party binary for your operating system, and install GnuPG according to the instructions provided with the distribution.

Note that some Linux distributions include GPG command-line services preinstalled, however few distributions include a graphical user interface for the GPG client.  Most Ubuntu Linux distributions, including those running on Windows Subsystem for Linux will have GPG preinstalled.  Refer to the CLI instructions for more information.

Once you've installed GPG you may be prompted to create or import a keypair.  If you already have a private key you can import it.  If you do not have a private key I recommend that you create a new keypair.  Again, there are plenty of instructional sites on the internet that you can reference to guide you through the process.  Having your own keypair is not mandatory to verify signed messages, but verifications will appear with errors that may be confusing.  To get the full experience, and the safety and security offered by GnuPG, a keypair will be needed to certify the public keys of others.  Details on how this affects verification will be discussed further during the tutorial.

Once you've created or imported your own private key you can now import ThomasV's public key.  On the downloads page of the official Electrum website, you'll find a link to ThomasV's public PGP key.  For redundancy I've posted that link in the references section above.  Clicking on the link will take you to a page that displays the public key.

Windows users take note: when downloading signatures and keys, Windows likes to save .asc files with the .txt file extension.  To avoid this pitfall open an explorer window, click on the View tab, Folder Options, and under the View menu disable hidden extensions of known file types.




Windows and Linux Instructions

Install on Windows
For Windows systems I recommend Gpg4win.  Browse to their downloads page, and install the latest version.  Once the installation directory is chosen, the installer will allow you to choose components:




Kleopatra is the GUI front end that's included with Gpg4win, and I recommend you install it.  If you don't, you'll have to use command line tools to manage the GnuPG app.  Another optional feature is a shell extension which I find handy, and an Outlook email extension.  If you use Outlook the integration is pretty seamless, and actually quite useful.

Kleopatra is also available for Linux.  Look for it in the application store, or run the following command:

Code:
sudo apt install kleopatra



Once installation is complete and Kleopatra launches, you can create a keypair.  If you already have a private key that can be used to certify other people's keys, you can import it at this time.




To create a keypair, enter the ID details you choose and follow the prompts.  A password is optional.



Import ThomasV's PGP Key on Windows and Ubuntu
Import ThomasV's PGP Key using Kleopatra:
Download ThomasV's PGP Key from a trusted source.  Click the Import button, and navigate to the location where "ThomasV.asc" was saved, select the file, and click Open.




Alternatively, you may choose to use the built-in search feature that will download the private key from the keyserver.




To use the Search feature, copy ThomasV's fingerprint from a trusted source and enter it into the provided search field.




Once ThomasV's key has been imported it can be certified.  Depending on your version of Kleopatra and the default settings, a pop-up may ask you to certify the public key during the importation process, select Yes.  If not, on the Certificates tab select ThomasV's key and click the Certify button.




Choose the identity you want to certify; there's no reason not to select them all.  Click Certify.



Verify Electrum on Windows and Ubuntu
Download the Electrum package you prefer, and the associated signature file.  Save both in the same directory.  In Kleopatra, click on the "Decrypt/Verify" button, and browse to the location of the .exe and .asc files you saved.  Select the .asc file, and click "Open."




The software will check the integrity of the .exe file and compare it to the signature file.  If ThomasV's signature matches the .exe file you'll see a window like this pop up with text indicating that the signature is valid, and the key is fully trusted:




Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted.  If your results match the example above, you now know that it's safe to run the .exe file on your system.

Pro Tip: use the convenient Search key on the right to download and certify the keys of the remaining developers.  In the example below I show what a fully trusted verification looks like:




In the example above the .exe file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  The result has a bright green tinted background which makes fully trusted and valid signatures unmistakable.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.




In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .exe file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .exe file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .exe file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .exe does not match the signatures in the .asc file, the window will have a red tint and the text will also be red:




The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .exe file.  The test stops when it encounters one invalid signature.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.


Mac Instructions

Install on Mac
For Mac users I recommend using the Mac GPG Suite from GPGtools.org.  It includes a GPG Keychain app that's very user friendly and walks you through creating a private key pair.
Browse to gpgtools.org site, download the .dmg file for your version of MacOS, and unpack it to start installation.






Once installation has reached the "Installation Type" page, click "Customize."




Mac GPG is free to use, except for the mail clients.  They come with a 30-day free trial if you care to try them, or you may choose to deselect them.




Enter your password if prompted:




Once installation is complete, the system will launch the GPG Keychain app, and prompt you to create a key pair.  Enter the credentials of your preference and click the "Generate Key" button.  If you already have a private key that can be used to certify other people's keys, click cancel and use the "Import" button to import your private key.



Import ThomasV's PGP Key on Mac OS
Download ThomasV's PGP Key from a trusted source.  If it's not already running, launch the GPG Keychain app, and click the import button.  Browse to the location where you saved the ThomasV.asc file, and select it.




The Keychain should now list ThomasV's public key.




Select ThomasV's key, right-click on it, and select "Sign..." to certify ThomasV's key:




Sign the identifications ThomasV has included in his key:



Verify on Mac OS
Download the Electrum image file and the associated signature file.  Open a Finder window, navigate to the location where you saved the Electrum .dmg file and the .asc signature file, and double click the signature file.




Mac GPG will launch the verification tool and compare the .dmg file to the signature file.  Once the verification tool has completed its diagnostic it'll pop up a window like this:




Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted.  If your results match the example above, you now know that it's safe to run the .dmg file on your system.

The example below demonstrates a fully verified signature.




In the example above the .dmg file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  To replicate these results you'll have to download and sign the keys of the remaining developers by repeating the steps used to obtain ThomasV's key.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.




In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .dmg file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .dmg file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .dmg file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .dmg does not match the signatures in the .asc file the result will indicate a bad signature:




The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .dmg file.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file, that is NOT the file signed by the developers.


Shell Terminal Instructions

Install CLI-Only Binary
Terminal commands are a more powerful way to interact with GPG.  They can be used on any of the operating systems mentioned in this post.  

If you've installed one of the third-party binaries with a GUI, the core GnuPG services are already installed.  If you choose not to use a third-party binary with a GUI, the GnuPG site has binary files for Windows that can be used to run the command line tools only.  For more convenient usage, they can also be set to run as an NT service.  For MacOS use Homebrew or your preferred package manager to install the core services.  If you're using Linux, many distros include the core GnuPG services by default, otherwise see the instructions below.  Once GPG is installed on your system you can run these commands.  In Windows use PowerShell or the Windows Terminal; in MacOS and Linux use the terminal app.

WARNING!
As a general precaution you should never copy unknown commands from the internet and paste them into your operating system's shell terminal.  Take the time to research these instructions before following them.  Your safety is why you're here in the first place.

If your version of Linux doesn't have GnuPG installed, run the following command (Note: apt is the default package manager for Debian based Linux distros; change accordingly for your version of Linux.)

Code:
sudo apt update && sudo apt install -y gnupg

To show a list of common commands use:
Code:
gpg --help


To create a new keypair use:
Code:
gpg --generate-key


To import an existing private key use:
Code:
gpg --import /path/to/private-key.gpg


To list all the keys in your keyring use:
Code:
gpg -k


To list only the private keys in your keyring use:
Code:
gpg -K

Import ThomasV's PGP Key using terminal commands
Download ThomasV's PGP key from a trusted source and import ThomasV's public key:
Code:
gpg --import /path/to/ThomasV.asc


Example:
Code:
gpg --import ~/Downloads/ThomasV.asc


Alternatively, you can use GnuPG's built-in function to download ThomasV's key from one of the GnuPG key servers.  For example, here's a command using the OpenPGP key server:
Code:
gpg --keyserver hkps://keys.openpgp.org --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


Indicate your acceptance at the prompts.  The response should look like this:
Quote
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: Total number processed: 1
gpg:               imported: 1


Refresh your keyring:
Code:
gpg -k


You should now see ThomasV's key in your keyring, the entry should look like this:
Quote

pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ unknown] Thomas Voegtlin (https://electrum.org)
uid           [ unknown] ThomasV
uid           [ unknown] Thomas Voegtlin
sub   rsa4096 2011-06-15 [E]


ThomasV's key can now be certified.
Code:
gpg --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


This command may be needed for some configurations:
Code:
gpg -u YOUR-KEY-ID --sign-key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6


Select y and press enter at the two following prompts.  You'll be prompted for the GPG password that you set when creating your key pair.  ThomasV's key trust level will be set to "full."

Check the trust level of the public key by refreshing the keyring:
Code:
gpg -k


The results for ThomasVs key should look like this:
Quote

pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [  full  ] Thomas Voegtlin (https://electrum.org)
uid           [  full  ] ThomasV
uid           [  full  ] Thomas Voegtlin
sub   rsa4096 2011-06-15 [E]

Verify using Terminal Commands
Download the Electrum app image file and the associated signature file.  To verify the downloaded AppImage, open a terminal and enter the following command:
Code:
gpg --verify /path/to/electrum-<version>-<arch>.AppImage.asc


Example:
Code:
gpg --verify ~/Downloads/electrum-4.2.0-x86_64.AppImage.asc


The result should look like this:
Quote

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [full]
gpg:                 aka "ThomasV " [full]
gpg:                 aka "Thomas Voegtlin " [full]


Note that the .asc file contains signatures from multiple developers.  There are three valid signatures in the example above.  Two of the signatures are made by unavailable certificates, but it does list the keys which were used to sign the .asc file.  The last signature listed is the one made by ThomasV's key, and it's shown as valid and trusted.  If your results match the example above, you now know that it's safe to run the .AppImage file on your system.

The example below demonstrates a fully verified signature.

Quote

gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Good signature from "Stephan Oeste (it) " [full]
gpg:                 aka "Emzy E. (emzy) " [full]
gpg:                 aka "Stephan Oeste (Master-key) " [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Good signature from "SomberNight/ghost43 (Electrum RELEASE signing key) " [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [full]
gpg:                 aka "ThomasV " [full]
gpg:                 aka "Thomas Voegtlin " [full]


In the example above the .AppImage file matches all the signatures in the .asc, and those signatures were made by available and certified keys.  The results indicate good signatures from all three keys.

If your results do not match my examples above, or you just want to learn more, keep reading.

In the examples below I demonstrate the importance of having your own keypair by replicating some of the errors you're likely to encounter if ThomasV's key is not certified, or if you have a corrupt or malicious file.

Quote

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: Can't check signature: No public key
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

In the example above you'll note there are three signatures in the .asc file that could not be verified.  That's because none of the keys used to sign the .AppImage file are trusted by the system in my example.  The example shows that ThomasV's key is available, but it has not been certified.  The results also show that the .AppImage file matches the signatures in the .asc file, and lists the fingerprints of the keys used to create the signatures.  So, we have valid signatures by unknown or untrusted signers.  The keys must now be manually compared to the keys you are expecting to sign the .AppImage file.  The only way to have the results automatically return at least one trustworthy signature is to have at least one of the signing keys certified by your system.  To certify keys you need to have your own keypair.

Next, I will demonstrate a failed signature.  If the .AppImage does not match the signatures in the .asc file the result will indicate a bad signature:

Quote

gpg: assuming signed data in '/home/direwolf/Downloads/electrum-4.2.0-x86_64.AppImage'
gpg: Signature made Wed 16 Mar 2022 12:43:00 PM PDT
gpg:                using RSA key 637DB1E23370F84AFF88CCE03152347D07DA627C
gpg: BAD signature from "Stephan Oeste (it) " [full]
gpg: Signature made Wed 16 Mar 2022 08:54:00 AM PDT
gpg:                using RSA key 0EEDCFD5CAFB459067349B23CA9EEEC43DF911DC
gpg: BAD signature from "SomberNight/ghost43 (Electrum RELEASE signing key) " [full]
gpg: Signature made Wed 16 Mar 2022 06:52:58 AM PDT
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: BAD signature from "Thomas Voegtlin (https://electrum.org) " [full]

The example above shows what an invalid signature would look like.  To get the results above I created a text file full of gibberish and changed the name to match the .AppImage file.  The results would look similar if at least one of the signing keys has been imported, even if it has not been certified.  This clearly indicates a potentially malicious file that is NOT the file signed by the developers.


The contents of this article may be shared, in part or in whole.  The images within are posted and shared in the public domain.  If you share this article please give credit to the author and provide a link to the original.